From bc9a636301105ec353bd90003f272dbb5d565ef1 Mon Sep 17 00:00:00 2001
From: Felix Moessbauer <felix.moessbauer@siemens.com>
Date: Mon, 13 May 2024 16:16:40 +0200
Subject: [PATCH] ci: pin debian container based on commit date

The ci container is based on a reproducible debian base container.
This container was selected based on the most recent tag for the
requested distribution (e.g. bookworm-<date>-slim). However, when
re-building old tags in the CI, the selected date needs to match the
commit date and not the current date. This logic is implemented in this
patch.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .github/actions/docker-init/action.yml |  7 +++++--
 scripts/lower-bound.py                 | 11 +++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100755 scripts/lower-bound.py

diff --git a/.github/actions/docker-init/action.yml b/.github/actions/docker-init/action.yml
index 92fb5a9a..64a52565 100644
--- a/.github/actions/docker-init/action.yml
+++ b/.github/actions/docker-init/action.yml
@@ -33,9 +33,12 @@ runs:
 
     - name: Determine Debian tag
       run: |
+        COMMIT_DATE=$(date -d @$(git log -1 --pretty=%ct) +%Y%m%d)
         DEBIAN_RELEASE=$(grep -m 1 'ARG DEBIAN_TAG=' Dockerfile | sed 's/.*DEBIAN_TAG=\(.*\)-.*/\1/')
-        echo "DEBIAN_TAG=$(podman image search --list-tags debian --limit 1000000000 | \
-                           grep "$DEBIAN_RELEASE-.*-slim" | sort -r | head -1 | sed 's/.*[ ]\+//')" >> $GITHUB_ENV
+        echo "DEBIAN_TAG=$(podman search --list-tags docker.io/debian --limit 1000000000 | \
+                           grep "$DEBIAN_RELEASE-.*-slim" | sort -r | sed 's/.*[ ]\+//' | \
+                           ./scripts/lower-bound.py $DEBIAN_RELEASE-$COMMIT_DATE-slim )" \
+                           >> $GITHUB_ENV
       shell: bash
 
     - name: Prepare repository for COPY-in
diff --git a/scripts/lower-bound.py b/scripts/lower-bound.py
new file mode 100755
index 00000000..a0cf3197
--- /dev/null
+++ b/scripts/lower-bound.py
@@ -0,0 +1,11 @@
+#!/usr/bin/env python3
+# takes a reverse-sorted, line separated list and
+# returns the first element that is equal or smaller
+# than the first argument
+
+import sys
+
+for line in sys.stdin:
+    if line.rstrip() <= sys.argv[1]:
+        print(line.rstrip())
+        break