BOM Refresh #1
```yaml
# Copyright (c) 2026, NVIDIA CORPORATION.  All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Weekly refresh of docs/user/container-images.md.
#
# Runs `make bom-docs` against the live Helm chart catalog and opens (or
# updates) a PR if the regenerated BOM differs from the committed copy.
# Catches upstream chart drift for components whose chart version is not
# yet pinned (gated by issue #742; see #748/#749 for the pinning work).
# Once every chart is digest-pinned end-to-end, this should reduce to a
# no-op — keeping the action keeps that property visible and enforced.
#
# A path-filtered PR-time `bom-check` gate (catching drift introduced by
# in-tree changes rather than upstream rerenders) is a planned follow-up
# under #739; until that lands, this scheduled refresh is the sole
# enforcement.

name: BOM Refresh

on:
  schedule:
    # Mondays 06:00 UTC, after most upstream releases settle from the weekend.
    - cron: "0 6 * * 1"
  workflow_dispatch: {}

permissions:
  contents: read

jobs:
  refresh:
    name: Regenerate BOM and open PR on drift
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Checkout Code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Load versions
        id: versions
        uses: ./.github/actions/load-versions
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: ${{ steps.versions.outputs.go }}
          cache: false
      - name: Set up Helm
        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v4.3.1
        with:
          version: ${{ steps.versions.outputs.helm }}
      - name: Regenerate BOM doc
        run: make bom-docs
      - name: Open or update refresh PR if BOM drifted
        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          # The bot reuses GITHUB_TOKEN; the repo's /ok reviewer-comment
          # policy re-fires CI on bot PRs (matches the renovate.yaml setup).
          commit-message: "chore(bom): refresh container image inventory"
          title: "chore(bom): refresh container image inventory"
          body: |
            Automated weekly refresh of `docs/user/container-images.md`.
            Drift here usually indicates an upstream chart re-rendered with
            different image defaults (typical for components whose chart
            version is not yet pinned — tracked under #739 / #749).
            Review the diff to confirm the change is expected.
          branch: chore/bom-refresh
          delete-branch: true
          labels: |
            documentation
            area/docs
            area/recipes
```
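A reviewer-side helper for the refresh PR that the header comment and PR body describe, added here as an example and not part of the project's tooling: it compares the committed and regenerated BOM text and separates ordinary version bumps from tags whose digest changed and from images that still lack a digest. The reference pattern, the function names and the sample rows are assumptions, since the layout of `docs/user/container-images.md` is not shown on this page.

```python
import re

# Assumed reference shape: host.with.dot[:port]/path[:tag][@sha256:<64 hex>].
# The real BOM layout is not shown on the page, so images are found by pattern.
IMAGE_RE = re.compile(
    r"(?P<repo>[a-z0-9-]+(?:\.[a-z0-9-]+)+(?::\d+)?(?:/[a-z0-9._-]+)+)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9._-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
)

def parse_bom(text):
    """Map repository -> (tag, digest); a repository listed twice keeps the last entry."""
    return {m["repo"]: (m["tag"], m["digest"]) for m in IMAGE_RE.finditer(text)}

def drift_report(old_text, new_text):
    """Classify what changed between the committed BOM and the regenerated one."""
    old, new = parse_bom(old_text), parse_bom(new_text)
    report = {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "retagged": [],        # tag moved: an ordinary upstream version bump
        "digest_changed": [],  # same tag, different digest: the tag was republished
        "unpinned": sorted(r for r, (_, d) in new.items() if d is None),
    }
    for repo in sorted(old.keys() & new.keys()):
        (old_tag, old_digest), (new_tag, new_digest) = old[repo], new[repo]
        if old_tag != new_tag:
            report["retagged"].append((repo, old_tag, new_tag))
        elif old_digest and new_digest and old_digest != new_digest:
            report["digest_changed"].append(repo)
    return report

# Constructed sample rows (hypothetical registry, tags and digests).
def _d(c): return "sha256:" + c * 64
R = "registry.example.com"
OLD_BOM = f"""\
| operator | {R}/team/operator:v1.2.0@{_d('a')} |
| webhook  | {R}/team/webhook:v0.9.1 |
| exporter | {R}/team/exporter:v2.0.0@{_d('b')} |
| agent    | {R}/legacy/agent:v0.1.0@{_d('c')} |
"""
NEW_BOM = f"""\
| operator | {R}/team/operator:v1.3.0@{_d('d')} |
| webhook  | {R}/team/webhook:v0.9.1 |
| exporter | {R}/team/exporter:v2.0.0@{_d('e')} |
| sidecar  | {R}/team/sidecar:v1.0.0@{_d('f')} |
"""
if __name__ == "__main__":
    for kind, items in drift_report(OLD_BOM, NEW_BOM).items():
        print(f"{kind}: {items}")
```

A non-empty `digest_changed` list is the case to look at first when reviewing a refresh PR, because the tag text in the diff looks unchanged while the image content is not.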