Changes from 2 commits
24 changes: 24 additions & 0 deletions .github/workflows/bump_gha_runner_version.yml
@@ -0,0 +1,24 @@
name: Bump GHA runner version (WIP)
on:
# schedule:
# - cron: '30 6 1,15 * *' # Monthly on the 1st and 15th at 06:30
workflow_dispatch:

jobs:
bump_gha_runner_version:
Contributor

Do we get notified if this fails? Not 100% sure but I think you need some more boilerplate for that...

S.a.:

Contributor

(Unless it's super annoying to add, let's add notifications; we're very likely to not notice this getting hard broken otherwise.)

Contributor Author

I've copied the job from other workflows. I hope it works.

runs-on: ubuntu-24.04
name: Bump GHA runner version
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Check for the latest version and create a PR to splice
uses: ./.github/actions/nix/run_bash_command_in_nix
with:
cmd: |
git config user.email "[email protected]"
git config user.name "DA Automation"
./scripts/bump_gha_runner_version.sh
additional_nix_args: "--keep GH_TOKEN"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
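Review bot: The `cmd` step runs `./scripts/bump_gha_runner_version.sh` (underscores), but the script this PR adds is `scripts/bump-gha-runner-version.sh` (hyphens), so the job would fail on a missing file; align the two names. The job also uses `secrets.GITHUB_TOKEN` to push a branch and open a PR without declaring a `permissions:` block; stating `contents: write` and `pull-requests: write` at job level keeps the token scoped to what the script needs and independent of the repository default. Note too that a PR opened with `GITHUB_TOKEN` does not trigger other workflows, so checks on the generated PR will not start on their own.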
7 changes: 5 additions & 2 deletions cluster/images/splice-test-docker-runner/Dockerfile
@@ -1,7 +1,10 @@
ARG RUNNER_VERSION=2.328.0
ARG RUNNER_DIGEST=sha256:db0dcae6d28559e54277755a33aba7d0665f255b3bd2a66cdc5e132712f155e0

# Note that we don't currently support arm64 runners, so we build this only for amd64
FROM --platform=$BUILDPLATFORM ghcr.io/actions/actions-runner:2.328.0@sha256:db0dcae6d28559e54277755a33aba7d0665f255b3bd2a66cdc5e132712f155e0
FROM --platform=$BUILDPLATFORM ghcr.io/actions/actions-runner:${RUNNER_VERSION}@${RUNNER_DIGEST}

LABEL org.opencontainers.image.base.name="ghcr.io/actions/actions-runner:2.328.0"
LABEL org.opencontainers.image.base.name="ghcr.io/actions/actions-runner:${RUNNER_VERSION}"
#Ideally, we'd reduce duplication between this and splice-test-ci, but we're not tackling that right now

RUN sudo apt-get update && \
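Review bot: `RUNNER_VERSION` is declared before `FROM`, so it is in scope only for the `FROM` line; in the `LABEL` that follows it expands to an empty string and the label becomes `ghcr.io/actions/actions-runner:`. Add a bare `ARG RUNNER_VERSION` after `FROM` to bring the default into the build stage.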
7 changes: 5 additions & 2 deletions cluster/images/splice-test-runner-hook/Dockerfile
@@ -1,7 +1,10 @@
ARG RUNNER_VERSION=2.328.0
ARG RUNNER_DIGEST=sha256:db0dcae6d28559e54277755a33aba7d0665f255b3bd2a66cdc5e132712f155e0

# Note that we don't currently support arm64 runners, so we build this only for amd64
FROM --platform=$BUILDPLATFORM ghcr.io/actions/actions-runner:2.328.0@sha256:db0dcae6d28559e54277755a33aba7d0665f255b3bd2a66cdc5e132712f155e0
FROM --platform=$BUILDPLATFORM ghcr.io/actions/actions-runner:${RUNNER_VERSION}@${RUNNER_DIGEST}

LABEL org.opencontainers.image.base.name="ghcr.io/actions/actions-runner:2.328.0"
LABEL org.opencontainers.image.base.name="ghcr.io/actions/actions-runner:${RUNNER_VERSION}"

COPY target/index.js /home/runner/k8s/index.js
COPY target/LICENSE .
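Review bot: `RUNNER_VERSION` and `RUNNER_DIGEST` are independent args, but in `FROM ...:${RUNNER_VERSION}@${RUNNER_DIGEST}` the digest alone decides which image is pulled, so overriding only the version with `--build-arg` silently builds from the old base while the label reports the new one. A comment above the two `ARG` lines saying they must change together (and that scripts/bump-gha-runner-version.sh rewrites them) would help. The `LABEL` after `FROM` also needs `ARG RUNNER_VERSION` redeclared inside the stage, otherwise the variable is empty there.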
2 changes: 1 addition & 1 deletion cluster/pulumi/gha/src/runners.ts
Expand Up @@ -186,7 +186,7 @@ function installDockerRunnerScaleSet(
containers: [
{
name: 'runner',
image: `${DOCKER_REPO}/splice-test-docker-runner:${ghaConfig.runnerHookVersion}`,
image: `${DOCKER_REPO}/splice-test-docker-runner:${ghaConfig.runnerVersion}`,
command: ['/home/runner/run.sh'],
env: [
{
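Review bot: The image tag now comes from `ghaConfig.runnerVersion`, but no file in this diff defines or sets that field, and the name reads like the upstream `RUNNER_VERSION` (2.328.0) from the Dockerfiles rather than the tag of the locally built `splice-test-docker-runner` image. Please confirm the field exists in the config with the intended value, and consider a name or comment that distinguishes the two.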
46 changes: 46 additions & 0 deletions scripts/bump-gha-runner-version.sh
@@ -0,0 +1,46 @@
#!/usr/bin/env bash

# Copyright (c) 2024 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
# SPDX-License-Identifier: Apache-2.0

set -euo pipefail

runner_version=$(
gh release view \
--repo actions/runner \
--json tagName \
| jq -r '.tagName' \
| sed 's/^v//' # remove the 'v' prefix
)

runner_digest=$(
docker manifest inspect "ghcr.io/actions/actions-runner:${runner_version}" \
| jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest'
)

docker_runner_file="${SPLICE_ROOT}/cluster/images/splice-test-docker-runner/Dockerfile"
runner_hook_file="${SPLICE_ROOT}/cluster/images/splice-test-runner-hook/Dockerfile"

sed \
--in-place \
--expression "s/^\(ARG RUNNER_VERSION=\).*/\1${runner_version}/" \
--expression "s/^\(ARG RUNNER_DIGEST=\).*/\1${runner_digest}/" \
"${docker_runner_file}" \
"${runner_hook_file}"

if git diff --exit-code --quiet "${docker_runner_file}" "${runner_hook_file}"; then
echo "GHA runner version is up to date."
exit 0
fi

git add --all
updated_branch="gha-runner-version-bump-$(date +%Y-%m-%d)"
git switch -c "${updated_branch}"
git commit -m "[static] bump GHA runner version to the latest (auto-generated)" -s
Contributor

@martinflorian-da martinflorian-da Nov 3, 2025

Is "build docker images" part of [static]?

If not we might want to either:

  • add that (follow-up PR?)
  • do a docker-build here on (only) splice-test-docker-runner?

I think I like the second option more (we change images ~rarely and when we do we typically also do full cluster tests which do build docker images), assuming that 1. we can do that without forcing a full splice build ( 🤞 ) and 2. we get notifications and a failures board entry in case this flow fails (see my other comment).

Contributor Author

Good idea! I've added explicit docker-build for these two images.

git push origin "${updated_branch}"

gh pr create \
--base "main" \
--head "$updated_branch" \
--title "Bump GHA runner version to the latest (auto-generated)" \
--reviewer isegall-da,martinflorian-da,ray-roestenburg-da,mblaze-da
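Review bot: `runner_version` and `runner_digest` come from upstream responses and are spliced straight into the `sed` expressions without any check; if the `jq` `select` matches nothing, `runner_digest` is empty, `sed` writes `ARG RUNNER_DIGEST=`, and the script goes on to open a PR with a broken `FROM` line. Validate both before the `sed` call, for example the version against `^[0-9]+\.[0-9]+\.[0-9]+$` and the digest against `^sha256:[0-9a-f]{64}$`, and exit non-zero otherwise. Separately, `git add --all` stages everything in the worktree; adding only `${docker_runner_file}` and `${runner_hook_file}` keeps stray files out of the automated commit, and the date-only branch name means a second run on the same day collides with the branch already pushed.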