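# Daily data refresh: one matrix job per track, each committing its own
# tracks/<track> directory to main. Runs on a schedule and on manual dispatch.
name: daily-update
# `on` is a GitHub Actions key here, not a YAML 1.1 boolean
# (yamllint would flag it under rule:truthy; GitHub's loader handles it).
on:
  schedule:
    - cron: '0 6 * * *'
  workflow_dispatch:

# Scope of the default GITHUB_TOKEN. The push step below uses BOT_TOKEN, so
# this grant is only reachable by the "Run pipeline" step.
# NOTE(review): that step runs repo/third-party code -- confirm it actually
# needs contents: write; if it only reads, narrow this to contents: read.
permissions:
  contents: write

jobs:
  update:
    strategy:
      # Tracks are independent: let the others finish if one fails.
      fail-fast: false
      matrix:
        track: [iam, security, whats-new, releases]
    runs-on: ubuntu-latest
    # Bound the job so a hung pipeline or the push retry loop below does not
    # run until the platform default (6 h). NOTE(review): 60 min is a guess
    # based on a daily data refresh -- adjust to the tracks' real run time.
    timeout-minutes: 60
    concurrency:
      # Serialize runs per track so two refreshes never race on one directory.
      group: update-${{ matrix.track }}
      cancel-in-progress: false
    steps:
      # NOTE(review): third-party actions are pinned by tag; pinning to a full
      # commit SHA (`uses: actions/checkout@<commit-sha>  # v6`) guards against
      # a moved tag changing what runs with this workflow's secrets.
      - uses: actions/checkout@v6
        with:
          # Pin to main so a workflow_dispatch from a feature branch can't
          # publish data based on non-main code (the commit still lands on main).
          ref: main
          # Don't persist any token in .git/config: the pipeline step below runs
          # repo/third-party code, and the admin PAT must not be readable by it.
          # The PAT is applied inline only in the commit/push step.
          persist-credentials: false
      - uses: actions/setup-python@v6
        with:
          python-version: '3.12'
          cache: pip
          cache-dependency-path: requirements.txt
      - run: pip install -r requirements.txt
      - name: Run pipeline
        env:
          # Default token only; BOT_TOKEN is deliberately not exposed here.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # matrix.track comes from the static list above, so interpolating it
        # into the command is not an expression-injection risk.
        run: make -C tracks/${{ matrix.track }} update
      - name: Commit and push
        env:
          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
        # Stages only this track's directory, exits cleanly when nothing
        # changed, then pulls/pushes with up to five retries to ride out
        # races with the other tracks pushing to main at the same time.
        run: |
          git config user.name 'github-actions[bot]'
          git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
          git add tracks/${{ matrix.track }}
          if git diff --staged --quiet; then
            echo "No changes."
            exit 0
          fi
          git commit -m "chore(${{ matrix.track }}): daily update $(date -u +%Y-%m-%d)"
          # Inline auth (never written to .git/config) with an admin PAT that the
          # `main` ruleset bypasses; a PAT push also lets deploy-pages fire, which
          # GITHUB_TOKEN pushes can't (workflow-recursion guard).
          remote="https://x-access-token:${BOT_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
          for i in 1 2 3 4 5; do
            if git pull --rebase "$remote" main && git push "$remote" HEAD:main; then
              exit 0
            fi
            sleep $((i * 5))
          done
          exit 1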