oracle · jormundur00 · Nov 21, 2025 · Nov 19, 2025 · Nov 20, 2025 · Nov 20, 2025
diff --git a/.github/workflows/sync-docker-images.yml b/.github/workflows/sync-docker-images.yml
@@ -0,0 +1,50 @@
+name: "Sync Docker Image Tags"
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    paths:
+      - 'tests/tck-build-logic/src/main/resources/allowed-docker-images/**'
+
+permissions:
+  contents: write
+
+jobs:
+  update-images:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    steps:
+      - name: "☁️ Checkout repository"
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.head_ref }}
+          fetch-depth: 0
+
+      - name: "📝 Sync docker image tags"
+        run: |
+          set -euo pipefail
+
+          # get old FROM lines from master branch in Dockerfiles inside allowed directory
+          OLD_LINES=$(git grep '^FROM ' origin/master -- tests/tck-build-logic/src/main/resources/allowed-docker-images | sed 's/.*:FROM //')
+
+          # get new FROM lines from PR branch
+          NEW_LINES=$(git grep '^FROM ' HEAD -- tests/tck-build-logic/src/main/resources/allowed-docker-images | sed 's/.*:FROM //')
+
+          # replace all occurrences across repo
+          paste <(echo "$OLD_LINES") <(echo "$NEW_LINES") | while read OLD NEW; do
+            if [[ -n "$OLD" && -n "$NEW" && "$OLD" != "$NEW" ]]; then
+              echo "Replacing $OLD → $NEW"
+              grep -rl "$OLD" . | xargs sed -i "s|$OLD|$NEW|g" || true
+            fi
+          done
+
+          # commit and push changes
+          git config --local user.name "github-actions"
+          git config --local user.email "[email protected]"
+          git add .
+          if ! git diff --cached --quiet; then
+            git commit -m "Sync Docker image tags across repo"
+            git push origin "${GITHUB_HEAD_REF}"
+          else
+            echo "No changes to commit"
+          fi
@@ -35,3 +35,4 @@ Workflows for style and security:
 - [.github/workflows/checkstyle.yml](../.github/workflows/checkstyle.yml) / [.github/workflows/checkstyle-skip.yml](../.github/workflows/checkstyle-skip.yml): code style checks.
 - [.github/workflows/library-and-framework-list-validation.yml](../.github/workflows/library-and-framework-list-validation.yml) / [.github/workflows/library-and-framework-list-validation-skip.yml](../.github/workflows/library-and-framework-list-validation-skip.yml): validates and sorts [library-and-framework-list.json](../library-and-framework-list.json), checks schema.
 - [.github/workflows/scan-docker-images.yml](../.github/workflows/scan-docker-images.yml) / [.github/workflows/scan-docker-images-skip.yml](../.github/workflows/scan-docker-images-skip.yml): scans allowed Docker images on PR/schedule.
+- [.github/workflows/sync-docker-tags.yml](../.github/workflows/sync-docker-tags.yml): automatically synchronizes Docker image tags across the repository when Dependabot updates `allowed-docker-images`. Commits replacements directly into the Dependabot PR, making it merge-ready.