cnpg-postgres-containers/.github/workflows/update.yml

name: Automatic Updates

on:
  schedule:
    - cron: 0 0 * * 1
  workflow_dispatch:

defaults:
  run:
    shell: 'bash -Eeuo pipefail -x {0}'

permissions: read-all

jobs:
  build:
    name: Run update script
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          token: ${{ secrets.REPO_GHA_PAT }}

      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
        with:
          python-version: 3.9

      - name: Run update script
        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
        with:
          timeout_minutes: 15
          max_attempts: 3
          command: |
            # pip-tools provides pip-compile used by update.sh
            # TODO: Pinning pip due to https://github.com/jazzband/pip-tools/issues/2176, remove when fixed
            pip3 install --upgrade pip-tools pip\<25.1
            export PATH=$HOME/.local/bin:$PATH
            echo "Updating Debian bullseye images"
            ./Debian/update.sh -d bullseye

      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
        with:
          python-version: 3.11

      - name: Run update script
        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
        with:
          timeout_minutes: 15
          max_attempts: 3
          command: |
            # pip-tools provides pip-compile used by update.sh
            # TODO: Pinning pip due to https://github.com/jazzband/pip-tools/issues/2176, remove when fixed
            pip3 install --upgrade pip-tools pip\<25.1
            export PATH=$HOME/.local/bin:$PATH
            echo "Updating Debian bookworm images"
            ./Debian/update.sh -d bookworm

      - name: Diff
        run: |
          git status
          git diff

      - name: Temporarily disable "include administrators" branch protection
        if: ${{ always() && github.ref == 'refs/heads/main' }}
        id: disable_include_admins
        uses: benjefferies/branch-protection-bot@af281f37de86139d1c7a27b91176b5dc1c2c827c # v1.1.2
        with:
          access_token: ${{ secrets.REPO_GHA_PAT }}
          branch: main
          enforce_admins: false

      - uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9
        with:
          author_name: CloudNativePG Automated Updates
          author_email: noreply@cnpg.com
          message: 'Daily automatic update'

      - name: Enable "include administrators" branch protection
        uses: benjefferies/branch-protection-bot@af281f37de86139d1c7a27b91176b5dc1c2c827c # v1.1.2
        if: ${{ always() && github.ref == 'refs/heads/main' }}
        with:
          access_token: ${{ secrets.REPO_GHA_PAT }}
          branch: main
          enforce_admins: ${{ steps.disable_include_admins.outputs.initial_status }}