feat: track upstream runner image versions and automate updates #20
Open
Description
Problem
We pin runner image versions to avoid unexpected breakage (e.g. ghcr.io/quipper/actions-runner:2.332.0), but there's no mechanism to detect when upstream releases a new version. This means we silently fall behind on security patches and runner features.
Affected images:
- Docker runner: `ghcr.io/quipper/actions-runner` (currently pinned to `2.332.0`)
- Tart VM: `ghcr.io/cirruslabs/macos-tahoe-xcode` (user-configured, typically `:latest`)
- GitHub Actions runner binary: downloaded in Tart backend (currently hardcoded `v2.333.0`)
Proposal
1. Pin all default image versions in code
- Docker runner image: already pinned in `defaultDockerRunnerImage` constant
- Tart runner binary version: already pinned in tart.go
- Document recommended Tart VM image versions
2. Automated version tracking
Options (pick one or combine):
A. GitHub Actions workflow (recommended)
- Scheduled workflow (weekly) that checks upstream registries for new tags
- Compares against pinned versions in source code
- Opens a PR or issue when a new version is available
- Can use `crane ls` or registry API to list tags
B. Dependabot / Renovate
- Configure Renovate to track container image versions in Go source files
- Renovate supports regex managers for custom version patterns
C. In-binary version check
- On startup, log a warning if a newer upstream version is available
- Non-blocking, advisory only
3. Upstream sources to track
| Image | Registry | Current | Track |
|---|---|---|---|
| quipper/actions-runner | ghcr.io | 2.332.0 | New semver tags |
| cirruslabs/macos-tahoe-xcode | ghcr.io | latest | New tags with Xcode version |
| actions/runner releases | github.com | v2.333.0 | GitHub releases |
Related
- feat: warm up runner images on startup (docker pull / tart pull) #14 (image warm-up on startup)
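A sketch of the comparison step in option A, added here as an illustration and not taken from this repository's code. It assumes the pin appears in Go source as a string literal such as `"ghcr.io/quipper/actions-runner:2.332.0"` and that the tag list was fetched separately (for example with `crane ls`); `LatestUpgrade`, `parse` and the sample inputs are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
)

// Only strict MAJOR.MINOR.PATCH tags count; "latest" and pre-releases never match.
var semverRe = regexp.MustCompile(`^v?(\d{1,6})\.(\d{1,6})\.(\d{1,6})$`)

// Assumed form of the pin in Go source: a string literal ending in :<tag>.
var pinRe = regexp.MustCompile(`"ghcr\.io/quipper/actions-runner:([^"]+)"`)

// parse maps a tag to one comparable number (each part below 10^6), or ok=false.
func parse(tag string) (key int64, ok bool) {
	m := semverRe.FindStringSubmatch(tag)
	for i := 1; m != nil && i <= 3; i++ {
		var n int64
		fmt.Sscan(m[i], &n)
		key = key*1_000_000 + n
	}
	return key, m != nil
}

// LatestUpgrade returns the highest upstream tag above the pin found in source,
// or "" when the pin is current. Comparison is numeric, so 2.332.0 > 2.99.0.
func LatestUpgrade(source string, tags []string) (string, error) {
	m := pinRe.FindStringSubmatch(source)
	if m == nil {
		return "", fmt.Errorf("no pinned image reference found")
	}
	cur, ok := parse(m[1])
	if !ok {
		return "", fmt.Errorf("pin %q is not a strict semver tag", m[1])
	}
	best := ""
	for _, t := range tags {
		if v, ok := parse(t); ok && v > cur {
			cur, best = v, t
		}
	}
	return best, nil
}

func main() {
	// Constructed sample input; a workflow would read the source file and registry tags.
	src := `const defaultDockerRunnerImage = "ghcr.io/quipper/actions-runner:2.332.0"`
	tags := []string{"latest", "2.99.0", "2.333.0-rc1", "2.333.0", "2.332.0"}
	fmt.Println(LatestUpgrade(src, tags))
}
```

A non-empty result is the signal to open the PR or issue; an error means the pin was replaced by a floating tag or moved, which is worth surfacing rather than ignoring.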