Add workflow to automatically update distribution snapshots

Add a GitHub Actions workflow that runs every three days to pin each
distribution to its latest snapshot. To make this work, we extend the
latest-snapshot verb with the option to write the snapshot to a config
file provided by the user. We do this to avoid having to start tracking
which config file provided a setting. Even if we had that, we still would
need the explicit config file to bootstrap the initial write so we might
as well insist on the user providing it. The workflow runs mkosi
latest-snapshot for each distribution (arch, centos, debian, fedora,
opensuse, ubuntu) which fetches the latest snapshot, updates the
corresponding mkosi config file with the new Snapshot= setting, and commits
the result.

The workflow then creates a pull request for the update using
github-script. Each distribution gets its own dedicated branch
(update-snapshot/<distro>) so that only a single pull request is open
per distribution at a time. If an existing pull request is already
open, it is updated in place by force-pushing to the branch.

Auto-merge is enabled on each pull request via the GraphQL
enablePullRequestAutoMerge mutation so that the snapshot update lands
automatically once CI is green.

Author: daandemeyer

.github/actions/mkosi-update-snapshot/action.yml

@@ -0,0 +1,198 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+name: mkosi-update-snapshot
+description: Update distribution snapshot and create a pull request
+
+inputs:
+  token:
+    description: GitHub token for authentication
+    required: true
+  distribution:
+    description: Distribution to update the snapshot for
+    required: false
+    default: ""
+  config:
+    description: Path to the config file to update
+    required: true
+  release:
+    description: Distribution release to update the snapshot for
+    required: false
+    default: ""
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      with:
+        token: ${{ inputs.token }}
+
+    - uses: ./
+
+    - name: Free disk space
+      shell: bash
+      run: |
+        sudo mv /usr/local /usr/local.trash
+        sudo mv /opt/hostedtoolcache /opt/hostedtoolcache.trash
+        sudo systemd-run rm -rf /usr/local.trash /opt/hostedtoolcache.trash
+
+    - name: Configure git
+      shell: bash
+      run: |
+        git config user.name "github-actions[bot]"
+        git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+    - name: Update snapshot
+      id: update
+      shell: bash
+      env:
+        DISTRIBUTION: ${{ inputs.distribution }}
+        RELEASE: ${{ inputs.release }}
+      run: |
+        branch="update-snapshot/${DISTRIBUTION:-default}"
+        git checkout -B "$branch"
+
+        mkosi ${DISTRIBUTION:+-d "$DISTRIBUTION"} ${RELEASE:+-r "$RELEASE"} latest-snapshot -- --update ${{ inputs.config }} --commit
+
+        if git diff --quiet HEAD~1 HEAD 2>/dev/null; then
+          echo "updated=false" >>"$GITHUB_OUTPUT"
+        else
+          echo "updated=true" >>"$GITHUB_OUTPUT"
+          echo "branch=$branch" >>"$GITHUB_OUTPUT"
+          echo "title=$(git log -1 --format=%s)" >>"$GITHUB_OUTPUT"
+        fi
+
+    - name: Build image and generate manifest diff
+      if: steps.update.outputs.updated == 'true'
+      shell: bash
+      env:
+        DISTRIBUTION: ${{ inputs.distribution }}
+        RELEASE: ${{ inputs.release }}
+      run: |
+        tee mkosi.local.conf <<EOF
+        [Distribution]
+        ${DISTRIBUTION:+Distribution=$DISTRIBUTION}
+        ${RELEASE:+Release=$RELEASE}
+
+        [Output]
+        Format=directory
+        ManifestFormat=json
+        EOF
+
+        # Build the image to generate a manifest. If the build fails, we still want to
+        # create the PR with just the snapshot update but include the build output so
+        # that it's easy to see what went wrong.
+        if ! mkosi -f 2>&1 | tee /tmp/mkosi-build.log; then
+          echo "::warning::Image build failed, skipping manifest diff"
+          cat >/tmp/pr-body.md <<BODY
+        :x: **Image build failed**
+
+        <details>
+        <summary>Build log</summary>
+
+        \`\`\`
+        $(cat /tmp/mkosi-build.log)
+        \`\`\`
+
+        </details>
+        BODY
+          mkosi -f clean
+          git push -f origin "${{ steps.update.outputs.branch }}"
+          exit 0
+        fi
+
+        manifest="mkosi.output/image.manifest"
+
+        if [[ -e mkosi/mkosi.conf ]] || [[ -e mkosi/mkosi.tools.conf ]]; then
+          manifests_dir="mkosi/manifests"
+        else
+          manifests_dir="manifests"
+        fi
+
+        old_manifest="$manifests_dir/${DISTRIBUTION:-default}.manifest.json"
+
+        if [[ -f "$old_manifest" && -f "$manifest" ]]; then
+          python3 tools/mkosi-manifest-diff.py "$old_manifest" "$manifest" >/tmp/pr-body.md
+        elif [[ -f "$manifest" ]]; then
+          echo "First manifest for this distribution, no previous manifest to diff against." >/tmp/pr-body.md
+        fi
+
+        if [[ -f "$manifest" ]]; then
+          mkdir -p "$manifests_dir"
+          cp "$manifest" "$old_manifest"
+          git add "$old_manifest"
+          git commit --amend --no-edit
+        fi
+
+        mkosi -f clean
+        rm mkosi.local.conf
+        git push -f origin "${{ steps.update.outputs.branch }}"
+
+    - name: Create or update pull request
+      if: steps.update.outputs.updated == 'true'
+      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
+      with:
+        github-token: ${{ inputs.token }}
+        script: |
+          const fs = require('fs');
+          const branch = '${{ steps.update.outputs.branch }}';
+          const title = '${{ steps.update.outputs.title }}';
+
+          let body = '';
+          try {
+            body = fs.readFileSync('/tmp/pr-body.md', 'utf8').trim();
+          } catch (e) {
+            console.log('No PR body file found, continuing without body');
+          }
+
+          const { data: pulls } = await github.rest.pulls.list({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            state: 'open',
+            head: `${context.repo.owner}:${branch}`,
+          });
+
+          let number;
+
+          if (pulls.length > 0) {
+            const pull = pulls[0];
+            await github.rest.pulls.update({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: pull.number,
+              title: title,
+              body: body,
+            });
+            console.log(`Updated existing pull request #${pull.number}`);
+            number = pull.number;
+          } else {
+            const { data: pr } = await github.rest.pulls.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: title,
+              head: branch,
+              base: 'main',
+              body: body,
+            });
+            console.log(`Created pull request #${pr.number}`);
+            number = pr.number;
+          }
+
+          // Enable auto-merge so the PR merges automatically once CI is green.
+          try {
+            const { data: pullData } = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: number,
+            });
+
+            await github.graphql(`
+              mutation($pullRequestId: ID!) {
+                enablePullRequestAutoMerge(input: { pullRequestId: $pullRequestId, mergeMethod: MERGE }) {
+                  clientMutationId
+                }
+              }
+            `, { pullRequestId: pullData.node_id });
+
+            console.log(`Enabled auto-merge for pull request #${number}`);
+          } catch (e) {
+            console.log(`Could not enable auto-merge for pull request #${number}: ${e.message}`);
+          }

