# Pinned Package Updater

Pinned Package Updater (PPU) is a tool for managing pinned packages installed with package managers in a Dockerfile manifest. The goal of this tool is to reduce the administrative burden of keeping packages up to date with upstream security releases by offering an automatic mechanism for checking for new security releases and patching the existing Dockerfile manifest with those new versions. The integration into the CI/CD pipeline is left up to the user, but can be as simple as committing the changes and opening an MR.

## Table Of Contents

1. [Usage](#usage)
2. [Building](#building)
3. [Contributing](#contributing)
4. [License](#license)

## Usage

### Standalone Usage

The default behavior for the tool is to operate in a standalone mode. In this mode the tool is responsible for parsing the Dockerfile, fetching the upstream package manager resources, identifying the upgrades available, and applying those upgrades. An alternative [distributed mode](#distributed-usage) is available that removes the upstream package resource caching and version upgrade determination logic from the local tool.

```bash
pinned-package-updater check
pinned-package-updater update
```

### Distributed Usage

In distributed mode the tool relies on an external deployment of PPU running in ***serve*** mode (`pinned-package-updater serve`) to cache the upstream package manager resources and handle the upgrade check logic. In this mode much of the work can be cached between requests, and the overhead of checking for pinned version updates is significantly reduced. The tool running in this mode will revert to standalone mode if the upstream service is unavailable.

```bash
pinned-package-updater --remote check
pinned-package-updater --remote update
```

## Building

To build `pinned-package-updater`, run `go build`.

## Contributing

I am not currently accepting outside contributions.

## License

Copyright © 2021 Drew Short

```
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
```

A copy of the license can also be viewed at [LICENSE](LICENSE).
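The parse, compare and patch flow described under Standalone Usage can be sketched as follows. This is an added example, not PPU's own code: it assumes apt-style `name=version` pins (the README does not name the package managers PPU supports), and `ApplyUpgrades`, `sampleDockerfile` and `sampleLatest` are hypothetical names with constructed values standing in for the upstream lookup.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// pinRe matches apt-style "name=version" tokens (assumed pin syntax).
var pinRe = regexp.MustCompile(`\b([a-z0-9][a-z0-9+.-]*)=([0-9][A-Za-z0-9.+:~-]*)`)

// Constructed sample input; package versions are illustrative only.
const sampleDockerfile = `FROM debian:bullseye-slim
ARG curl=1
RUN apt-get update && apt-get install -y --no-install-recommends \
    curl=7.74.0-1.3+deb11u1 \
    openssl=1.1.1k-1+deb11u1 \
    && rm -rf /var/lib/apt/lists/*`

// sampleLatest stands in for the upstream package index (constructed).
var sampleLatest = map[string]string{"curl": "7.74.0-1.3+deb11u2", "openssl": "1.1.1k-1+deb11u1"}

// ApplyUpgrades patches pins on apt-get install lines (and their backslash
// continuations) only, and reports each version change it made.
func ApplyUpgrades(dockerfile string, latest map[string]string) (string, []string) {
	var changes []string
	lines := strings.Split(dockerfile, "\n")
	inInstall := false
	for i, line := range lines {
		inInstall = inInstall || strings.Contains(line, "apt-get install")
		if inInstall {
			lines[i] = pinRe.ReplaceAllStringFunc(line, func(tok string) string {
				m := pinRe.FindStringSubmatch(tok)
				if v, ok := latest[m[1]]; ok && v != m[2] {
					changes = append(changes, fmt.Sprintf("%s %s -> %s", m[1], m[2], v))
					return m[1] + "=" + v
				}
				return tok // unknown package or already current
			})
		}
		// A line without a trailing backslash ends the instruction.
		if !strings.HasSuffix(strings.TrimSpace(line), `\`) {
			inInstall = false
		}
	}
	return strings.Join(lines, "\n"), changes
}

func main() {
	fmt.Println(ApplyUpgrades(sampleDockerfile, sampleLatest))
}
```

Restricting rewrites to install instructions keeps `ARG` and `ENV` assignments that happen to look like pins untouched, and the returned change list is what a CI job would put in the commit message or MR description.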