Fetch container image information from branch-metadata file

[richard-cox]

Summary

• switch from..
  • hardcoded container images
    • used to bring up a local docker, e2e docker and fetch rancher/ui bits during build process
    • these are different per branch. examples
      • rancher/rancher:head, stgregistry.suse.com/rancher/rancher:v2.12-head
      • https://releases.rancher.com/ui/latest2/index.html, https://releases.rancher.com/ui/release-2.12/index.html
  • releases branches updated automatically (via PR) on push
• to...
  • images fetched from branches-metadata file
  • we also handle different image registries
• this is part of a long term drive Track and align all milestone variables #15927 to have a single location containing branch and milestone related data

Occurred changes and/or fixed issues

• remove previous workflow + script to update hardcoded values
• scripts that used hardcoded values now reference branches-metadata

Areas or cases that should be tested

• i manually tweaked the three scripts to test
  • scripts/local-docker-start
  • scripts/e2e-docker-start
  • scripts/build-e2e

Checklist

• The PR is linked to an issue and the linked issue has a Milestone, or no issue is needed
• The PR has a Milestone
• The PR template has been filled out
• The PR has been self reviewed
• The PR has a reviewer assigned
• The PR has automated tests or clear instructions for manual tests and the linked issue has appropriate QA labels, or tests are not needed
• The PR has reviewed with UX and tested in light and dark mode, or there are no UX changes
• The PR has been reviewed in terms of Accessibility
• The PR has considered, and if applicable tested with, the three Global Roles Admin, Standard User and User Base

[Copilot]

Pull request overview

This PR migrates E2E/local Docker image and UI index selection from hardcoded values (and an auto-update workflow) to a single source of truth in branches-metadata.json, enabling branch-aware configuration and support for alternate registries.

Changes:

• Removed the release-branch workflow/script that auto-updated hardcoded E2E version values.
• Added a get-branch-metadata.sh helper and updated scripts to derive Rancher image + UI index URLs from branches-metadata.json.
• Switched docker:local:start from an inline docker run to a script wrapper.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
scripts/update-e2e-rancher-version.sh	Removed obsolete hardcoded-updater script.
.github/workflows/update-e2e-rancher-version.yml	Removed obsolete workflow that opened PRs to update hardcoded values.
scripts/get-branch-metadata.sh	New helper to read per-branch metadata from branches-metadata.json.
branches-metadata.json	Restructured/centralized per-branch milestone + image + URL metadata.
scripts/e2e-docker-start	Now selects Rancher image from branch metadata (registry/namespace/name/tag).
scripts/build-e2e	Now selects ember ui-index URL from branch metadata.
scripts/local-docker-start	New wrapper intended to select image from branch metadata for local starts.
package.json	docker:local:start now runs the new wrapper script.

Comments suppressed due to low confidence (6)

scripts/e2e-docker-start:24

• This script sets RANCHER_IMG_TAG from $1, but later branch-metadata parsing overwrites RANCHER_IMG_TAG, so passing an explicit tag becomes ineffective whenever branch metadata exists. Consider giving the CLI argument precedence (e.g., only read the tag from metadata when no argument is provided) or add an explicit override flag.

if [ $# -eq 1 ]; then
  RANCHER_IMG_TAG=$1
  # When an image is specified, we use that image, including its front-end, so we don't want the volume args to mount the locally-built UI
  VOLUME_ARGS=""
fi

scripts/e2e-docker-start:28

• BRANCH_DATA is derived via ./scripts/get-branch-metadata.sh, which depends on the current working directory being the repo root. Since this script already computes DIR, use a path based on DIR/$0 so it works regardless of where it’s invoked from.

# Target branch of PR
BRANCH_DATA=$(./scripts/get-branch-metadata.sh ${GITHUB_BASE_REF:-${GITHUB_REF_NAME}})

scripts/build-e2e:59

• jq -r will output the literal string null when the key is missing. As written, [[ -n "$UI_INDEX" ]] will treat null as non-empty and set EMBER_URL to null, causing curl to fail. Use // empty in the jq expression (or explicitly guard against null) before overriding the default URL.

