Automating Distro Updates in CI

Original link: https://paretosecurity.com/blog/automating-distro-updates-in-ci/

Pareto Security automated away the monthly chore of tracking Linux distribution releases for their test infrastructure. Checking for new releases and dropped versions by hand was error-prone and usually late. They use the `endoflife.date` API as the single source of truth for distro lifecycle data; a weekly GitHub Action queries it, updates the CI matrix and opens a pull request with the proposed changes, so the changes are visible and tested before they are merged. To make sure the automation itself keeps running, they hooked it up to Dead Man's Snitch, a monitoring service that alerts them when the update job stops reporting. The result removes the manual work, keeps CI testing against supported distributions only, and frees engineering time for more valuable tasks.


Original text

For a long time, we had a recurring TODO in our calendar: once a month, check whether any Linux distro we test against got a new stable version—or dropped support for an old one.

Sounds simple. In reality, it was annoying, error-prone, and we were always late. Someone had to remember, look up release notes, update our CI matrix, and push a commit. Sometimes we missed a release for weeks, even months. Sometimes we forgot to remove an EOL version. It was busywork, not engineering.

So we automated it.

Step 1: Get the source of truth

We found endoflife.date has a neat API with lifecycle information for tons of projects, including Linux distros.

It gives you a structured JSON about supported and upcoming releases. Exactly what we needed: a single place to know what’s alive and what’s dead.

Step 2: Update CI automatically

We wrote a GitHub Action that queries this API, parses the versions, and updates our CI matrix. The action runs every week, so our testing matrix is always fresh.

You can see the code on GitHub.

Instead of telling people “remember to bump Ubuntu when a new LTS comes out,” the pipeline does it for us.

Step 3: Open a PR, not a mystery commit

Nobody likes automation silently pushing to main. We used peter-evans/create-pull-request to have the action open a PR with the changes. (Like any third-party action that runs with write access to the repository, pin it to a full commit SHA rather than a moving tag.)

That way:

  • We can see exactly which versions got added/removed.
  • Tests run as usual. (One caveat: a PR opened with the default GITHUB_TOKEN does not trigger `on: pull_request` workflows, so the action needs a PAT or GitHub App token for the checks to actually run.)
  • If something breaks, main stays intact. A human is kept in the loop and is in charge of merging the PR.

Step 4: Watchdog for the watchdog

One last problem: what if the action itself fails?

A broken script could silently stop updating distros, and we wouldn't notice until we were back to being weeks out of date. To prevent that, we hooked the action up to Dead Man's Snitch: the job checks in with the snitch on every run, and the snitch alerts when a check-in is overdue.

If the action stops reporting, we get pinged in Slack. The check-in belongs at the end of the job, so a run that fails partway, or never starts at all, counts as a missed report. So even the automation is monitored.
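As an added example (this is not Pareto Security's action, whose code is on GitHub, nor any client shipped by endoflife.date), here is the whole procedure of Steps 1 to 3 as one stand-alone Python script: pick the supported cycles from endoflife.date-shaped records, rewrite the single managed matrix line in a workflow file, and report what was added and removed for the PR body. The sample records, the workflow fragment and the `# managed-by: distro-updater` marker are constructed for this example; a real run would fetch `https://endoflife.date/api/<product>.json` instead of the inline sample. Because the API is third-party input that ends up inside CI config, the script refuses any cycle string that is not a plain dotted number, and it treats the API's three EOL encodings (a date, `false`, `true`) explicitly.

```python
"""Select supported releases from endoflife.date-style data and rewrite the
matrix line of a GitHub workflow, reporting what changed for the PR body."""
import datetime as dt
import json
import re

# Constructed sample shaped like the endoflife.date /api/ubuntu.json payload
# (cycle / releaseDate / eol / latest / lts). Dates are illustrative only;
# the last record is deliberately malformed to exercise the input check.
SAMPLE_RECORDS = json.loads("""[
  {"cycle": "25.10", "releaseDate": "2025-10-09", "eol": false, "latest": "25.10", "lts": false},
  {"cycle": "25.04", "releaseDate": "2025-04-17", "eol": "2026-01-31", "latest": "25.04", "lts": false},
  {"cycle": "24.10", "releaseDate": "2024-10-10", "eol": "2025-07-10", "latest": "24.10", "lts": false},
  {"cycle": "24.04", "releaseDate": "2024-04-25", "eol": "2029-04-25", "latest": "24.04.2", "lts": true},
  {"cycle": "22.04", "releaseDate": "2022-04-21", "eol": "2027-04-01", "latest": "22.04.5", "lts": true},
  {"cycle": "20.04", "releaseDate": "2020-04-23", "eol": "2025-04-02", "latest": "20.04.6", "lts": true},
  {"cycle": "18.04", "releaseDate": "2018-04-26", "eol": true, "latest": "18.04.6", "lts": true},
  {"cycle": "24.04 && curl evil", "releaseDate": "2024-04-25", "eol": false, "latest": "x", "lts": false}
]""")

# Constructed workflow fragment. The trailing marker (an assumption of this
# example) names the single line the updater is allowed to rewrite.
MARKER = "# managed-by: distro-updater"
SAMPLE_WORKFLOW = """\
jobs:
  test:
    strategy:
      matrix:
        ubuntu: ["24.10", "24.04", "22.04", "20.04"]  # managed-by: distro-updater
    runs-on: ubuntu-latest
"""

# The API is a third party: only plain dotted numbers may be spliced into CI
# config, so a bad or hostile record is dropped instead of written to main.
CYCLE_RE = re.compile(r"^\d+(\.\d+)*$")


def _as_date(value):
    return value if isinstance(value, dt.date) else dt.date.fromisoformat(value)


def is_supported(record, today):
    """Released on or before `today` and not yet EOL.

    endoflife.date encodes EOL as a date string, `false` (no EOL scheduled)
    or `true` (already EOL, date unknown)."""
    today = _as_date(today)
    if _as_date(record["releaseDate"]) > today:
        return False  # upcoming release: nothing to test yet
    eol = record["eol"]
    if isinstance(eol, bool):
        return not eol
    return _as_date(eol) > today


def supported_cycles(records, today, lts_only=False):
    """Validated, newest-first list of cycles CI should test against."""
    keep = [r["cycle"] for r in records
            if CYCLE_RE.match(r["cycle"])
            and (r.get("lts") or not lts_only)
            and is_supported(r, today)]
    return sorted(keep, key=lambda c: tuple(int(p) for p in c.split(".")),
                  reverse=True)


def _matrix_line(workflow, product):
    pattern = re.compile(
        r"^(?P<indent>[ \t]*)%s:[ \t]*(?P<list>\[[^\]]*\])[ \t]*%s[ \t]*$"
        % (re.escape(product), re.escape(MARKER)), re.MULTILINE)
    match = pattern.search(workflow)
    if match is None:
        raise ValueError("no managed matrix line for %r" % product)
    return match


def current_cycles(workflow, product):
    """Versions tested today; a quoted YAML flow list is also valid JSON."""
    return json.loads(_matrix_line(workflow, product).group("list"))


def update_workflow(workflow, product, cycles):
    """Workflow text with only the managed matrix line rewritten."""
    m = _matrix_line(workflow, product)
    line = "%s%s: %s  %s" % (m.group("indent"), product, json.dumps(cycles), MARKER)
    return workflow[:m.start()] + line + workflow[m.end():]


def plan_update(records, workflow, product, today, lts_only=False):
    """Return (added, removed, new_workflow): the PR body and the PR diff."""
    wanted = supported_cycles(records, today, lts_only)
    old = current_cycles(workflow, product)
    added = [c for c in wanted if c not in old]
    removed = [c for c in old if c not in wanted]
    return added, removed, update_workflow(workflow, product, wanted)


if __name__ == "__main__":
    added, removed, text = plan_update(SAMPLE_RECORDS, SAMPLE_WORKFLOW, "ubuntu", "2025-09-01")
    print("added: %s  removed: %s" % (added, removed))
    print(text)
```

In a workflow, a step would run this script against the fetched JSON and write the returned text back to the workflow file, the create-pull-request step would turn the resulting diff into the PR (with `added`/`removed` in its body), and the Dead Man's Snitch check-in would be the final step, so that any failure before it counts as a missed report. Touching only the marked line keeps the PR diff to the one thing a reviewer has to judge.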

Done!

No more monthly TODOs. No more late updates. No more “oops, we’re still testing against an unsupported Debian.”

Our CI matrix now always tracks the current stable versions, with almost zero manual work. And we get to spend our time on actual engineering instead of distro babysitting.

Automation FTW!
