
Automatically tag previous image during release#10367

Open
joehan wants to merge 1 commit into next from jh-autotag

Conversation

@joehan joehan (Member) commented Apr 16, 2026

Description

Automating one more chore in the release process - on each release, tag the previous release as no-new-use-public-image. We don't republish new versions of these old images with vulnerabilities addressed. Adding this tag opts the images out of future AutoVM scans and signals to users that they should be moving to latest.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces a new step in the Cloud Build pipeline to tag the previous version of the Firebase Docker image before publishing a new one. The feedback suggests modernizing the implementation by using gcloud artifacts docker commands instead of legacy gcloud container commands, improving the robustness of tag parsing, and handling cases where the image might not yet exist.

Comment on lines +170 to +175
TAGS=$(gcloud container images list-tags $${IMAGE_NAME} --filter="tags:latest" --format="value(tags)")
echo "Tags for latest: $${TAGS}"
PREVIOUS_VERSION=$(echo $${TAGS} | tr ',' '\n' | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$$' | head -n 1)
echo "Detected previous version: $${PREVIOUS_VERSION}"
if [ -n "$${PREVIOUS_VERSION}" ]; then
gcloud container images add-tag $${IMAGE_NAME}:latest $${IMAGE_NAME}:no-new-use-public-image-$${PREVIOUS_VERSION} --quiet
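Review bot: `tr ',' '\n'` only splits the tag list on commas, so if gcloud joins the tags for `latest` with its default `;` list delimiter (the default for repeated fields in the value() format), nothing matches the version regex, `PREVIOUS_VERSION` stays empty and the `add-tag` step is silently skipped; consider `tr ',;' '\n'` and an `else` branch that logs (or fails the build) when no previous version is detected, so a missed archival tag is visible in the build output. `head -n 1` also takes the first matching tag rather than the highest, which matters if `latest` ever carries more than one x.y.z tag.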

medium

The current implementation uses legacy gcloud container commands and could be more robust when parsing tags.

  1. Use Artifact Registry Commands: Since the registry is us-docker.pkg.dev, it is recommended to use gcloud artifacts docker commands instead of the legacy gcloud container commands.
  2. Handle Missing Images: If the image does not exist yet (e.g., in a new environment or first run), the gcloud command will exit with a non-zero status, which might fail the build depending on the shell environment. Adding || true and redirecting stderr ensures the script continues gracefully.
  3. Robust Parsing: Quoting the TAGS variable in echo prevents word splitting issues. Using tr ',;' handles different potential delimiters (semicolon is the default for many gcloud list values) to ensure tags are correctly split into lines for grep.
          TAGS=$(gcloud artifacts docker images list $${IMAGE_NAME} --filter="tags:latest" --format="value(tags)" 2>/dev/null || true)
          echo "Tags for latest: $${TAGS}"
          PREVIOUS_VERSION=$(echo "$${TAGS}" | tr ',;' '\n' | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$$' | head -n 1)
          echo "Detected previous version: $${PREVIOUS_VERSION}"
          if [ -n "$${PREVIOUS_VERSION}" ]; then
            gcloud artifacts docker tags add $${IMAGE_NAME}:latest $${IMAGE_NAME}:no-new-use-public-image-$${PREVIOUS_VERSION} --quiet
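The tag-parsing step the suggestion describes, as an added shell example (not code from the PR or the project): the parsing is factored into a function that accepts either ',' or ';' as the list delimiter and picks the highest x.y.z tag rather than the first, and the `$$` in the PR's YAML (Cloud Build's escape for a literal `$`) becomes a plain `$` here. The tag strings are constructed samples, not real registry output.

```shell
#!/bin/sh
# Added example (not part of the PR): the tag-parsing step from the release
# script, factored into a function so it can be checked offline against
# constructed inputs instead of a live gcloud call.

# Pick the release version currently tagged alongside "latest".
# $1 is the raw value(tags) output for the "latest" image: a list joined by
# ',' or ';' (gcloud's value() format uses ';' for repeated fields by default).
# Prints the highest x.y.z tag found, or nothing if there is none.
previous_version() {
  printf '%s\n' "$1" \
    | tr ',;' '\n' \
    | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' \
    | sort -t. -k1,1n -k2,2n -k3,3n \
    | tail -n 1
}

# Build the archival tag the release step adds, or report why it was skipped.
# Returns 0 when a tag name was produced, 1 when no version could be detected,
# so a missed archival tag shows up in the build log instead of passing silently.
archive_tag_for() {
  prev=$(previous_version "$1")
  if [ -n "$prev" ]; then
    printf 'no-new-use-public-image-%s\n' "$prev"
    return 0
  fi
  echo "no x.y.z tag found alongside latest; skipping archive tag" >&2
  return 1
}

# Constructed sample inputs (not real registry output).
archive_tag_for 'latest;14.2.0'          # -> no-new-use-public-image-14.2.0
archive_tag_for 'latest,14.2.0,14.10.1'  # highest numeric version, not first listed
archive_tag_for 'latest' || echo "skipped (exit $?)"
```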
