Add workflow and script to automatically update distribution snapshots

daandemeyer · daandemeyer · commit baf812c80922 · 2026-03-07T12:28:55.000+01:00
Add a GitHub Actions workflow that runs every three days to pin each
distribution to its latest snapshot. The workflow runs
tools/update-snapshot.py for each distribution (arch, centos, debian,
fedora, opensuse, ubuntu) which fetches the latest snapshot via
"mkosi latest-snapshot", updates the corresponding mkosi config file
with the new Snapshot= setting, and commits the result.

The workflow then creates a pull request for the update using
github-script. Each distribution gets its own dedicated branch
(update-snapshot/&lt;distro&gt;) so that only a single pull request is open
per distribution at a time. If an existing pull request is already
open, it is updated in place by force-pushing to the branch.

Auto-merge is enabled on each pull request via the GraphQL
enablePullRequestAutoMerge mutation so that the snapshot update lands
automatically once CI is green.
diff --git a/.github/workflows/update-snapshot.yml b/.github/workflows/update-snapshot.yml
@@ -0,0 +1,114 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+name: update-snapshot
+
+permissions:
+  contents: write
+  pull-requests: write
+
+on:
+  schedule:
+    # Update snapshots every three days at midnight
+    - cron: "0 0 */3 * *"
+  workflow_dispatch:
+
+jobs:
+  update-snapshot:
+    runs-on: ubuntu-24.04
+    if: github.repository == 'daandemeyer/mkosi'
+    strategy:
+      fail-fast: false
+      matrix:
+        distro:
+          - arch
+          - centos
+          - debian
+          - fedora
+          - opensuse
+          - ubuntu
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+      - uses: systemd/mkosi@main
+
+      - name: Configure git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Update snapshot
+        id: update
+        run: |
+          branch="update-snapshot/${{ matrix.distro }}"
+          git checkout -B "$branch"
+
+          tools/update-snapshot.py -d ${{ matrix.distro }} -c
+
+          if git diff --quiet HEAD~1 HEAD 2>/dev/null; then
+            echo "updated=false" >>"$GITHUB_OUTPUT"
+          else
+            git push -f origin "$branch"
+            echo "updated=true" >>"$GITHUB_OUTPUT"
+            echo "branch=$branch" >>"$GITHUB_OUTPUT"
+            echo "title=$(git log -1 --format=%s)" >>"$GITHUB_OUTPUT"
+          fi
+
+      - name: Create or update pull request
+        if: steps.update.outputs.updated == 'true'
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
+        with:
+          script: |
+            const branch = '${{ steps.update.outputs.branch }}';
+            const title = '${{ steps.update.outputs.title }}';
+            const distro = '${{ matrix.distro }}';
+            const body = `Automated snapshot update for ${distro}.`;
+
+            const { data: pulls } = await github.rest.pulls.list({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: 'open',
+              head: `${context.repo.owner}:${branch}`,
+            });
+
+            let number;
+
+            if (pulls.length > 0) {
+              const pull = pulls[0];
+              await github.rest.pulls.update({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: pull.number,
+                title: title,
+                body: body,
+              });
+              console.log(`Updated existing pull request #${pull.number}`);
+              number = pull.number;
+            } else {
+              const { data: pr } = await github.rest.pulls.create({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                title: title,
+                body: body,
+                head: branch,
+                base: 'main',
+              });
+              console.log(`Created pull request #${pr.number}`);
+              number = pr.number;
+            }
+
+            // Enable auto-merge so the PR merges automatically once CI is green.
+            const { data: pullData } = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: number,
+            });
+
+            await github.graphql(`
+              mutation($pullRequestId: ID!) {
+                enablePullRequestAutoMerge(input: { pullRequestId: $pullRequestId, mergeMethod: MERGE }) {
+                  clientMutationId
+                }
+              }
+            `, { pullRequestId: pullData.node_id });
