From 046a498c1bc42d34fa99829cc9d46f07aae6649e Mon Sep 17 00:00:00 2001 From: james Hart Date: Mon, 9 Dec 2024 10:46:14 +0000 Subject: [PATCH] HEAT-447 - slack notification when Renovate identifies new runner version (#6) * redeploy runners to 2.320.0 to see if Renovate picks it up * add automated slack message --- .../runner-slack-notification/action.yml | 45 +++++++++++++++++++ .github/workflows/new_renovate_pr.yml | 26 +++++++++++ Dockerfile | 12 +++-- renovate.json | 18 ++++++++ 4 files changed, 98 insertions(+), 3 deletions(-) create mode 100644 .github/actions/runner-slack-notification/action.yml create mode 100644 .github/workflows/new_renovate_pr.yml create mode 100644 renovate.json diff --git a/.github/actions/runner-slack-notification/action.yml b/.github/actions/runner-slack-notification/action.yml new file mode 100644 index 0000000..5fde311 --- /dev/null +++ b/.github/actions/runner-slack-notification/action.yml 
@@ -0,0 +1,45 @@
+name: Run the slack notification for various things
+description: This sends a slack notification
+
+inputs:
+ slack_channel:
+ description: 'The channel to send the slack message to'
+ required: true
+ slack_bot_token:
+ description: 'The slack bot token'
+ required: true
+ pull_request_number:
+ description: The number of the pull request
+ required: true
+runs:
+ using: composite
+ steps:
+ - name: Slack - Send a message
+ id: slack-message
+ uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
+ with:
+ method: chat.postMessage
+ token: ${{ inputs.slack_bot_token }}
+ payload: |
+ "channel": "${{ inputs.slack_channel }}",
+ "text": "*GITHUB ACTIONS RUNNER*: upgrade PR has been created for *${{ github.event.repository.name }}*",
+ "blocks": [
+ {
+ "type": "section",
+ "fields": [
+ {
+ "type": "mrkdwn",
+ "text": "*Github Actions Runner PR - new runner available*"
+ }
+ ]
+ },
+ {
+ "type": "section",
+ "fields": [
+ {
+ "type": "mrkdwn",
+ "text": "*Pull Request:*\n<${{ github.server_url }}/${{ github.repository }}/pull/${{ inputs.pull_request_number }}/files|${{ github.event.repository.name }}/pull/${{ inputs.pull_request_number }}>"
+ }
+ ]
+ }
+ ]
diff --git a/.github/workflows/new_renovate_pr.yml b/.github/workflows/new_renovate_pr.yml
new file mode 100644
index 0000000..ece9af8
--- /dev/null
+++ b/.github/workflows/new_renovate_pr.yml
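Review bot: The `payload` block pastes `${{ inputs.slack_channel }}`, `${{ inputs.pull_request_number }}` and the repository name straight between JSON quotes, so a value containing a `"` or a backslash changes the structure of the message instead of its text. The caller added in this commit passes a repository variable and a PR number, so the exposure is low today, but the action is reusable and its inputs are free-form strings. Let the expression engine do the quoting, e.g. `"channel": ${{ toJSON(inputs.slack_channel) }},`, and extend the `pull_request_number` description to say the value is expected to be numeric.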
@@ -0,0 +1,26 @@ +name: New PR created - Slack message if it's a renovate Dockerfile PR + +on: + pull_request: + types: [opened, reopened] + +jobs: + renovate_pr: + runs-on: [ ubuntu-latest ] + permissions: + contents: write + steps: + - name: Check out code + uses: actions/checkout@v2 + - name: Get PR details + id: get_pr_details + run: | + echo "::set-output name=title::$(jq -r .pull_request.title < $GITHUB_EVENT_PATH)" + echo "::set-output name=number::$(jq -r .pull_request.number < $GITHUB_EVENT_PATH)" + - name: Run action if PR title contains 'actions/runner' + if: contains(steps.get_pr_details.outputs.title, 'actions/runner') + uses: ./.github/actions/runner-slack-notification + with: + slack_channel: ${{ vars.NOTIFICATIONS_SLACK_CHANNEL }} + slack_bot_token: ${{ secrets.HMPPS_SRE_SLACK_BOT_TOKEN }} + pull_request_number: ${{ steps.get_pr_details.outputs.number }} diff --git a/Dockerfile b/Dockerfile index a0b47a0..c16b5bf 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,9 +12,10 @@ ENV CONTAINER_USER="runner" \ CONTAINER_GROUP="runner" \ CONTAINER_GID="10000" \ CONTAINER_HOME="/actions-runner" \ - DEBIAN_FRONTEND="noninteractive" \ - ACTIONS_RUNNER_VERSION="2.321.0" \ - ACTIONS_RUNNER_PKG_SHA="ba46ba7ce3a4d7236b16fbe44419fb453bc08f866b24f04d549ec89f1722a29e" + DEBIAN_FRONTEND="noninteractive" + +# Checked by renovate +ENV ACTIONS_RUNNER_VERSION="2.320.0" SHELL ["/bin/bash", "-e", "-u", "-o", "pipefail", "-c"] 
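Review bot: The `renovate_pr` job requests `contents: write` although its steps only read the event payload and post to Slack; `contents: read` is sufficient and limits what the job token can do if a step misbehaves. `actions/checkout@v2` is a mutable tag, whereas the Slack action in this same commit is pinned by commit SHA. On `pull_request` the checkout by default fetches the PR merge ref, so `./.github/actions/runner-slack-notification` is the pull request's own copy of the action and it receives `secrets.HMPPS_SRE_SLACK_BOT_TOKEN`. The `::set-output` commands in "Get PR details" are deprecated, and the step is not needed because title and number are available from the `github.event.pull_request` context, as sketched below.

```yaml
    permissions:
      contents: read
    steps:
      - name: Check out code
        # placeholder: replace with the full commit SHA of a reviewed checkout release
        uses: actions/checkout@<full-commit-sha>
      # "Get PR details" step removed: the event context already carries both values
      - name: Run action if PR title contains 'actions/runner'
        if: contains(github.event.pull_request.title, 'actions/runner')
        uses: ./.github/actions/runner-slack-notification
        with:
          # … unchanged: slack_channel, slack_bot_token …
          pull_request_number: ${{ github.event.pull_request.number }}
```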
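Review bot: Dropping the pinned `ACTIONS_RUNNER_PKG_SHA` from this `ENV` block removes the only integrity value that was reviewed and stored in the repository. The second Dockerfile hunk (`@@ -56,6 +57,11 @@`) replaces it with a value scraped at build time from the release page on the same host that serves the tarball. A checksum fetched alongside the artifact catches a corrupted download, but it does not protect against a release altered after review, since the asset and the published checksum would change together. Keep the digest pinned next to the version, e.g. `ACTIONS_RUNNER_PKG_SHA="<sha256 of the reviewed release tarball>"`, and update it in the same Renovate PR that the new Slack notification announces. The `ENV` block starts above the hunk.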
@@ -56,6 +57,11 @@ rm -rf /var/lib/apt/lists/* curl --location "https://github.com/actions/runner/releases/download/v${ACTIONS_RUNNER_VERSION}/actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION}.tar.gz" \ --output "actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION}.tar.gz" +# Validate the checksum +ACTIONS_RUNNER_PKG_SHA=$(curl -s --location "https://github.com/actions/runner/releases/tag/v${ACTIONS_RUNNER_VERSION}" | grep -A10 "SHA-256 Checksums" | grep actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION} | awk -F'[<> ]' '{print $4}') +echo "Release ACTIONS_RUNNER_PKG_SHA : ${ACTIONS_RUNNER_PKG_SHA}" +echo "Downloaded ACTIONS_RUNNER_PKG_SHA: $(sha256sum -b actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION}.tar.gz) | cut -d\ -f1" + echo "${ACTIONS_RUNNER_PKG_SHA}" "actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION}.tar.gz" | /usr/bin/sha256sum --check tar --extract --gzip --file="actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION}.tar.gz" --directory="${CONTAINER_HOME}" diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..e5a645b --- /dev/null +++ b/renovate.json @@ -0,0 +1,18 @@ +{ + "extends": [ + "config:base" + ], + "labels": ["dependencies", "github-actions"], + "regexManagers": [ + { + "fileMatch": ["Dockerfile"], + "matchStrings": [ + "ENV ACTIONS_RUNNER_VERSION=(?\\d+\\.\\d+\\.\\d+)" + ], + "datasourceTemplate": "github-releases", + "packageNameTemplate": "actions/runner", + "versioningTemplate": "semver", + "extractVersionTemplate": "^v(?\\d+\\.\\d+\\.\\d+)$" + } + ] +} \ No newline at end of file
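Review bot: The second diagnostic `echo` closes the command substitution before the pipe, so `| cut -d\ -f1` is printed as literal text and the file name stays in the output; it should read `echo "Downloaded ACTIONS_RUNNER_PKG_SHA: $(sha256sum -b "actions-runner-linux-x64-${ACTIONS_RUNNER_VERSION}.tar.gz" | cut -d' ' -f1)"`. The `grep -A10 ... | awk -F'[<> ]' '{print $4}'` extraction depends on the HTML layout of the release page, and `curl -s` without `--fail` hides HTTP errors. Under the file's `pipefail` shell a layout change will most likely stop the build rather than skip the check, but a comment saying so would help whoever has to debug a failed build. The enclosing `RUN` instruction starts and ends outside the hunk.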
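Review bot: The `matchStrings` pattern expects the digits directly after `=`, but the Dockerfile line added in this commit is `ENV ACTIONS_RUNNER_VERSION="2.320.0"` with a double quote in between, so the manager would not match it as written. Allow the quote in the pattern, e.g. `"ENV ACTIONS_RUNNER_VERSION=\"?(?<currentValue>\\d+\\.\\d+\\.\\d+)"`. The capture groups appear on this page as `(?\\d+...)` with no name; that is probably an extraction artefact that swallowed `<currentValue>` and `<version>`, but if the file really reads this way the regex is invalid and Renovate needs the named groups.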