From 955c0d7e1fc175ab15e010cd82c4faf0a6cc7242 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
Date: Tue, 14 Oct 2025 23:08:25 +0200
Subject: [PATCH] rootless: Automatically populate TEST/STABLE version
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When building the final install.sh script - fill the latest versions
based on Github releases.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
---
 .github/workflows/ci.yml   |  9 ++++++++-
 .github/workflows/diff.yml |  4 ++++
 Makefile                   | 25 ++++++++++++++++++++++---
 rootless-install.sh        |  4 ++--
 scripts/get-version.sh     | 29 +++++++++++++++++++++++++++++
 5 files changed, 65 insertions(+), 6 deletions(-)
 create mode 100755 scripts/get-version.sh

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0a921f34..f7e43546 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,8 +19,12 @@ jobs:
     steps:
     - uses: actions/checkout@v3
     - name: Shellcheck
+      env:
+        GH_TOKEN: ${{ github.token }}
       run: make shellcheck
     - name: Check distribution
+      env:
+        GH_TOKEN: ${{ github.token }}
       run: TEST_IMAGE=${{ matrix.os }} VERSION=${{ matrix.version }} make test
 
   # This is a separate workflow step, because we need to check it outside of container (due to lsmod, iptables checks)
@@ -30,7 +34,10 @@ jobs:
     steps:
     - uses: actions/checkout@v3
     - name: Install rootless
+      env:
+        GH_TOKEN: ${{ github.token }}
       run: |
         sudo sh -c 'echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns'
-        FORCE_ROOTLESS_INSTALL=1 ./rootless-install.sh
+        make build/test/rootless-install.sh
+        FORCE_ROOTLESS_INSTALL=1 ./build/test/rootless-install.sh
     
diff --git a/.github/workflows/diff.yml b/.github/workflows/diff.yml
index a62afc0c..dab3eb8a 100644
--- a/.github/workflows/diff.yml
+++ b/.github/workflows/diff.yml
@@ -12,10 +12,14 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Diff stable
+        env:
+          GH_TOKEN: ${{ github.token }}
         run: |
             make CHANNEL=stable diff
 
       - name: Diff test
+        env:
+          GH_TOKEN: ${{ github.token }}
         run: |
             make CHANNEL=test diff
 
diff --git a/Makefile b/Makefile
index 0eb467c9..a94238e9 100644
--- a/Makefile
+++ b/Makefile
@@ -6,25 +6,44 @@ VOLUME_MOUNTS=-v "$(CURDIR)":/v
 SHELLCHECK_EXCLUSIONS=$(addprefix -e, SC1091 SC1117 SC2317 SC2329)
 SHELLCHECK=docker run --rm $(VOLUME_MOUNTS) -w /v koalaman/shellcheck:stable $(SHELLCHECK_EXCLUSIONS)
 
-ENVSUBST_VARS=LOAD_SCRIPT_COMMIT_SHA
+ENVSUBST_VARS=LOAD_SCRIPT_COMMIT_SHA LOAD_SCRIPT_STABLE_LATEST LOAD_SCRIPT_TEST_LATEST
 
 # Define the channels we want to build for
 CHANNELS=test stable
 
 FILES=build/test/install.sh build/stable/install.sh build/stable/rootless-install.sh
 
+STABLE_LATEST=$(shell ./scripts/get-version.sh stable)
+TEST_LATEST=$(shell ./scripts/get-version.sh test)
+
+# Error checking for empty version variables
+ifeq ($(STABLE_LATEST),)
+$(error STABLE_LATEST is empty)
+endif
+ifeq ($(TEST_LATEST),)
+$(error TEST_LATEST is empty)
+endif
+
 .PHONY: build
 build: $(FILES)
 
 build/%/install.sh: install.sh
 	mkdir -p $(@D)
 	sed 's/DEFAULT_CHANNEL_VALUE="stable"/DEFAULT_CHANNEL_VALUE="$*"/' $< | \
-		LOAD_SCRIPT_COMMIT_SHA='$(shell git rev-parse HEAD)' envsubst '$(addprefix $$,$(ENVSUBST_VARS))' > $@
+		LOAD_SCRIPT_COMMIT_SHA='$(shell git rev-parse HEAD)' \
+		LOAD_SCRIPT_STABLE_LATEST='$(STABLE_LATEST)' \
+		LOAD_SCRIPT_TEST_LATEST='$(TEST_LATEST)' \
+		envsubst '$(addprefix $$,$(ENVSUBST_VARS))' > $@
+	chmod +x $@
 
 build/%/rootless-install.sh: rootless-install.sh
 	mkdir -p $(@D)
 	sed 's/DEFAULT_CHANNEL_VALUE="stable"/DEFAULT_CHANNEL_VALUE="$*"/' $< | \
-		LOAD_SCRIPT_COMMIT_SHA='$(shell git rev-parse HEAD)' envsubst '$(addprefix $$,$(ENVSUBST_VARS))' > $@
+		LOAD_SCRIPT_COMMIT_SHA='$(shell git rev-parse HEAD)' \
+		LOAD_SCRIPT_STABLE_LATEST='$(STABLE_LATEST)' \
+		LOAD_SCRIPT_TEST_LATEST='$(TEST_LATEST)' \
+		envsubst '$(addprefix $$,$(ENVSUBST_VARS))' > $@
+	chmod +x $@
 
 .PHONY: shellcheck
 shellcheck: $(FILES)
diff --git a/rootless-install.sh b/rootless-install.sh
index 09bcb383..5d8728c3 100755
--- a/rootless-install.sh
+++ b/rootless-install.sh
@@ -21,10 +21,10 @@ SCRIPT_COMMIT_SHA="$LOAD_SCRIPT_COMMIT_SHA"
 # This script should be run with an unprivileged user and install/setup Docker under $HOME/bin/.
 
 # latest version available in the stable channel.
-STABLE_LATEST="28.5.2"
+STABLE_LATEST="$LOAD_SCRIPT_STABLE_LATEST"
 
 # latest version available in the test channel.
-TEST_LATEST="29.0.0-rc.2"
+TEST_LATEST="$LOAD_SCRIPT_TEST_LATEST"
 
 # The channel to install from:
 #   * test
diff --git a/scripts/get-version.sh b/scripts/get-version.sh
new file mode 100755
index 00000000..40168bfd
--- /dev/null
+++ b/scripts/get-version.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+set -e
+
+if [ $# -ne 1 ]; then
+    echo "Usage: $0 <stable|test>" >&2
+    exit 1
+fi
+
+channel="$1"
+
+last_release_tag() {
+    local field="$1"
+    gh -R moby/moby release list -O desc --json tagName,isLatest,isPrerelease \
+        -q ".[] | select(.${field}) | \
+            .tagName | \
+            sub(\"^docker-\"; \"\") | \
+            select(startswith(\"v\") == true) | \
+            sub(\"^v\"; \"\")" |
+        head -n1
+}
+
+case "$channel" in
+    stable) last_release_tag 'isLatest' ;;
+    test) last_release_tag 'isPrerelease' ;;
+    *)
+        echo "Error: Invalid channel '$channel'. Use 'stable' or 'test'." >&2
+        exit 1
+        ;;
+esac