introduce an automation for GHA runner version update (#3034)

[static]

Signed-off-by: Mateusz Błażejewski <mateusz.blazejewski@digitalasset.com>

Author: mblaze-da

.github/workflows/bump_gha_runner_version.yml

@@ -0,0 +1,33 @@
+name: Bump GHA runner version (WIP)
+on:
+  # schedule:
+  #   - cron: '30 6 1,15 * *'  # Monthly on the 1st and 15th at 06:30
+  workflow_dispatch:
+
+jobs:
+  bump_gha_runner_version:
+    runs-on: ubuntu-24.04
+    name: Bump GHA runner version
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      
+      - name: Check for the latest version and create a PR to splice
+        uses: ./.github/actions/nix/run_bash_command_in_nix
+        with:
+          cmd: |
+            git config user.email "splice-maintainers@digitalasset.com"
+            git config user.name "DA Automation"
+            ./scripts/bump_gha_runner_version.sh
+          additional_nix_args: "--keep GH_TOKEN"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Report Failures on Slack & Github
+        if: failure() && (github.event_name == 'push' || github.event_name == 'schedule')
+        uses: ./.github/actions/tests/failure_notifications
+        with:
+          workload_identity_provider: '${{ secrets.GOOGLE_WORKLOAD_IDENTITY_PROVIDER }}'
+          service_account: '${{ secrets.FAILURE_NOTIFICATIONS_INVOKER_SA }}'
+          notifications_url: '${{ secrets.FAILURE_NOTIFICATIONS_INVOKER_URL }}'
+          slack_channel: '${{ secrets.FAILURE_NOTIFICATIONS_SLACK_CHANNEL }}'

cluster/images/splice-test-docker-runner/Dockerfile

@@ -1,7 +1,10 @@
+ARG RUNNER_VERSION=2.330.0
+ARG RUNNER_DIGEST=sha256:ee54ad8776606f29434f159196529b7b9c83c0cb9195c1ff5a7817e7e570dcfe
+
 # Note that we don't currently support arm64 runners, so we build this only for amd64
-FROM --platform=$BUILDPLATFORM ghcr.io/actions/actions-runner:2.330.0@sha256:ee54ad8776606f29434f159196529b7b9c83c0cb9195c1ff5a7817e7e570dcfe
+FROM --platform=$BUILDPLATFORM ghcr.io/actions/actions-runner:${RUNNER_VERSION}@${RUNNER_DIGEST}
 
-LABEL org.opencontainers.image.base.name="ghcr.io/actions/actions-runner:2.330.0"
+LABEL org.opencontainers.image.base.name="ghcr.io/actions/actions-runner:${RUNNER_VERSION}"
 #Ideally, we'd reduce duplication between this and splice-test-ci, but we're not tackling that right now
 
 RUN sudo apt-get update && \

cluster/images/splice-test-runner-hook/Dockerfile

@@ -1,7 +1,10 @@
+ARG RUNNER_VERSION=2.330.0
+ARG RUNNER_DIGEST=sha256:ee54ad8776606f29434f159196529b7b9c83c0cb9195c1ff5a7817e7e570dcfe
+
 # Note that we don't currently support arm64 runners, so we build this only for amd64
-FROM --platform=$BUILDPLATFORM ghcr.io/actions/actions-runner:2.330.0@sha256:ee54ad8776606f29434f159196529b7b9c83c0cb9195c1ff5a7817e7e570dcfe
+FROM --platform=$BUILDPLATFORM ghcr.io/actions/actions-runner:${RUNNER_VERSION}@${RUNNER_DIGEST}
 
-LABEL org.opencontainers.image.base.name="ghcr.io/actions/actions-runner:2.230.0"
+LABEL org.opencontainers.image.base.name="ghcr.io/actions/actions-runner:${RUNNER_VERSION}"
 
 COPY target/index.js /home/runner/k8s/index.js
 COPY target/LICENSE .

cluster/pulumi/gha/src/runners.ts

@@ -186,7 +186,7 @@ function installDockerRunnerScaleSet(
             containers: [
               {
                 name: 'runner',
-                image: `${DOCKER_REPO}/splice-test-docker-runner:${ghaConfig.runnerHookVersion}`,
+                image: `${DOCKER_REPO}/splice-test-docker-runner:${ghaConfig.runnerVersion}`,
                 command: ['/home/runner/run.sh'],
                 env: [
                   {

scripts/bump-gha-runner-version.sh

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2024 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+set -euo pipefail
+
+runner_version=$(
+  gh release view \
+    --repo actions/runner \
+    --json tagName \
+  | jq -r '.tagName' \
+  | sed 's/^v//' # remove the 'v' prefix
+)
+
+# gets the multiplatform image digest
+runner_digest=$(
+  docker buildx imagetools inspect "ghcr.io/actions/actions-runner:${runner_version}" \
+  | yq '.Digest'
+)
+
+docker_runner_file="${SPLICE_ROOT}/cluster/images/splice-test-docker-runner/Dockerfile"
+runner_hook_file="${SPLICE_ROOT}/cluster/images/splice-test-runner-hook/Dockerfile"
+
+sed \
+  --in-place \
+  --expression "s/^\(ARG RUNNER_VERSION=\).*/\1${runner_version}/" \
+  --expression "s/^\(ARG RUNNER_DIGEST=\).*/\1${runner_digest}/"  \
+  "${docker_runner_file}" \
+  "${runner_hook_file}"
+
+if git diff --exit-code --quiet "${docker_runner_file}" "${runner_hook_file}"; then
+  echo "GHA runner version is up to date."
+  exit 0
+fi
+
+make --directory "${SPLICE_ROOT}" --jobs \
+  cluster/images/splice-test-docker-runner/docker-build \
+  cluster/images/splice-test-runner-hook/docker-build
+
+git add --all
+updated_branch="gha-runner-version-bump-$(date +%Y-%m-%d)"
+git switch -c "${updated_branch}"
+git commit -m "[static] bump GHA runner version to the latest (auto-generated)" -s
+git push origin "${updated_branch}"
+
+gh pr create \
+  --base "main" \
+  --head "$updated_branch" \
+  --title "Bump GHA runner version to the latest (auto-generated)" \
+  --body "" \
+  --reviewer isegall-da,martinflorian-da,ray-roestenburg-da,mblaze-da