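---
# Check for Cargo dependencies updates, and automatically open a Pull Request
# if updates are found.
#
# Triggered weekly by cron, or manually (workflow_dispatch) with an optional
# tmate debug session that only starts on failure. Runs on a self-hosted
# runner; nothing here runs on pull_request events, so no fork-supplied
# input reaches the shell steps below.
name: "bump.yml"
on:
  workflow_dispatch:
    inputs:
      debug_enabled:
        type: "boolean"
        description: "Run with tmate enabled"
        required: false
        default: false
  schedule:
    # Check for updates at 3:18 am every Monday
    # (Avoid midnight so we don't contribute to load spikes)
    - cron: "18 3 * * 1"
concurrency:
  group: "${{ github.workflow }}:${{ github.ref }}"
  cancel-in-progress: true
permissions:
  contents: "write"
  packages: "read"
  # NOTE(review): id-token:write is only needed for OIDC federation;
  # presumably consumed by the nix-shell/cachix action — verify, and drop
  # it if nothing in the job requests an OIDC token.
  id-token: "write"
  pull-requests: "write"
jobs:
  cargo-upgrades:
    runs-on: "lab"
    env:
      USER: "runner"
    steps:
      # Use a GitHub App token so that the generated PR can trigger CI
      # (PRs opened with the default GITHUB_TOKEN do not trigger workflows).
      - name: "Generate GitHub App token"
        id: "app-token"
        uses: "actions/create-github-app-token@v3"
        with:
          app-id: "${{ secrets.DP_APP_ID }}"
          private-key: "${{ secrets.DP_PRIVATE_KEY }}"
      - name: "Checkout"
        uses: "actions/checkout@v6"
      - uses: "./.github/actions/nix-shell"
        with:
          cachix_signing_key: "${{ secrets.CACHIX_SIGNING_KEY }}"
          cachix_auth_token: "${{ secrets.CACHIX_AUTH_TOKEN }}"
      - name: "nix pin updates"
        run: |
          set -euo pipefail;
          git config user.name "github-actions[bot]"
          git config user.email "<224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>"
          bash scripts/bump.sh
          # Only tracked files are considered (diff --quiet / add -u): a new
          # untracked file produced by bump.sh is deliberately not committed.
          if ! git diff --quiet; then
            git add -u
            git commit -sm "bump: pins"
          fi
      - name: "check-dependencies (pre)"
        # Confirm that upstream licenses have not changed in some way that prevents us from using them.
        # We want to do this both before and after we run cargo upgrade to make it easier to decide if
        # the problem existed before the upgrade ran, or if the license issue was introduced by the
        # upgrade itself.
        # Similar logic applies to security vulnerabilities but even more so since those, almost by definition, were
        # not detected at release time by the upstream project.
        # We run our "pre" check with `continue-on-error` set to true because it is equally possible that the upgrade
        # _resolves_ the license / security issue we have had / would have had without the upgrade.
        run: |
          set -euo pipefail;
          just check-dependencies
        continue-on-error: true
      - name: "cargo upgrade"
        # Quoted like every other step id in this file (consistency).
        id: "upgrade"
        run: |
          set -euo pipefail;
          git config user.name "github-actions[bot]"
          git config user.email "<224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>"
          BASE="$(git rev-parse HEAD)"
          # Run "cargo update"
          echo "::notice::Running cargo update"
          cargo update
          if ! git diff --quiet; then
            echo "Found changes after cargo update, creating commit"
            git add Cargo.lock
            git commit -sm "bump(cargo)!: bump dependencies (cargo update)"
          fi
          # Check updates available with "cargo upgrade",
          # then bump each package individually through separate commits
          echo "::notice::Looking for dependencies to upgrade"
          cargo upgrade --incompatible=allow --dry-run | tee upgrade_output.txt
          # Keep only the first column (package name) of the dry-run table:
          # drop the "====" separator lines and the column-header line.
          sed "/^====/d; /^name .*old req .*new req/d; s/ .*//" upgrade_output.txt > list_packages.txt
          nb_upgrades=$(wc -l < list_packages.txt)
          echo "Found the following ${nb_upgrades} upgrade(s) available:"
          cat list_packages.txt
          echo "::notice::Upgrading packages that need an upgrade (if any), one by one"
          while read -r package; do
            echo "bump(cargo)!: bump $package (cargo upgrade)" | tee commit_msg.txt
            tee -a commit_msg.txt <<<""
            # The loop's stdin is list_packages.txt; hand the child /dev/null so
            # it cannot consume the remaining package names.
            cargo upgrade --incompatible=allow --package "$package" </dev/null | tee -a commit_msg.txt
            # NOTE(review): manifest list is hard-coded; a workspace member not
            # listed here would presumably leave its upgrade uncommitted — verify
            # whenever a member crate is added.
            git add Cargo.lock Cargo.toml cli/Cargo.toml
            git commit -sF commit_msg.txt
          done < list_packages.txt
          # If we did not create any commits, we do not need to create a PR message
          if [[ "$(git rev-parse HEAD)" = "${BASE}" ]]; then
            rm -f -- upgrade_output.txt list_packages.txt commit_msg.txt
            exit 0
          fi
          echo "::notice::We created the following commits:"
          git log --reverse -p "${BASE}"..
          # Create Pull Request description
          echo "### :rocket: Upgrades available" | tee upgrade.log
          if [[ "${nb_upgrades}" -ge 1 ]]; then
            echo "" | tee -a upgrade.log
            echo "\`\`\`" | tee -a upgrade.log
            tee -a upgrade.log < upgrade_output.txt
            echo "\`\`\`" | tee -a upgrade.log
          fi
          tee -a upgrade.log <<<""
          tee -a upgrade.log <<<":warning: This Pull Request was automatically generated and should be carefully reviewed before acceptance. It may introduce **breaking changes**."
          cat upgrade.log > "${GITHUB_STEP_SUMMARY}"
          # upgrade.log contains tool output (registry-supplied crate names and
          # versions). A fixed "EOF" terminator would let any line equal to it
          # end the multi-line value early and inject further GITHUB_OUTPUT
          # entries, so use a per-run delimiter as GitHub recommends.
          delim="upgrade_$(date +%s)_${RANDOM}${RANDOM}"
          {
            echo "upgrade<<${delim}";
            cat upgrade.log;
            echo "${delim}";
          } >> "${GITHUB_OUTPUT}"
          rm -f -- upgrade.log upgrade_output.txt list_packages.txt commit_msg.txt
      - name: "check-dependencies (post)"
        # Same check as "pre", but this one is fatal: a license or advisory
        # problem present after the upgrade blocks the PR.
        run: |
          set -euo pipefail;
          just check-dependencies
      - name: "Create Pull Request"
        uses: "peter-evans/create-pull-request@v8"
        with:
          token: "${{ steps.app-token.outputs.token }}"
          branch: "bump/cargo-upgrades"
          title: "bump(cargo)!: :rocket: upgrades available"
          labels: |
            automated
            dependencies
          signoff: "true"
          sign-commits: "true"
          # The step output is interpolated into an action input, not into a
          # `run:` shell script, so it is not a command-injection surface.
          body: |
            ${{ steps.upgrade.outputs.upgrade }}
      - name: "Setup tmate session for debug"
        # Only on failure, only for manual runs that asked for it, and the
        # session is restricted to the actor who dispatched the workflow.
        if: ${{ failure() && github.event_name == 'workflow_dispatch' && inputs.debug_enabled }}
        uses: "mxschmitt/action-tmate@v3"
        timeout-minutes: 60
        with:
          limit-access-to-actor: true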