fix(ci): Fix Update Ubutu Deps Workflow (#764)

* Fix update-deps workflow:

- fixes permission of update-ubuntu-deps workflow
- fix incorrect buildkit version bump for ubuntu-deps
- fix update-container-runtime fetching nerdctl rc tags

Signed-off-by: Swapnanil-Gupta <[email protected]>

* run update-deps workflow on PR

Signed-off-by: Swapnanil-Gupta <[email protected]>

---------

Signed-off-by: Swapnanil-Gupta <[email protected]>

Author: Swapnanil-Gupta

.github/workflows/update-dependencies.yaml

@@ -1,4 +1,5 @@
 name: Update dependencies
+
 on:
   schedule:
     - cron: '0 11 * * 2'
@@ -8,6 +9,15 @@ on:
         type: string
         description: The tag of nerdctl full archive to update
         required: false
+  pull_request:
+    branches:
+      - main
+    paths:
+      - .github/workflows/update-dependencies.yaml
+      - .github/workflows/update-ubuntu-dependencies.yaml
+      - bin/update-lima-bundles.sh
+      - bin/update-container-runtime-full-archive.sh
+      - bin/update-debian-dependencies.sh
 
 permissions:
   contents: read
@@ -44,6 +54,7 @@ jobs:
         run: bash bin/update-rootfs.sh -d ${{ secrets.DEPENDENCY_BUCKET_NAME }}
 
       - name: create PR
+        if: github.event_name != 'pull_request'
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           # A Personal Access Token instead of the default `GITHUB_TOKEN` is required
@@ -62,13 +73,6 @@ jobs:
       tag: ${{ steps.fetch-tag.outputs.tag }}
 
     steps:
-      - name: Checkout nerdctl
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          repository: containerd/nerdctl
-          fetch-depth: 0
-          fetch-tags: true
-
       - name: Fetch tag for latest release
         id: fetch-tag
         env:
@@ -78,7 +82,12 @@ jobs:
             echo "tag=$OVERRIDE_TAG" >> $GITHUB_OUTPUT
             echo "Override tag: $OVERRIDE_TAG"
           else
-            latest_tag="$(git tag --sort=-version:refname | head -n 1)"
+            latest_tag="$(\
+              curl -s "https://api.github.com/repos/containerd/nerdctl/releases/latest" | \
+              grep '"tag_name":' | \
+              head -1 | \
+              cut -d'"' -f4 \
+            )"
             echo "tag=$latest_tag" >> $GITHUB_OUTPUT
             echo "Latest tag is ${latest_tag}"
           fi
@@ -102,6 +111,7 @@ jobs:
         run: bash bin/update-container-runtime-full-archive.sh -t "${{ env.NERDCTL_TAG }}"
 
       - name: Create PR
+        if: github.event_name != 'pull_request'
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -119,4 +129,9 @@ jobs:
             and reopened manually to trigger automated checks.
 
   update-ubuntu-dependencies:
+    # Add permissions needed to create a PR
+    permissions:
+      contents: write
+      pull-requests: write
+    
     uses: ./.github/workflows/update-ubuntu-dependencies.yaml

.github/workflows/update-ubuntu-dependencies.yaml

@@ -2,11 +2,7 @@ name: update-ubuntu-dependencies
 
 on:
   workflow_call:
-
-# Add permissions needed to create a PR
-permissions:
-  contents: write
-  pull-requests: write
+  workflow_dispatch:
 
 jobs:
   update-dependencies-and-create-pr:
@@ -37,7 +33,7 @@ jobs:
           fi
 
       - name: Create or update PR
-        if: steps.changes.outputs.changed == 'true'
+        if: github.event_name != 'pull_request' && steps.changes.outputs.changed == 'true'
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
           token: ${{ secrets.GITHUB_TOKEN }}

bin/update-debian-dependencies.sh

@@ -98,6 +98,14 @@ NERDCTL_LATEST=$(get_latest_tag "containerd/nerdctl")
 NERDCTL_COMMIT=$(get_commit_for_tag "containerd/nerdctl" "$NERDCTL_LATEST")
 update_dependency "NERDCTL" "$NERDCTL_LATEST" "$NERDCTL_COMMIT"
 
+# Get nerdctl dockerfile content
+echo "Getting nerdctl dockerfile content..."
+NERDCTL_DOCKERFILE=$(get_nerdctl_dockerfile "$NERDCTL_LATEST")
+
+# Get BuildKit version from nerdctl Dockerfile
+echo "Getting BuildKit version from nerdctl Dockerfile..."
+BUILDKIT_VERSION=$(get_buildkit_version "$NERDCTL_DOCKERFILE")
+
 # Update buildkit with version from nerdctl
 echo "Updating buildkit to version $BUILDKIT_VERSION..."
 BUILDKIT_COMMIT=$(get_commit_for_tag "moby/buildkit" "$BUILDKIT_VERSION")
@@ -109,24 +117,16 @@ SOCI_LATEST=$(get_latest_tag "awslabs/soci-snapshotter")
 SOCI_COMMIT=$(get_commit_for_tag "awslabs/soci-snapshotter" "$SOCI_LATEST")
 update_dependency "SOCI" "$SOCI_LATEST" "$SOCI_COMMIT"
 
-# Get nerdctl dockerfile content
-echo "Getting nerdctl dockerfile content..."
-NERDCTL_DOCKERFILE=$(get_nerdctl_dockerfile "$NERDCTL_LATEST")
-
-# Get BuildKit version from nerdctl Dockerfile
-echo "Getting BuildKit version from nerdctl Dockerfile..."
-BUILDKIT_VERSION=$(get_buildkit_version "$NERDCTL_DOCKERFILE")
-
-# Get Cosign version from nerdctl Dockerfile
-echo "Getting Cosign version from nerdctl Dockerfile..."
-COSIGN_VERSION=$(get_cosign_version "$NERDCTL_DOCKERFILE")
-
 # Update CNI plugins
 echo "Updating CNI plugins..."
 CNI_LATEST=$(get_cni_plugin_version "$NERDCTL_DOCKERFILE")
 CNI_COMMIT=$(get_commit_for_tag "containernetworking/plugins" "$CNI_LATEST")
 update_dependency "CNI" "$CNI_LATEST" "$CNI_COMMIT"
 
+# Get Cosign version from nerdctl Dockerfile
+echo "Getting Cosign version from nerdctl Dockerfile..."
+COSIGN_VERSION=$(get_cosign_version "$NERDCTL_DOCKERFILE")
+
 # Update cosign with version from nerdctl
 echo "Updating cosign to version $COSIGN_VERSION..."
 if [ -n "$COSIGN_VERSION" ]; then