+
+            console.log(`Enabled auto-merge for pull request #${number}`);
diff --git a/tools/update-snapshot.py b/tools/update-snapshot.py
@@ -0,0 +1,138 @@
+#!/usr/bin/env python3
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+"""Fetch the latest snapshot for a distribution and update the mkosi config."""
+
+import argparse
+import configparser
+import shlex
+import subprocess
+import sys
+
+from pathlib import Path
+
+
+def parse_args() -> argparse.Namespace:
+    p = argparse.ArgumentParser(description=__doc__)
+    p.add_argument("--distribution", "-d", required=True)
+    p.add_argument("--commit", "-c", action="store_true", default=False)
+
+    return p.parse_args()
+
+
+def find_config(distribution: str) -> Path:
+    for p in (
+        Path(f"mkosi.conf.d/{distribution}.conf"),
+        Path(f"mkosi.conf.d/{distribution}/mkosi.conf"),
+    ):
+        if p.exists():
+            return p
+
+    print(f"No config file found for {distribution}", file=sys.stderr)
+    sys.exit(1)
+
+
+def read_release(path: Path) -> str | None:
+    config = configparser.ConfigParser()
+    # Preserve case of keys.
+    config.optionxform = str  # type: ignore[assignment]
+    config.read(path)
+
+    return config.get("Distribution", "Release", fallback=None)
+
+
+def update_snapshot(path: Path, snapshot: str) -> bool:
+    lines = path.read_text().splitlines()
+
+    # Check if there's already a Snapshot= line we can replace.
+    found = False
+    new = []
+    for line in lines:
+        if line.startswith("Snapshot="):
+            if line == f"Snapshot={snapshot}":
+                # Already up to date.
+                return False
+            new.append(f"Snapshot={snapshot}")
+            found = True
+        else:
+            new.append(line)
+
+    if not found:
+        # Add Snapshot= after the last key in the [Distribution] section.
+        result = []
+        added = False
+        in_distribution = False
+        for i, line in enumerate(new):
+            result.append(line)
+            if line.strip() == "[Distribution]":
+                in_distribution = True
+                continue
+            if in_distribution:
+                # Check if the next line starts a new section or if we're at the last line of the section.
+                next_is_end = (i + 1 >= len(new)) or new[i + 1].startswith("[")
+                is_blank = line.strip() == ""
+                if next_is_end and not is_blank:
+                    result.append(f"Snapshot={snapshot}")
+                    added = True
+                    in_distribution = False
+                elif next_is_end and is_blank:
+                    # Insert before the blank line.
+                    result.pop()
+                    result.append(f"Snapshot={snapshot}")
+                    result.append(line)
+                    added = True
+                    in_distribution = False
+
+        if not added:
+            # No [Distribution] section exists; add one.
+            result = new + ["", "[Distribution]", f"Snapshot={snapshot}"]
+
+        new = result
+
+    path.write_text("\n".join(new) + "\n")
+    return True
+
+
+def commit(distribution: str, release: str | None, path: Path, snapshot: str) -> None:
+    if release:
+        msg = f"mkosi: Update {distribution} {release} snapshot to {snapshot}"
+    else:
+        msg = f"mkosi: Update {distribution} snapshot to {snapshot}"
+
+    add_cmd = ["git", "add", str(path)]
+    print(f"+ {shlex.join(add_cmd)}")
+    subprocess.run(add_cmd, check=True)
+
+    commit_cmd = ["git", "commit", "-m", msg]
+    print(f"+ {shlex.join(commit_cmd)}")
+    subprocess.run(commit_cmd, check=True)
+
+
+def main() -> None:
+    args = parse_args()
+
+    path = find_config(args.distribution)
+    release = read_release(path)
+
+    cmd = [
+        "mkosi",
+        "-d", args.distribution,
+        "latest-snapshot",
+    ]
+    print(f"+ {shlex.join(cmd)}")
+    snapshot = subprocess.check_output(cmd, text=True).strip()
+
+    print(f"Latest snapshot for {args.distribution}: {snapshot}")
+
+    if not update_snapshot(path, snapshot):
+        print("Snapshot already up to date, nothing to do.")
+        return
+
+    print(f"Updated {path} with Snapshot={snapshot}")
+
+    if args.commit:
+        commit(args.distribution, release, path, snapshot)
+
+
+if __name__ == "__main__":
+    main()
