Skip to content

chore: import yq from base_images instead of curl in release artifact#74

Merged
duckhawk merged 4 commits into
mainfrom
chore/release-yq-from-base-images
May 12, 2026
Merged

chore: import yq from base_images instead of curl in release artifact#74
duckhawk merged 4 commits into
mainfrom
chore/release-yq-from-base-images

Conversation

@duckhawk
Copy link
Copy Markdown
Member

@duckhawk duckhawk commented May 8, 2026

Description

Replace the ad-hoc curl download of yq v2.4.1 from GitHub releases inside the
release-channel-version-artifact build of .werf/release.yaml with an import
of yq from the tools/yq base image. The now-unused apk add curl/chmod
steps and the empty beforeInstall block are dropped along with it.

The tools/yq base image ships yq v4, so the version.json generation
command is updated to v4 syntax accordingly:

  • before: yq n version "$TAG" | yq r - -j > version.json
  • after: yq -n '.version = "$TAG"' -o=json > version.json

No changes to the final release-channel-version image layout.

Why do we need it, and what problem does it solve?

  • Removes an external network dependency (github.com) from the release-channel
    artifact build, making it more reliable and reproducible.
  • Pins the version of yq to whatever is locked in base_images.yml, instead
    of an ancient (2017) mikefarah/yq v2.4.1 GitHub release.
  • Aligns this image build with the rest of the modules that already consume
    tools from base_images via werf import: (e.g. tools/util-linux,
    tools/xfsprogs, etc.).

What is the expected result?

  • werf build of release-channel-version-artifact no longer reaches the
    public internet to fetch yq.
  • The produced version.json is functionally identical: a JSON object with a
    single version field equal to MODULES_MODULE_TAG.
  • The final release-channel-version image content is unchanged
    (version.json, changelog.yaml, module.yaml).

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

duckhawk added 4 commits May 8, 2026 12:39
@duckhawk
chore: import yq from base_images instead of curl in release artifact
c4ff2c5 
Replace the ad-hoc curl download of yq v2.4.1 from GitHub releases
with an import of yq from the `tools/yq` base image. The base image
ships yq v4, so the version.json command is updated to v4 syntax.

This removes an external network dependency from the
release-channel-version-artifact build and aligns it with how the
rest of the modules consume tools from base_images.
@duckhawk
chore: use alt packages proxy helper in .werf/bundle.yaml
f044e57 
Replace the bare `apt-get update` step in the `docs-generator` artifact
of `.werf/bundle.yaml` with an inclusion of the `alt packages proxy`
template from `.werf/defines/packages-proxies.tmpl`.

The helper:
  - rewrites `/etc/apt/sources.list.d/alt.list` to use
    `$DistroPackagesProxy` when the variable is set;
  - exports `DEBIAN_FRONTEND=noninteractive`;
  - runs `apt-get update -y`.

This brings the bundle artifact in line with how the other werf images
in each module already configure ALT package access (see e.g.
`images/*/werf.inc.yaml`).
@duckhawk
chore: add pypi proxy helper and use it in .werf/bundle.yaml
a7ddd0c 
Backport the `pypi proxy` template from the upstream Deckhouse
.werf/defines/packages-proxies.tmpl into our copy of the file, and
use it in the docs-generator artifact of .werf/bundle.yaml right
before `pip3 install PyYAML packaging`.

When `$DistroPackagesProxy` is set, the helper writes /etc/pip.conf
pointing pip at our PyPI proxy
(http://$DistroPackagesProxy/repository/pypi-proxy/...). When the
variable is unset, the include is a no-op and pip continues to use
the default index.

Source of the template:
https://github.com/deckhouse/deckhouse/blob/main/.werf/defines/packages-proxies.tmpl
@duckhawk
chore: rewrite generate_release_notes in Go to drop python/pip depend…
df46b5a 
…ency

Replaces hack/generate_release_notes.py with a precompiled, statically
linked Go binary (sources kept under hack/ as generate_release_notes.go,
go.mod, go.sum). The binary produces byte-identical RELEASE_NOTES.md and
RELEASE_NOTES.ru.md output for the CHANGELOG/ files we ship.

.werf/bundle.yaml no longer needs to install python3/python3-module-pip
nor pip-install PyYAML+packaging, so the alt packages proxy and pypi
proxy includes are dropped from the docs-generator stage.
@duckhawk duckhawk merged commit 66a352b into main May 12, 2026
12 checks passed
@duckhawk duckhawk deleted the chore/release-yq-from-base-images branch May 12, 2026 08:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kkozoriz kkozoriz kkozoriz approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@duckhawk @kkozoriz