feat(ci): auto-build DocumentDB images on new upstream release #410
Ritvik-Jayaswal wants to merge 9 commits into
Conversation
Closes documentdb#360. Add watch_documentdb_images.yml which polls the upstream documentdb/documentdb repo on a schedule and, when a newer release than the current default is published, builds candidate documentdb + gateway images and opens a version-bump PR (human-merged gate). Make build_documentdb_images.yml and release_documentdb_images.yml reusable via workflow_call (build exposes documentdb_version and image_tag outputs) so the watcher can chain them. Document the automation in image-management.md and AGENTS.md. Signed-off-by: Ritvik Jayaswal <rjayaswal@microsoft.com>
Pull request overview
Adds CI automation to detect upstream documentdb/documentdb releases and drive the “database image track” (build candidate images → promote to release tags → open a version-bump PR) with a scheduled watcher, reusing existing build/release workflows via workflow_call.
Changes:
- Introduces `.github/workflows/watch_documentdb_images.yml` to poll `releases/latest` every 6 hours (or manually) and chain into build + release workflows.
- Exposes `workflow_call` interfaces for `build_documentdb_images.yml` (with outputs) and `release_documentdb_images.yml` (with inputs) to support chaining.
- Updates documentation (`image-management.md`, `AGENTS.md`) to describe the new automation and workflow entry.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| docs/designs/image-management.md | Documents the new scheduled upstream release watcher and end-to-end flow. |
| AGENTS.md | Adds the watcher workflow to the CI workflow inventory. |
| .github/workflows/watch_documentdb_images.yml | New scheduled/manual workflow to detect upstream releases and invoke build + release workflows. |
| .github/workflows/release_documentdb_images.yml | Adds workflow_call trigger inputs to allow reusable invocation from the watcher. |
| .github/workflows/build_documentdb_images.yml | Adds workflow_call trigger outputs and updates version resolution + cosign verify identity matching for reusable runs. |
```bash
# Already promoted? If the release tag exists, the bump PR is likely
# pending review/merge, so don't rebuild on every cron tick.
echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
if docker manifest inspect "ghcr.io/${{ github.repository }}/documentdb:${NEW}" >/dev/null 2>&1; then
  echo "Release image documentdb:${NEW} already exists; version-bump PR is likely pending merge. Skipping."
  echo "should_release=false" >> "$GITHUB_OUTPUT"
  exit 0
fi
```
xgerman left a comment
We want to build the documentdb images from the official packages @guanzhousongmicrosoft is creating. Please adjust the build process.
We also want them to be built so that we can integrate them into the official CNPG image gallery (see https://github.com/xgerman/postgres-extensions-containers/tree/xgerman/documentdb)
Also, instead of a watch on the documentdb repo we were thinking about using webhooks to trigger builds of new versions upon release.
…hook trigger

Address review feedback on PR documentdb#410:
- Install postgresql-18-documentdb from the official DocumentDB APT repo (documentdb.io/deb) instead of GitHub-release .deb assets; the meta-package pulls in Citus/RUM/pgvector/PostGIS so explicit cron/pgvector/postgis installs are dropped. APT package version is pinnable per build.
- Make repository_dispatch (documentdb-release) the primary trigger for watch_documentdb_images.yml; demote cron to a daily safety-net. Add reference upstream sender workflow as docs/designs/upstream-release-dispatch-sender.md.
- Idempotency: skip only when BOTH documentdb and gateway release tags exist; rebuild on partial promotion.
- Gateway build unchanged (still from documentdb-local public image).

Co-authored-by: Copilot <copilot@github.com>
Signed-off-by: Ritvik Jayaswal <rjayaswal@microsoft.com>
Thanks for the review @xgerman, pushed a rework (48bad40) addressing your three points:
Also fixed a flagged idempotency bug: the watch job now skips only when both
One open question: your branch pins
…documentdb-images

Signed-off-by: Ritvik Jayaswal <rjayaswal@microsoft.com>

# Conflicts:
# .github/workflows/build_documentdb_images.yml
The official APT repo serves dashed Debian versions (e.g. 0.113-0), not dotted semver. Default the apt pin to VERSION_DASH and verify the exact postgresql-18-documentdb=<version> is present in the stable index (with bounded retry to absorb publish lag) before building, instead of only checking that the repo responds. Addresses review feedback from WentingWu666666 on PR documentdb#410. Co-authored-by: Copilot <copilot@github.com> Signed-off-by: Ritvik Jayaswal <rjayaswal@microsoft.com>
e2e should exercise
Three linked points:
1. Trigger e2e on Dockerfile changes.
```yaml
paths:
  - '.github/dockerfiles/**'
```
2. Triggering alone won't build it — registry mode short-circuits.
3. Fix the build-mode build args for the new contract. In build mode it currently runs: After this PR,
One deeper limitation worth calling out: the new Dockerfile installs only from the published APT repo, so build mode can no longer build an image from a locally-compiled
Please attach evidence of a full end-to-end run on your fork before merge. None of the new workflows (
Could you dispatch
Expected if it's working end-to-end:
One practical note: run it against a version that's already published to the APT repo and has a matching
Addresses WentingWu666666's e2e/build-mode review feedback on PR documentdb#410:
1. test-e2e.yml now triggers on .github/dockerfiles/** so Dockerfile_extension changes run e2e.
2. probe-images forces build mode when Dockerfile_extension is in the PR diff, so registry mode no longer short-circuits the modified Dockerfile.
3. Dockerfile_extension gains an optional DOCUMENTDB_DEB_PACKAGE build arg (installed via RUN --mount=type=bind) so build mode validates the source-built/unpublished .deb instead of silently installing the latest published package. Build-mode workflows pass it instead of the now-unused DEB_PACKAGE_REL_PATH; runtime deps still resolve from the official APT repo.

Co-authored-by: Copilot <copilot@github.com>
Signed-off-by: Ritvik Jayaswal <rjayaswal@microsoft.com>
Thanks, all three addressed in ba17048:
This addresses your "deeper limitation" point directly — build mode keeps source-built/unpublished coverage rather than only working for already-published versions.
The verify step matched the package version with grep -A1 '^Package:' | grep -qx 'Version: ...', which assumes Version is the line immediately after Package. In the real Debian Packages index the stanza order is Package / Source / Version, so the Version line was never captured and the check produced a false negative even when the version was published (e.g. 0.113-0). Replace it with a stanza-aware awk parser. Co-authored-by: Copilot <copilot@github.com> Signed-off-by: Ritvik Jayaswal <rjayaswal@microsoft.com>
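The false negative described in this commit message is easy to reproduce, and the stanza-aware fix is short. The following is an added example, not code from the PR or the project: it runs both the grep -A1 check and an awk stanza parser over a constructed Debian `Packages` index whose first stanza has the real-world field order (Package / Source / Version), and wraps the parser in the bounded retry that an earlier commit mentions for absorbing publish lag. The package name, versions and index text are constructed sample data, not the real documentdb.io index, and the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the PR or the project): check that an exact package
# version is published in a Debian "Packages" index using a stanza-aware awk
# parser, beside the grep -A1 check that produced false negatives.
# The index below is constructed sample data, not the real documentdb.io index.
set -eu

PKG=postgresql-18-documentdb

# Constructed sample index. The first stanza has the field order
# Package / Source / Version, so "Version:" is NOT the line after "Package:".
sample_index() {
  cat <<'EOF'
Package: postgresql-18-documentdb
Source: documentdb
Version: 0.113-0
Architecture: amd64
Depends: postgresql-18, postgresql-18-cron

Package: postgresql-18-documentdb
Source: documentdb
Version: 0.112-0
Architecture: amd64

Package: postgresql-18-cron
Version: 1.6.4-1
Architecture: amd64
EOF
}

# The check the commit replaced: reads the index on stdin and assumes the
# Version line immediately follows the Package line. Exit 0 means "present".
naive_index_has_version() {
  pkg="$1"; ver="$2"
  grep -A1 "^Package: ${pkg}\$" | grep -qx "Version: ${ver}"
}

# Stanza-aware check: stanzas are separated by blank lines. Remember the
# Package and Version fields seen in the current stanza and compare them when
# the stanza ends (blank line or end of input), whatever the field order.
index_has_version() {
  pkg="$1"; ver="$2"
  awk -v pkg="$pkg" -v ver="$ver" '
    function end_stanza() { if (p == pkg && v == ver) found = 1; p = ""; v = "" }
    /^Package: / { p = substr($0, 10) }
    /^Version: / { v = substr($0, 10) }
    /^$/         { end_stanza() }
    END          { end_stanza(); exit (found ? 0 : 1) }
  '
}

# Bounded retry to absorb publish lag between the upstream release and the
# APT index update: $1 = command that prints the index, $2 = package,
# $3 = version, $4 = max attempts, $5 = seconds between attempts.
wait_for_version() {
  fetch="$1"; pkg="$2"; ver="$3"; attempts="$4"; delay="$5"
  i=1
  while :; do
    if "$fetch" | index_has_version "$pkg" "$ver"; then
      return 0
    fi
    [ "$i" -lt "$attempts" ] || return 1
    i=$((i + 1))
    sleep "$delay"
  done
}

# Demo against the constructed index: the naive check reports the published
# 0.113-0 as missing, the stanza-aware check finds it.
for check in naive_index_has_version index_has_version; do
  if sample_index | "$check" "$PKG" 0.113-0; then
    echo "$check: $PKG=0.113-0 present"
  else
    echo "$check: $PKG=0.113-0 missing"
  fi
done
```

In a workflow the `sample_index` function would be replaced by a `curl` of the repository's `Packages` file (or `apt-cache policy` after `apt-get update`), and `wait_for_version` would be called with a non-zero delay; the parser itself is unchanged, and because it compares the whole stanza it is also not fooled by a `Version:` line that belongs to a neighbouring package.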
GHCR rejects tags whose repository path contains uppercase characters (repository name must be lowercase). The image references were built directly from github.repository, which preserves the owner login case, so builds failed on forks whose owner has uppercase letters (e.g. Ritvik-Jayaswal). Normalize the owner/repo to lowercase for all ghcr.io image refs in the documentdb build, watch idempotency check, and promote workflows. The cosign certificate-identity-regexp keeps the original case to match the OIDC certificate subject. Co-authored-by: Copilot <copilot@github.com> Signed-off-by: Ritvik Jayaswal <rjayaswal@microsoft.com>
The extension install RUN uses 'set -eux' (set -u). Docker does not inject an ARG into the RUN environment when it has no value, so the APT path (which passes only DOCUMENTDB_APT_VERSION) failed with 'DOCUMENTDB_DEB_PACKAGE: parameter not set'. Use default expansion for both optional ARGs so an unset value is treated as empty. Co-authored-by: Copilot <copilot@github.com> Signed-off-by: Ritvik Jayaswal <rjayaswal@microsoft.com>
The built-in GITHUB_TOKEN cannot push changes under .github/workflows/** (GitHub blocks it without the 'workflow' scope, which that token cannot be granted), so create-pull-request failed with 'refusing to allow a GitHub App to create or update workflow ... without workflows permission'. Drop the sed edits that rewrote DEFAULT_DOCUMENTDB_VERSION and dispatch 'default:' values in build_documentdb_images.yml and release_documentdb_images.yml. Those are only manual-dispatch fallbacks; the watch workflow resolves the real version dynamically from upstream releases, so leaving them static is harmless and keeps the automation self-contained (no PAT/App token required). Update the PR body to match. Co-authored-by: Copilot <copilot@github.com> Signed-off-by: Ritvik Jayaswal <rjayaswal@microsoft.com>
Full workflow evidence: full

| Package | Release tag |
|---|---|
| ghcr.io/ritvik-jayaswal/documentdb-kubernetes-operator/documentdb | 0.113.0 (+ 0.113.0-build-28470139299-1-5f7c17f, per-arch, .sig) |
| ghcr.io/ritvik-jayaswal/documentdb-kubernetes-operator/gateway | 0.113.0 (+ 0.113.0-build-28470139299-1-5f7c17f, per-arch, .sig) |
4. Auto-opened version-bump PR
- PR: `chore: bump DocumentDB default images to 0.113.0` (fork PR #2)
- The bump PR only touches substantive version sources — no workflow files are edited:
  - `operator/src/internal/utils/constants.go`
  - `operator/cnpg-plugins/sidecar-injector/internal/config/config.go` + `config_test.go`
  - `operator/documentdb-helm-chart/values.yaml`
  - `.github/dockerfiles/Dockerfile_gateway_public_image`
- The workflow version fallbacks remain intentionally static (the real version is resolved dynamically at run time), so the bump PR no longer rewrites workflow defaults (otherwise the workflow would need more permissions).
Summary
Closes #360.
When a new version of DocumentDB is released upstream, the extension and gateway images should be built automatically, and the default version bumped in code and docs. This wires up that automation by reusing the existing build/release workflows and adding a scheduled watcher.

What changed
- `watch_documentdb_images.yml` — polls the upstream `documentdb/documentdb` `releases/latest` on a cron (`0 */6 * * *`, plus manual `workflow_dispatch` with `version` override and `dry_run`). When a release newer than the current `DEFAULT_DOCUMENTDB_IMAGE` is found, it builds candidate images and opens a version-bump PR.
- `build_documentdb_images.yml` — added a `workflow_call` trigger exposing `documentdb_version` and `image_tag` outputs; resolves the version from the `inputs` context; cosign verify now uses an identity regexp so it passes when run as a reusable workflow.
- `release_documentdb_images.yml` — added a `workflow_call` trigger mirroring its inputs so the watcher can chain into it.
- `docs/designs/image-management.md` and a workflow entry in `AGENTS.md`.

Behavior
Scheduled poll → build candidate images → promote + open a `chore: bump DocumentDB images` PR. Merging that PR is the human gate that makes the new version the default for new installs.
Idempotent: once images are promoted, the `documentdb:<version>` tag exists, so later cron ticks short-circuit until the bump PR merges (which advances the default and stops detection for that version). Drafts and pre-releases are excluded because detection uses GitHub's `releases/latest`.

Notes
- `secrets: inherit`). As with the existing manual release flow, the bump PR is created with `GITHUB_TOKEN`, so CI on that PR is re-triggered by a maintainer on review.
- `repository_dispatch: documentdb-release` trigger, so a real upstream webhook can still be wired later if a cross-repo PAT becomes available.

Testing
`watch_documentdb_images.yml` can be exercised manually via `workflow_dispatch` with `dry_run: true` to confirm detection without building.