Add skip/security option to update.sh

[chorrell]

This adds a new -s option argument (and usage) to update.sh that allows you to skip updating the Yarn and Alpine versions when updating the images for a security release.

I also updated the shebang to match the other scripts and to ensure you get a newer (i.e. homebrew installed) version of bash when on a mac.

[nodejs-github-bot]

@chorrell sadly an error occured when I tried to trigger a build :(

[chorrell]

What's wrong with nodejs-github-bot ?

[SimenB]

Maybe worth updating the contributing guide?

[LaurentGoderre]

@chorrell I don't think this will work for alpine like this

[chorrell]

I made some changes to the update_node_version function update a temp Dockerfile first, then replace it with the original when done. This allowed me to get the currently used version of Alpine from the old Dockerfile which is needed when skipping the Alpine update. I think this might be generally useful since we can add logic later to show a diff of the old and new Dockerfiles when updating

[chorrell]

I'm going to do some more local testing of this over the week to ensure it can handle the various update scenarios

[LaurentGoderre]

Good call! I didn't think about the fact that the file gets overwritten right away!

[chorrell]

I think there's still some more work to do. Doing something like this resets the yarn version to 0.0.0:

 ./update.sh -s 6 alpine

[SimenB]

Rewrite in node and use https://github.com/rcjsuen/dockerfile-ast? :D

[LaurentGoderre]

Maybe for the sake of simplicity, the first step of this function would be to extract the current Node version, Yarn version and Alpine version. Then depending on the setting, update it. It might be a bit of extra processing if want to do a full update but I think the script would be more readable and simpler to understand.

What do you think?

[SimenB]

Extra processing is no issue - this is super quick anyways. The only thing taking time is the network calls figuring out latest version

[chorrell]

I pushed another change to better deal with the Yarn version

[LaurentGoderre]

@chorrell not required to land this but it might be nice to check on the flag early and if the slip flag is not defined, fetch the latest version of Yarn, then in the loop call the latest version if not skipping.

This would avoid repeated HTTP requests

[chorrell]

I'll do a rebase to cleanup the commit history.

[chorrell]

rebase done

[chorrell]

I included some improvements to the usage instructions based on everyone's feedback

[chorrell]

Oh, I noticed the Travis-CI integration has changed. Is it not using nodejs-github-bot anymore?

[chorrell]

Er, k, it's using both. What's going on? I prefer having this though :)

https://github.com/nodejs/docker-node/runs/4204119

[LaurentGoderre]

@chorrell #790 needs to be merged to fix you build. I think the shfmt image was updated.

[LaurentGoderre]

Can you rebase?

[chorrell]

done

[chorrell]

Does anyone understand why we have 3 builds? I kind of get the separated branch build, but why are there 2 PR builds? Is nodejs-github-bot redundant? Did a setting change somewhere?

[chorrell]

I don't recall adding this...

[chorrell]

I disabled since we have nodejs-github-bot will remove it entirely later once I see it's not breaking anything

[LaurentGoderre]

Build passes https://travis-ci.org/nodejs/docker-node/builds/393736009 Can I merge?

[chorrell]

sure

[nschonni]

The disabled one might be related to nodejs/build#1353