🌱 Upgrade builder image to Go 1.23 (#1562)

guettli · web-flow · commit 5b9c8aa03d08 · 2025-03-18T10:23:35.000+01:00
diff --git a/.builder-image-version.txt b/.builder-image-version.txt
@@ -1 +1 @@
-1.0.22
+1.0.23
diff --git a/.github/workflows/main-promote-builder-image.yml b/.github/workflows/main-promote-builder-image.yml
@@ -10,7 +10,7 @@ jobs:
     name: Promote Latest tag to Caph Builder Image
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/syself/caph-builder:1.0.22
+      image: ghcr.io/syself/caph-builder:1.0.23
       credentials:
         username: ${{ github.actor }}
         password: ${{ secrets.github_token }}
diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml
@@ -22,7 +22,7 @@ jobs:
     name: "Lint Pull Request"
     runs-on: ubuntu-latest
     container:
-      image: ghcr.io/syself/caph-builder:1.0.22
+      image: ghcr.io/syself/caph-builder:1.0.23
       credentials:
         username: ${{ github.actor }}
         password: ${{ secrets.github_token }}
diff --git a/.github/workflows/schedule-scan-image.yml b/.github/workflows/schedule-scan-image.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'syself/cluster-api-provider-hetzner'
     container:
-      image: ghcr.io/syself/caph-builder:1.0.22
+      image: ghcr.io/syself/caph-builder:1.0.23
       credentials:
         username: ${{ github.actor }}
         password: ${{ secrets.github_token }}
diff --git a/hack/upgrade-builder-image.sh b/hack/upgrade-builder-image.sh
@@ -16,28 +16,33 @@
 
 # This script is executed in the Update-Bot container.
 # It checks if the Dockerfile for the build container has changed.
-# If so, it uses the version of the main branch as the basis for creating a new image tag. 
-# The script also checks if the image tag for the build image exists in the main branch. 
-# We assume that only one branch and one PR will be created for the changes in the build container. 
+# If so, it uses the version of the main branch as the basis for creating a new image tag.
+# The script also checks if the image tag for the build image exists in the main branch.
+# We assume that only one branch and one PR will be created for the changes in the build container.
 # Therefore, we can update this branch as many times as we want and reuse the next available tag after the one from the main branch.
 
-set -o errexit
-set -o nounset
-set -o pipefail
+# Usage:
+# Step 1: Update images/builder/Dockerfile (for example increate Go version)
+# Step 2: Update .builder-image-version.txt
+# Step 3: Run this script
+
+# Bash Strict Mode: https://github.com/guettli/bash-strict-mode
+trap 'echo "Warning: A command has failed. Exiting the script. Line was ($0:$LINENO): $(sed -n "${LINENO}p" "$0")"; exit 3' ERR
 
 export BUILDER_IMAGE=ghcr.io/syself/caph-builder
 
-REPO_ROOT=$(realpath $(dirname "${BASH_SOURCE[0]}")/..)
+REPO_ROOT=$(realpath "$(dirname "${BASH_SOURCE[0]}")/..")
 cd "${REPO_ROOT}" || exit 1
 
+# shellcheck disable=SC1091
 source "${REPO_ROOT}/hack/semver-upgrade.sh"
 
-if git diff --exit-code .builder-image-version.txt images/builder/Dockerfile images/builder/build.sh > /dev/null; then
+if git diff --exit-code .builder-image-version.txt images/builder/Dockerfile images/builder/build.sh >/dev/null; then
   echo "nothing seems to have changed."
   exit 0
 fi
 
-if [ "${CI:-false}" = true ] ; then
+if [ "${CI:-false}" = true ]; then
   echo "$BUILD_IMAGE_TOKEN" | docker login ghcr.io -u "$BUILD_IMAGE_USER" --password-stdin
 fi
 
@@ -51,19 +56,22 @@ export VERSION
 NEW_VERSION=$(semver_upgrade patch "$VERSION")
 export NEW_VERSION
 
-if ! docker manifest inspect "$BUILDER_IMAGE:$VERSION" > /dev/null; then
+if ! docker manifest inspect "$BUILDER_IMAGE:$VERSION" >/dev/null; then
   echo "could not find image $BUILDER_IMAGE:$VERSION"
   exit 1
 fi
-echo "$NEW_VERSION" > .builder-image-version.txt
+echo "$NEW_VERSION" >.builder-image-version.txt
 echo "Wrote new version $NEW_VERSION to .builder-image-version.txt"
 
-if docker manifest inspect ghcr.io/syself/caph-builder:${NEW_VERSION} > /dev/null ; echo $?; then
-  
+if
+  docker manifest inspect ghcr.io/syself/caph-builder:"${NEW_VERSION}" >/dev/null
+  echo $?
+then
+
   sed -i -e "/^BUILDER_IMAGE_VERSION /s/:=.*$/:= ${NEW_VERSION}/" Makefile
   grep -r -E 'ghcr.io/syself/caph-builder:[0-9].*.*' -l | xargs sed -i -e "s/ghcr.io\/syself\/caph-builder:${VERSION}/ghcr.io\/syself\/caph-builder:${NEW_VERSION}/g"
-  docker build -t ghcr.io/syself/caph-builder:${NEW_VERSION}  ./images/builder
-  docker push ghcr.io/syself/caph-builder:${NEW_VERSION}
+  docker build -t ghcr.io/syself/caph-builder:"${NEW_VERSION}" ./images/builder
+  docker push ghcr.io/syself/caph-builder:"${NEW_VERSION}"
 else
   exit 1
-fi
+fi
diff --git a/images/builder/Dockerfile b/images/builder/Dockerfile
@@ -45,7 +45,7 @@ FROM docker.io/aquasec/trivy:0.60.0@sha256:91c3a842834563a6860dbaec5af7c1949df5c
 ############################
 # Caph Build Image Base #
 ############################
-FROM docker.io/library/golang:1.22.6-bullseye@sha256:3bc1984c6725fdc2ac075004a2aa52131cccc95d2d69fd7b934d343b669e0aa7
+FROM docker.io/library/golang:1.23.7-bullseye@sha256:c4f892cd1906e6bf8a0e181f48babf76331c6f5dc786b709ffc9f591cb7edece
 
 # update: datasource=repology depName=debian_11/skopeo versioning=loose
 ENV SKOPEO_VERSION="1.2.2+dfsg1-1+b6"