.github/workflows/update-snapshot.yml

@@ -0,0 +1,46 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+name: update-snapshot
+
+on:
+  schedule:
+    # Update snapshots every three days at midnight
+    - cron: "0 0 */3 * *"
+  workflow_dispatch:
+
+jobs:
+  update-snapshot:
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - distro: arch
+            config: mkosi.conf.d/arch.conf
+          - distro: centos
+            config: mkosi.conf.d/centos.conf
+          - distro: debian
+            config: mkosi.conf.d/debian.conf
+          - distro: fedora
+            config: mkosi.conf.d/fedora/mkosi.conf
+          - distro: opensuse
+            config: mkosi.conf.d/opensuse/mkosi.conf
+          # Ubuntu does not have snapshots for the "devel" release
+          # - distro: ubuntu
+          #   config: mkosi.conf.d/ubuntu.conf
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
+
+      - uses: actions/create-github-app-token@v2
+        id: token
+        with:
+          app-id: ${{ vars.TRIGGER_CHECKS_ON_WORKFLOW_APP_ID }}
+          private-key: ${{ secrets.TRIGGER_CHECKS_ON_WORKFLOW_PRIVATE_KEY }}
+
+      - uses: ./.github/actions/mkosi-update-snapshot
+        with:
+          token: ${{ steps.token.outputs.token }}
+          distribution: ${{ matrix.distro }}
+          config: ${{ matrix.config }}