    UI_INDEX=$(echo "$BRANCH_DATA" | jq -r '.["rancher-rancher-repo"]."ui-index"')

    if [[ -n "$UI_INDEX" ]]; then
        EMBER_URL=$UI_INDEX
    fi

scripts/build-e2e:62

• curl $EMBER_URL ... is unquoted; if EMBER_URL ever contains characters that trigger word-splitting or globbing, the command will break. Quote the variable in the curl invocation.

curl $EMBER_URL -k -o $OUTPUT_EMBER_DIR/index.html

scripts/get-branch-metadata.sh:6

• DIR=$(cd $(dirname $0)/..; pwd) is unquoted, so it will break if the repo path contains spaces (and can mis-handle unusual $0 values). Quote the expansions and prefer using ${BASH_SOURCE[0]} for robustness.

# Get the directory of the script to find the project root
DIR=$(cd $(dirname $0)/..; pwd)

scripts/e2e-docker-start:14

• RANCHER_IMG is constructed once (using the initial RANCHER_IMG_TAG=head) and is never recomputed after RANCHER_IMG_TAG is changed via $1 unless branch metadata is found. If BRANCH_DATA is empty (e.g., running on a non-listed local branch), passing an image tag argument won’t affect the image actually used. Recompute RANCHER_IMG after processing $1 (and/or after metadata application).

RANCHER_IMG_TAG=head
RANCHER_IMG_REGISTRY=
RANCHER_IMG_NAMESPACE=rancher
RANCHER_IMG_NAME=rancher
RANCHER_IMG=${RANCHER_IMG_NAMESPACE}/${RANCHER_IMG_NAME}:${RANCHER_IMG_TAG}

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (5)

scripts/get-branch-metadata.sh:22

• In the metadata download, $METADATA_JSON_URL is unquoted in the curl invocation. If the URL ever contains shell metacharacters (e.g. query params with &) this can break the command; quoting is safer and consistent with other robust shell scripts.

METADATA_JSON_URL=https://raw.gh.umua.top/rancher/dashboard/master/branches-metadata.json
METADATA_JSON=$(curl -s -f -L $METADATA_JSON_URL) || {
  echo "Error: Failed to download $METADATA_JSON_URL" >&2
  exit 1

scripts/e2e-docker-start:28

• BRANCH_DATA is fetched via ./scripts/get-branch-metadata.sh (relative to the current working directory). If this script is run from within scripts/ (e.g. cd scripts && ./e2e-docker-start), the path resolves to scripts/scripts/get-branch-metadata.sh and fails. Use a path relative to the script location (e.g. $(dirname "$0")/get-branch-metadata.sh or ${DIR}/scripts/get-branch-metadata.sh).

# Target branch of PR
BRANCH_DATA=$(./scripts/get-branch-metadata.sh ${GITHUB_BASE_REF:-${GITHUB_REF_NAME}})

scripts/local-docker-start:13

• BRANCH_DATA is fetched via ./scripts/get-branch-metadata.sh, which is relative to the current working directory. If local-docker-start is run from a different directory (or via a tool that changes CWD), this will fail. Prefer resolving the repo root from the script location (e.g. DIR=$(cd "$(dirname "$0")/.."; pwd) and then call ${DIR}/scripts/get-branch-metadata.sh).

