documentation/.github/workflows/auto_updates.yml at main · phylum-dev/documentation · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
# Workflow for updating Javascript dependencies with npm.
# Major version updates are handled separately, by Dependabot.
---
name: Update Deps

on:
  workflow_dispatch:
  # Run every Monday at 0235 UTC
  schedule:
    - cron: '35 2 * * 1'

jobs:
  workflow-auto-updates:
    name: Update dependencies
    runs-on: ubuntu-latest
    env:
      UPDATE_BRANCH_NAME: workflow-auto-updates
    steps:
      - name: Checkout the repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      # This GPG key is for the `phylum-bot` account and used in order to ensure commits are signed/verified
      - name: Import GPG key for bot account
        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
        with:
          gpg_private_key: ${{ secrets.PHYLUM_BOT_GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PHYLUM_BOT_GPG_PASSPHRASE }}
          git_user_signingkey: true
          git_commit_gpgsign: true

      - name: Update Docusaurus Javascript dependencies
        working-directory: ./site
        run: npm update --save

      - name: Commit changes
        id: commit
        # There may not be any updates to commit/push
        continue-on-error: true
        # NOTE: The git user name and email used for commits is already configured,
        #       by the crazy-max/ghaction-import-gpg action.
        run: |
          git commit -a -m "build: bump static site Javascript dependencies"
          git push --force origin HEAD:${{ env.UPDATE_BRANCH_NAME }}

      - name: Create Pull Request
        id: pr
        if: ${{ steps.commit.outcome == 'success' }}
        # The PR may already exist (e.g., created in previous week and not merged yet) so we
        # allow it here and check in the next step so workflow failures will be extraordinary
        continue-on-error: true
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          github-token: ${{ secrets.GH_RELEASE_PAT }}
          script: |
            const response = await github.rest.pulls.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              head: "${{ env.UPDATE_BRANCH_NAME }}",
              base: context.ref,
              title: "build: bump static site Javascript dependencies",
              body: "Bump dependencies in `site/package-lock.json` for all SemVer-compatible updates.",
            });
            console.log(response);

      - name: Verify PR exists
        if: ${{ steps.pr.outcome == 'failure' }}
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh pr view ${{ env.UPDATE_BRANCH_NAME }}