mkosi/__init__.py

@@ -139,6 +139,7 @@
     unshare,
     userns_has_single_user,
 )
+from mkosi.snapshot import run_latest_snapshot
 from mkosi.sysupdate import run_sysupdate
 from mkosi.tree import copy_tree, is_foreign_uid_tree, make_tree, move_tree, rmtree
 from mkosi.user import INVOKING_USER, become_root_cmd
@@ -4271,10 +4272,6 @@ def run_box(args: Args, config: Config) -> None:
         )
 
 
-def run_latest_snapshot(args: Args, config: Config) -> None:
-    print(config.distribution.installer.latest_snapshot(config))
-
-
 def run_shell(args: Args, config: Config) -> None:
     opname = "acquire shell in" if args.verb == Verb.shell else "boot"
     if config.output_format not in (OutputFormat.directory, OutputFormat.disk):

mkosi/config.py

@@ -111,6 +111,7 @@ def supports_cmdline(self) -> bool:
             Verb.box,
             Verb.sandbox,
             Verb.dependencies,
+            Verb.latest_snapshot,
         )
 
     def needs_tools(self) -> bool:

mkosi/snapshot.py

@@ -0,0 +1,89 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+import argparse
+from pathlib import Path
+
+from mkosi.config import Args, Config
+from mkosi.run import run
+
+
+def update_snapshot(path: Path, snapshot: str) -> bool:
+    lines = path.read_text().splitlines()
+
+    # Check if there's already a Snapshot= line we can replace.
+    found = False
+    new = []
+    for line in lines:
+        if line.startswith("Snapshot="):
+            if line == f"Snapshot={snapshot}":
+                # Already up to date.
+                return False
+            new.append(f"Snapshot={snapshot}")
+            found = True
+        else:
+            new.append(line)
+
+    if not found:
+        # Add Snapshot= after the last key in the [Distribution] section.
+        result: list[str] = []
+        added = False
+        in_distribution = False
+        for i, line in enumerate(new):
+            result.append(line)
+            if line.strip() == "[Distribution]":
+                in_distribution = True
+                continue
+            if in_distribution:
+                # Check if the next line starts a new section or if we're at the last line of the section.
+                next_is_end = (i + 1 >= len(new)) or new[i + 1].startswith("[")
+                is_blank = line.strip() == ""
+                if next_is_end and not is_blank:
+                    result.append(f"Snapshot={snapshot}")
+                    added = True
+                    in_distribution = False
+                elif next_is_end and is_blank:
+                    # Insert before the blank line.
+                    result.pop()
+                    result.append(f"Snapshot={snapshot}")
+                    result.append(line)
+                    added = True
+                    in_distribution = False
+
+        if not added:
+            # No [Distribution] section exists; add one.
+            result = new + ["", "[Distribution]", f"Snapshot={snapshot}"]
+
+        new = result
+
+    path.write_text("\n".join(new) + "\n")
+    return True
+
+
+def run_latest_snapshot(args: Args, config: Config) -> None:
+    p = argparse.ArgumentParser(
+        prog="mkosi latest-snapshot",
+        description="Fetch the latest snapshot for a distribution and optionally update a config file.",
+    )
+    p.add_argument("--update", metavar="PATH", type=Path, help="path to the config file to update")
+    p.add_argument("--commit", "-c", action="store_true", default=False, help="commit the change with git")
+    latestargs = p.parse_args(args.cmdline)
+
+    snapshot = config.distribution.installer.latest_snapshot(config)
+
+    if not latestargs.update:
+        print(snapshot)
+        return
+
+    print(f"Latest snapshot for {config.distribution}: {snapshot}")
+
+    if not update_snapshot(latestargs.update, snapshot):
+        print("Snapshot already up to date, nothing to do.")
+        return
+
+    print(f"Updated {latestargs.update} with Snapshot={snapshot}")
+
+    if latestargs.commit:
+        msg = f"mkosi: Update {config.distribution} {config.release} snapshot to {snapshot}"
+
+        run(["git", "add", str(latestargs.update)])
+        run(["git", "commit", "-m", msg])