I have a Python app that takes the value of a certificate in a Dockerfile and updates it. However, I'm having difficulty knowing how to get the app to work within GitLab.

When I push the app with the Dockerfile to be updated I want the app to run in the GitLab pipeline and update the Dockerfile. I'm a little stuck on how to do this. I'm thinking that I would need to pull the repo, run the app and then push back up.

Would like some advice on if this is the right approach and if so how I would go about doing so?

This is just an example of the Dockerfile to be updated (I know this image wouldn't actually work, but the app would only update the ca-certificate present in the DF):

#syntax=docker/dockerfile:1

#init the base image 
FROM alpine:3.15

#define present working directory
#WORKDIR /library

#run pip to install the dependencies of the flask app
RUN apk add -u \
    ca-certificates=20211220 \  
    git=3.10
    

#copy all files in our current directory into the image
COPY . /library

EXPOSE 5000


#define command to start the container, need to make app visible externally by specifying host 0.0.0.0
CMD [ "python3", "-m", "flask", "run", "--host=0.0.0.0"]

gitlab-ci.yml:

stages:
  - build
  - test
  - update_certificate


variables:
  PYTHON_IMG: "python:3.10"


pytest_installation:
  image: $PYTHON_IMG
  stage: build
  script: 
    - pip install pytest
    - pytest --version


python_requirements_installation:
  image: $PYTHON_IMG
  stage: build
  script:
    - pip install -r requirements.txt


unit_test:
  image: $PYTHON_IMG
  stage: test
  script:
    - pytest ./tests/test_automated_cert_checker.py


cert_updater:
  image: $PYTHON_IMG
  stage: update_certificate
  script:
    - pip install -r requirements.txt
    - python3 automated_cert_updater.py

I'm aware there's a lot of repetition with installing the requirements multiple times and that this is an area for improvement. It doesn't feel like it's necessary for the app to be built into an image because it's only used for updating the DF.

requirements.txt installs pytest and BeautifulSoup4

Additional context: The pipeline that builds the Docker image already exists and builds successfully. I am looking for a way to run this app once a day which will check if the ca-certificate is still up to date. If it isn't then the app is run, the ca-certificate in the Dockerfile is updated and then the updated Dockerfile is rebuilt automatically. My thoughts are that I may need to set the gitlab-ci.yml up to pull the repo, run the app (that updates the ca-certificate) and then re-push it, so that a new image is built based upon the update to the certificate. The Dockerfile shown here is just a basic example showing what the actual DF in the repo looks like.

user16828857

1 Answer

What you probably want to do is identify the appropriate version before you build the Dockerfile. Then, pass a --build-arg with the ca-certificates version. That way, if the arg changes, then the cached layer becomes invalid and will install the new version. But if the version is the same, the cached layer would be used.

FROM alpine:3.15


ARG CA_CERT_VERSION

RUN apk add -u \
    ca-certificates=$CA_CERT_VERSION \  
    git=3.10
# ...

Then when you build your image, you should figure out the appropriate ca-certificates version and pass it as a build-arg.

Something like:

version="$(python3 ./get-cacertversion.py)" # you implement this
# quote the expansion so the script's output is passed as one argument
docker build --build-arg "CA_CERT_VERSION=$version" -t myimage .

Be sure to add appropriate bits to leverage docker caching in GitLab.

sytech
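
A sketch of the check-and-update step the question describes, which also covers validating the value the answer passes as a build-arg. This is an added example, not the asker's app or the answerer's script. The function names, the version pattern and the sample version `20220614-r0` are assumptions made for illustration, and how the candidate version is looked up is left out.

```python
import re

# Assumed shape of an Alpine package version: upstream part plus optional -rN release.
VERSION_RE = re.compile(r"[0-9][0-9A-Za-z._]*(?:-r[0-9]+)?")
# Matches the pin inside the Dockerfile, e.g. "ca-certificates=20211220".
PIN_RE = re.compile(r"(?<![\w-])(ca-certificates=)([^\s\\]+)")


def validate_version(candidate: str) -> str:
    """Reject anything that is not a plain version string before it reaches
    the Dockerfile or a `docker build --build-arg` command line."""
    candidate = candidate.strip()
    if not VERSION_RE.fullmatch(candidate):
        raise ValueError(f"refusing suspicious version string: {candidate!r}")
    return candidate


def pinned_version(dockerfile_text: str) -> str:
    """Return the version currently pinned for ca-certificates."""
    match = PIN_RE.search(dockerfile_text)
    if match is None:
        raise LookupError("no ca-certificates pin found")
    return match.group(2)


def update_pin(dockerfile_text: str, candidate: str) -> tuple[str, bool]:
    """Return (new_text, changed). Only the ca-certificates pin is touched."""
    new_version = validate_version(candidate)
    # A callable replacement keeps the new value from being read as a regex template.
    new_text, count = PIN_RE.subn(lambda m: m.group(1) + new_version, dockerfile_text)
    if count == 0:
        raise LookupError("no ca-certificates pin found")
    return new_text, new_text != dockerfile_text


# Constructed sample input, modelled on the Dockerfile in the question.
SAMPLE = """FROM alpine:3.15
RUN apk add -u \\
    ca-certificates=20211220 \\
    git=3.10
"""

if __name__ == "__main__":
    text, changed = update_pin(SAMPLE, "20220614-r0")  # constructed version value
    print("changed:", changed)
    print(text)
```

A scheduled job would only need to commit and push when `changed` is true, so an unchanged pin does not trigger a rebuild.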