# Target branch of PR
BRANCH_DATA=$(./scripts/get-branch-metadata.sh)

scripts/build-e2e:62

• curl $EMBER_URL ... should quote the URL variable. Unquoted URLs that ever include shell metacharacters (notably & in query strings) will be tokenized by the shell and can break the command (or background part of it). Quoting also avoids any accidental word-splitting/globbing if the metadata changes.

curl $EMBER_URL -k -o $OUTPUT_EMBER_DIR/index.html

scripts/build-e2e:62

• Using curl with the -k flag here disables TLS certificate validation, allowing an on‑path attacker to impersonate EMBER_URL and inject arbitrary HTML/JS into the e2e UI build. When that HTML is later loaded in a browser with Rancher credentials, this could be used to steal tokens or tamper with test behavior. Remove -k and rely on standard certificate validation (or configure a proper trust store for internal endpoints) instead of bypassing verification.

curl $EMBER_URL -k -o $OUTPUT_EMBER_DIR/index.html

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (4)

scripts/local-docker-start:13

• get-branch-metadata.sh is invoked via a relative path (./scripts/...). Because this script doesn’t cd to the repo root (unlike some other scripts), running it from a different working directory will fail to find ./scripts/get-branch-metadata.sh. Consider resolving the script directory (e.g., via DIR=$(cd "$(dirname "$0")"/..; pwd) and calling ${DIR}/scripts/get-branch-metadata.sh).

# Target branch of PR
BRANCH_DATA=$(./scripts/get-branch-metadata.sh)

scripts/e2e-docker-start:26

• BRANCH_DATA is populated by calling ./scripts/get-branch-metadata.sh, but this script does not ensure the current working directory is the repo root. If scripts/e2e-docker-start is executed from outside the repo root, the relative path will break even though DIR is already computed. Consider invoking get-branch-metadata.sh via an absolute path derived from DIR, and quote the branch argument to avoid word-splitting.

else
  # Get container image from branch-metadata
  BRANCH_DATA=$(./scripts/get-branch-metadata.sh ${GITHUB_BASE_REF:-${GITHUB_REF_NAME}})

scripts/build-e2e:62

• curl $EMBER_URL ... uses an unquoted URL that can come from branch metadata. If the value contains whitespace or starts with -, it can lead to argument splitting or option injection. Quote the variable and use -- before the URL so curl treats it strictly as a URL argument.

EMBER_URL=https://releases.rancher.com/ui/latest2/index.html

# Target branch of PR
BRANCH_DATA=$(./scripts/get-branch-metadata.sh ${GITHUB_BASE_REF:-${GITHUB_REF_NAME}})

if [ -n "$BRANCH_DATA" ]; then
    UI_INDEX=$(echo "$BRANCH_DATA" | jq -r '.["rancher-rancher-repo"]."ui-index" // ""')

    if [[ -n "$UI_INDEX" ]]; then
        EMBER_URL=$UI_INDEX
    fi
fi

curl $EMBER_URL -k -o $OUTPUT_EMBER_DIR/index.html

scripts/get-branch-metadata.sh:23

• get-branch-metadata.sh exits hard if it can’t download branches-metadata.json. Callers like local-docker-start and e2e-docker-start already have sensible defaults, so failing the whole script on a transient network/GitHub outage can break local dev and CI unnecessarily. Consider falling back to the in-repo branches-metadata.json when present, or returning an empty result (with a warning) so callers can continue using defaults.

# 2. find the relevant json object in `master` branches-metadata.json
METADATA_JSON_URL=https://raw.gh.umua.top/rancher/dashboard/master/branches-metadata.json
METADATA_JSON=$(curl -s -f -L $METADATA_JSON_URL) || {
  echo "Error: Failed to download $METADATA_JSON_URL" >&2
  exit 1
}

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[aalves08]

LGTM

[rak-phillip]

I think this looks good. I have one question about consistency in how the scripts are setup.

This is going to be a great improvement over what we had before 🚀

[rak-phillip]

It looks like set -e is missing from scripts/e2e-docker-start. Do we want to add that here to be consistent with scripts/get-branch-metadata.sh & scripts/local-docker-start?

[richard-cox]

in theory it should be however the file wants to handle errors. given they're all intertwined i've made them consistent, including shebang as well.

[rak-phillip]

LGTM