Add handling of tags in docker-helper #12943

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merged

alexrashed merged 6 commits into main from fix-docker-image-tag-push

Aug 14, 2025

Member

silv-io commented Jul 31, 2025 •

edited

Loading

Motivation

With the latest release we still had issues with pushing docker images on pipeline runs triggered by the tag push.

This is because the docker helper assumes that only the main branch should be allowed for pushing the images. Since tags are not bound to a branch, a tag-triggered run will not have a branch ref.

We need to add extra provisions for allowing tagged commits to also push images.

/cc @dfangl (and thanks for providing the patch files)

Changes

Allow tagged commits to also successfully push images
Add bats test to assure this is possible

Testing

To avoid further issues we'll do a run in a forked repository where we push into a different DockerHub account.

TODO

What's left to do:

Thorough testing:
- Test that regular pushes to main will still work: https://github.com/silv-io/localstack/actions/runs/16909810881
- Test that tag pushes to main will start working: https://github.com/silv-io/localstack/actions/runs/16909892613 -> see here
...


          Add handling of tags in docker-helper

f39c8f0

Co-authored-by: Daniel Fangl <daniel.fangl@localstack.cloud>

github-actions bot commented Jul 31, 2025 •

edited

Loading

Helper Script Tests

30 tests 30 ✅ 0s ⏱️
2 suites 0 💤
1 files 0 ❌

Results for commit 9badae1.

♻️ This comment has been updated with latest results.

silv-io added the semver: patch label

github-actions bot commented Jul 31, 2025 •

edited

Loading

Test Results - Preflight, Unit

22 106 tests +126 20 371 ✅ +125 6m 25s ⏱️ -29s
1 suites ± 0 1 735 💤 + 1
1 files ± 0 0 ❌ ± 0

Results for commit 9badae1. ± Comparison against base commit f459293.

♻️ This comment has been updated with latest results.

github-actions bot commented Jul 31, 2025 •

edited

Loading

Test Results (amd64) - Acceptance

7 tests ±0 5 ✅ ±0 3m 17s ⏱️ -4s
1 suites ±0 2 💤 ±0
1 files ±0 0 ❌ ±0

Results for commit 9badae1. ± Comparison against base commit f459293.

♻️ This comment has been updated with latest results.


          Fix bats tests and add a new one

3555f92

Co-authored-by: Daniel Fangl <daniel.fangl@localstack.cloud>

silv-io requested a review from alexrashed

July 31, 2025 15:44

github-actions bot commented Jul 31, 2025 •

edited

Loading

Test Results (amd64) - Integration, Bootstrap

5 files 5 suites 2h 20m 4s ⏱️
4 987 tests 4 395 ✅ 592 💤 0 ❌
4 993 runs 4 395 ✅ 598 💤 0 ❌

Results for commit 9badae1.

♻️ This comment has been updated with latest results.

github-actions bot commented Jul 31, 2025 •

edited

Loading

LocalStack Community integration with Pro

2 files 2 suites 1h 44m 29s ⏱️
4 628 tests 4 188 ✅ 440 💤 0 ❌
4 630 runs 4 188 ✅ 442 💤 0 ❌

Results for commit 9badae1.

♻️ This comment has been updated with latest results.

silv-io marked this pull request as ready for review

August 12, 2025 17:52

silv-io added the review: merge when ready label

alexrashed reviewed

View reviewed changes

Member

alexrashed left a comment

Thanks for following up on this! 💯
Since this is quite a critical change this needs to be bullet proof, so I do have a few questions and some suggestions which I would love to discuss before we merge this.

tests/bin/test.docker-helper.bats Show resolved Hide resolved

tests/bin/test.docker-helper.bats Show resolved Hide resolved

tests/bin/test.docker-helper.bats Show resolved Hide resolved

tests/bin/test.docker-helper.bats Outdated

+                export PLATFORM=amd64
+                export TEST_TAG=v1.0.0
+                run bin/docker-helper.sh push
+                echo "$output"

Member

alexrashed Aug 13, 2025

suggestion: Seems like a leftover from testing?

Member Author

silv-io Aug 13, 2025

true, will remove it.

tests/bin/test.docker-helper.bats Outdated Show resolved Hide resolved

bin/docker-helper.sh

@@ @@ -65,15 +65,21 @@ function _get_current_branch() { @@
                   git branch --show-current
               }
+              function _get_current_tag() {
+                  git describe --tags --exact-match 2> /dev/null || true

Member

alexrashed Aug 13, 2025

question: Would it make sense to check that this really is a release tag? Is there a scenario where this can slip through and enable the push for something we do not want?

Member

dfangl Aug 13, 2025

I think this also leaves a bigger question: Should we allow any tags which are not release tags in the repository at all? This would be a case for the repository protection rules, then.

Member

alexrashed Aug 13, 2025

That's a good point! But since a few weeks we have branch protection rules in place in the main emulator repos. Only the release action / bot is allowed to create any tags.
Are you suggesting to make the rule even stricter such that the release action is only allowed to push version compliant tag names?

Member

dfangl Aug 13, 2025 •

edited

Loading

It would make sense in my opinion, even though it is unlikely that the release action starts to push random tags. I think a ruleset:

Allowing v\d+\.\d+\.\d+ (not sure of the regex flavor for github, please don't quote me on it) tags only for the release action / bot
Disallowing all other tag pushes
Would make sense. We could also add another check in the docker helper, to feel more safe, but I don't think it is necessary.

Member Author

silv-io Aug 13, 2025

I just want to add here that the pipeline which will use the docker-helper to push the images (aws-main.yml) can only be triggered by tags of this shape:

    tags:
      - 'v[0-9]+.[0-9]+.[0-9]+'

Member Author

silv-io Aug 13, 2025

I've also added functionality to the docker helper now to refuse using tags without this shape and a test for it

Member

alexrashed Aug 13, 2025

thought: That's awesome, thanks! Great improvement and cleanup! One follow up question: What happens if the commit is tagged twice?

Member Author

silv-io Aug 14, 2025

I'd assume the workflow would be triggered once for each tag. I can explore that

Member

alexrashed Aug 14, 2025

Thanks! Would also be very interesting how this function behaves for the two tags. :)

silv-io and others added 4 commits

August 13, 2025 11:29


          Apply suggestion from @alexrashed

32c27ee

Co-authored-by: Alex Rashed <2796604+alexrashed@users.noreply.github.com>


          Remove debug output

e99f5d9


          Add check for correct tags being pushed by docker based on TEST_TAG

096f03d


          Add handling of malformed tags

9badae1

silv-io requested a review from alexrashed

August 13, 2025 14:04

alexrashed approved these changes

View reviewed changes

Member

alexrashed left a comment

Awesome! This is now really looking great and is nicely tested in the bats tests! 🧹

It would be great if you could really verify that the changes we made here during the review iterations are working in your fork setup as well, just in case! 💚

bin/docker-helper.sh

@@ @@ -65,15 +65,21 @@ function _get_current_branch() { @@
                   git branch --show-current
               }
+              function _get_current_tag() {
+                  git describe --tags --exact-match 2> /dev/null || true

Member

alexrashed Aug 13, 2025

thought: That's awesome, thanks! Great improvement and cleanup! One follow up question: What happens if the commit is tagged twice?

alexrashed merged commit 6130f75 into main

42 checks passed

alexrashed deleted the fix-docker-image-tag-push branch

August 14, 2025 07:23

alexrashed mentioned this pull request

introduce get-release-version in docker helper #13006

Open

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

review: merge when ready semver: patch