[GHA] fix the regexp used for the latest image tag selection

jstourac · jstourac · commit bc0a54f6bdde · 2024-06-19T14:58:20.000+02:00
In case that there is an image tag subpart of another tag, there could be wrong tag chosen and as a result wrong SHA used for the manifest update. E.g. these two: * "rstudio-c9s-python-3.9-2024a-20240315-02193dd", * "cuda-rstudio-c9s-python-3.9-2024a-20240315-02193dd", Example of wrong update #541 (3df148c). Together with this, I also updated the quay security analysis script where is the exact same issue.
diff --git a/.github/workflows/notebooks-digest-updater-upstream.yaml b/.github/workflows/notebooks-digest-updater-upstream.yaml
@@ -84,7 +84,7 @@ jobs:
                 img=$(cat manifests/base/params.env | grep -E "${image}=" | cut -d '=' -f2)
                 registry=$(echo $img | cut -d '@' -f1)
                 src_tag=$(skopeo inspect docker://$img | jq '.Env[] | select(startswith("OPENSHIFT_BUILD_NAME=")) | split("=")[1]' | tr -d '"' | sed 's/-amd64$//')
-                regex="$src_tag-${{ env.RELEASE_VERSION_N}}-\d+-${{ steps.hash-n.outputs.HASH_N }}"
+                regex="^$src_tag-${{ env.RELEASE_VERSION_N}}-\d+-${{ steps.hash-n.outputs.HASH_N }}\$"
                 latest_tag=$(skopeo inspect docker://$img | jq -r --arg regex "$regex" '.RepoTags | map(select(. | test($regex))) | .[0]')
                 digest=$(skopeo inspect docker://$registry:$latest_tag | jq .Digest | tr -d '"')
                 output=$registry@$digest
@@ -164,7 +164,7 @@ jobs:
                 img=$(cat manifests/base/params.env | grep -E "${image}=" | cut -d '=' -f2)
                 registry=$(echo $img | cut -d '@' -f1)
                 src_tag=$(skopeo inspect docker://$img | jq '.Env[] | select(startswith("OPENSHIFT_BUILD_NAME=")) | split("=")[1]' | tr -d '"' | sed 's/-amd64$//')
-                regex="$src_tag-${{ env.RELEASE_VERSION_N_1}}-\d+-${{ steps.hash-n-1.outputs.HASH_N_1 }}"
+                regex="^$src_tag-${{ env.RELEASE_VERSION_N_1}}-\d+-${{ steps.hash-n-1.outputs.HASH_N_1 }}\$"
                 latest_tag=$(skopeo inspect docker://$img | jq -r --arg regex "$regex" '.RepoTags | map(select(. | test($regex))) | .[0]')
                 digest=$(skopeo inspect docker://$registry:$latest_tag | jq .Digest | tr -d '"')
                 output=$registry@$digest
diff --git a/.github/workflows/runtimes-digest-updater-upstream.yaml b/.github/workflows/runtimes-digest-updater-upstream.yaml
@@ -92,7 +92,7 @@ jobs:
                   name="minimal-$name"
               fi
               registry=$(echo $img | cut -d '@' -f1)
-              regex="runtime-$name-$py_version-${{ env.RELEASE_VERSION_N}}-\d+-${{ steps.hash-n.outputs.HASH_N }}"
+              regex="^runtime-$name-$py_version-${{ env.RELEASE_VERSION_N}}-\d+-${{ steps.hash-n.outputs.HASH_N }}\$"
               echo "CHECKING: "  $regex
               latest_tag=$(skopeo inspect docker://$img | jq -r --arg regex "$regex" '.RepoTags | map(select(. | test($regex))) | .[0]')
               digest=$(skopeo inspect docker://$registry:$latest_tag | jq .Digest | tr -d '"')
diff --git a/ci/security-scan/quay_security_analysis.py b/ci/security-scan/quay_security_analysis.py
@@ -81,9 +81,9 @@ def process_image(image, commit_id_path, RELEASE_VERSION_N, HASH_N):
     regex = ""
 
     if RELEASE_VERSION_N == "":
-        regex = f"{src_tag}-(\\d+-)?{HASH_N}"
+        regex = f"^{src_tag}-(\\d+-)?{HASH_N}$"
     else:
-        regex = f"{src_tag}-{RELEASE_VERSION_N}-\\d+-{HASH_N}"
+        regex = f"^{src_tag}-{RELEASE_VERSION_N}-\\d+-{HASH_N}$"
 
     latest_tag_cmd = f'skopeo inspect docker://{img} | jq -r --arg regex "{regex}" \'.RepoTags | map(select(. | test($regex))) | .[0]\''
     latest_tag = subprocess.check_output(latest_tag_cmd, shell=True, text=True).strip()
