In summary, Digestabot is a GitHub Action developed by Chainguard to keep your images up to date, minimizing the risk from known CVEs (Common Vulnerabilities and Exposures).
Using the 'tag+digest' pattern, the Action opens a Pull Request (PR) that updates each image in use to its most recent digest; the user only needs to review and merge it. This works not only for Chainguard images but for images from any other registry used in the repository.
Consider the following requirements when using Digestabot:

- Your images must follow the `<repo>:<tag>@sha256:<digest>` pattern. For example: `cgr.dev/chainguard/nginx:latest@sha256:81bed54c9e507503766c0f8f030f869705dae486f37c2a003bb5b12bcfcc713f`
- You need to authorize GitHub Actions to create Pull Requests in the Settings -> Actions tab by selecting the option 'Allow GitHub Actions to create and approve pull requests.'
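The tag+digest requirement above is easy to check before turning Digestabot on. The following script is an added example, not Chainguard's or Digestabot's own code: it pulls image references out of Dockerfile `FROM` lines and YAML `image:` lines, classifies each one as pinned (tag+digest), digest-only, unpinned or invalid, and reports the references Digestabot would not keep current. The file fragments and the digest values inside it are constructed sample input.

```python
"""Check that container image references use the tag+digest form that
Digestabot keeps current: <repo>:<tag>@sha256:<digest>.

Added example, not Chainguard's or Digestabot's own code. The Dockerfile and
workflow fragments in SAMPLE are constructed input, and the digest values in
them are made up (they do not correspond to any real image).
"""
import re

# A valid digest is 'sha256:' followed by exactly 64 lowercase hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Lines that name an image: Dockerfile 'FROM [--platform=...] <ref> [AS name]'
# and YAML 'image: <ref>' (GitHub Actions containers/services, Compose, k8s).
IMAGE_LINE_RE = re.compile(
    r"^\s*(?:FROM\s+(?:--platform=\S+\s+)?|(?:-\s+)?image:\s+)(?P<ref>[^\s'\"]+)",
    re.IGNORECASE,
)


def parse_image_ref(ref):
    """Split a reference into repo, tag and digest and classify how it is pinned.

    status is one of:
      pinned      - <repo>:<tag>@sha256:<digest>, the form Digestabot updates
      digest-only - immutable, but lacks the tag the post requires
      unpinned    - tag only (or bare name = implicit 'latest'): contents can drift
      invalid     - has an '@' part that is not a well-formed sha256 digest
    """
    name, _, digest = ref.partition("@")
    # The tag follows the last ':' unless that part contains '/', in which
    # case the ':' belongs to a registry port (e.g. localhost:5000/app).
    repo, sep, tag = name.rpartition(":")
    if not sep or "/" in tag:
        repo, tag = name, None
    if digest and not DIGEST_RE.match(digest):
        status = "invalid"
    elif digest and tag:
        status = "pinned"
    elif digest:
        status = "digest-only"
    else:
        status = "unpinned"
    return {"ref": ref, "repo": repo, "tag": tag, "digest": digest or None, "status": status}


def scan_lines(lines):
    """Return (line_number, parsed reference) for every image reference found."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = IMAGE_LINE_RE.match(line)
        if not match or match.group("ref").lower() == "scratch":
            continue  # 'FROM scratch' is not a registry image
        findings.append((lineno, parse_image_ref(match.group("ref"))))
    return findings


def unpinned_refs(lines):
    """Report every reference that is not in tag+digest form, with its status."""
    return [(lineno, parsed["ref"], parsed["status"])
            for lineno, parsed in scan_lines(lines)
            if parsed["status"] != "pinned"]


# Constructed sample input; FAKE_* are made-up digests, not real image digests.
FAKE_A = "0123456789abcdef" * 4
FAKE_B = "fedcba9876543210" * 4
FAKE_C = "00112233445566778899aabbccddeeff" * 2
SAMPLE = f"""\
# --- constructed Dockerfile fragment ---
FROM cgr.dev/chainguard/go:latest@sha256:{FAKE_A} AS build
FROM --platform=linux/amd64 cgr.dev/chainguard/static:latest@sha256:{FAKE_B}
FROM scratch
# --- constructed GitHub Actions workflow fragment ---
    container:
      image: ghcr.io/example/ci:v2
    services:
      db:
        image: docker.io/library/postgres@sha256:{FAKE_C}
      cache:
        image: localhost:5000/redis:7@sha256:deadbeef
"""

if __name__ == "__main__":
    for lineno, ref, status in unpinned_refs(SAMPLE.splitlines()):
        print(f"line {lineno}: {status:<11} {ref}")
```

Running it over a real repository is a matter of feeding it the lines of each Dockerfile and workflow file; anything reported as unpinned or digest-only will not be updated by Digestabot until it is rewritten in the tag+digest form, and anything reported as invalid will fail to pull at all.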
Now let's create the `digestabot.yml` file in the `.github/workflows` directory.
```yaml
name: Image digest update
on:
  workflow_dispatch:
  schedule:
    # Every day at 00:00 UTC
    - cron: "0 0 * * *"
jobs:
  image-update:
    name: Image digest update
    runs-on: ubuntu-latest
    permissions:
      contents: write # Write access to the repository
      pull-requests: write # Permission to create pull requests
      id-token: write # Needed to request the OIDC `JWT` token
    steps:
      - uses: actions/checkout@v4
      - uses: chainguard-dev/digestabot@v1.0.2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          signoff: true # Add a Signed-off-by trailer to the commit
          author: update-bot # Set the author of the commit
          committer: update-bot@example.com # Set the committer email
          labels-for-pr: automated pr, kind/cleanup, release-note-none # Set the labels for the PR
          branch-for-pr: update-digests # Set the branch name for the PR
          title-for-pr: Update images digests # Set the PR title
          commit-message: Update images digests # Set the commit message
```
For more information about Digestabot, see the Action's page on the GitHub Marketplace or the official repository on GitHub.