-
Notifications
You must be signed in to change notification settings - Fork 2
476 lines (441 loc) · 18 KB
/
weekly-update.yml
File metadata and controls
476 lines (441 loc) · 18 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
name: 🔄 Weekly Update
# Reusable weekly-update workflow for socket-* repos.
#
# Each consumer repo's `.github/workflows/weekly-update.yml` becomes a thin
# delegator that invokes this workflow. The actual update logic lives in the
# consumer repo's `/updating` skill, which this workflow calls via Claude Code.
#
# The `/updating` skill is the umbrella — it reads repo state (presence of
# `xport.json`, `.gitmodules`) and delegates to `updating-xport` /
# `updating-upstream` / `updating-workflows` as applicable.
#
# Dependencies:
# - SocketDev/socket-registry/.github/actions/setup-and-install
# - SocketDev/socket-registry/.github/actions/setup-git-signing
# - SocketDev/socket-registry/.github/actions/cleanup-git-signing
on:
workflow_call:
inputs:
branch-prefix:
description: 'Branch name prefix for the PR branch (date suffix added automatically)'
required: false
type: string
default: 'weekly-update'
check-timeout-minutes:
description: 'Timeout for the check-updates job'
required: false
type: number
default: 10
checkout-fetch-depth:
description: 'Fetch depth for checkout (0 = full history; recommended for submodule drift analysis)'
required: false
type: string
default: '0'
checkout-submodules:
description: 'Submodule init mode: "false" (no submodules), "true" (top-level only), or "recursive"'
required: false
type: string
default: 'false'
fix-model:
description: 'Claude model for the fix-test-failures step (escalation after haiku update)'
required: false
type: string
default: 'sonnet'
fix-timeout-minutes:
description: 'Timeout for the fix-test-failures step'
required: false
type: number
default: 15
pr-base:
description: 'Base branch for the PR'
required: false
type: string
default: 'main'
pr-body-extra:
description: 'Optional markdown appended to the PR body (e.g., cross-linked PR references for cascade tracking)'
required: false
type: string
default: ''
pr-title-prefix:
description: 'PR title prefix (date suffix added automatically: "... (YYYY-MM-DD)")'
required: false
type: string
default: 'chore(deps): weekly dependency update'
test-setup-script:
description: 'Command to run before tests (e.g., "pnpm run build")'
required: false
type: string
default: 'pnpm run build'
test-script:
description: 'Test command'
required: false
type: string
default: 'pnpm test'
test-timeout-minutes:
description: 'Timeout for the test step'
required: false
type: number
default: 15
update-model:
description: 'Claude model for the update step'
required: false
type: string
default: 'haiku'
update-timeout-minutes:
description: 'Timeout for the update step'
required: false
type: number
default: 10
updating-skill:
description: 'Skill to invoke for the update. Defaults to the /updating umbrella.'
required: false
type: string
default: 'updating'
validate-file-patterns:
description: 'Shell case-glob patterns (pipe-separated) of file paths allowed to change during the update. Default covers npm + submodules + xport manifest; add source patterns for repos that auto-fix source.'
required: false
type: string
default: 'package.json|*/package.json|pnpm-lock.yaml|*/pnpm-lock.yaml|.npmrc|pnpm-workspace.yaml|.gitmodules|xport.json'
secrets:
ANTHROPIC_API_KEY:
description: 'Anthropic API key for Claude Code invocations'
required: true
BOT_GPG_PRIVATE_KEY:
description: 'GPG private key for signing commits'
required: true
SOCKET_API_KEY:
description: 'Socket API key — sfw-enterprise instead of sfw-free when provided'
required: false
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: false
jobs:
check-updates:
name: Check for updates
runs-on: ubuntu-latest
permissions:
contents: read
timeout-minutes: ${{ inputs.check-timeout-minutes }}
outputs:
has-updates: ${{ steps.check.outputs.has-updates }}
steps:
- uses: SocketDev/socket-registry/.github/actions/setup-and-install@e8e253975a55a519be7e4b520d83a33f52c0b1a4 # main
with:
socket-api-key: ${{ secrets.SOCKET_API_TOKEN }}
- name: Check for actionable updates
id: check
shell: bash
run: |
HAS_UPDATES=false
# npm outdated check
if pnpm outdated 2>/dev/null | grep -qv "No outdated"; then
HAS_UPDATES=true
fi
# xport drift check (exit code 2 = drift; 0 = clean; 1 = schema error)
if [ -f xport.json ]; then
set +e
pnpm run xport --json > /tmp/xport-report.json 2>&1
XPORT_EXIT=$?
set -e
if [ "$XPORT_EXIT" = "2" ]; then
HAS_UPDATES=true
fi
fi
# Plain submodule check (for repos without xport)
if [ -f .gitmodules ] && [ ! -f xport.json ]; then
# Any submodule with upstream commits past its current pin?
while IFS= read -r SM; do
(cd "$SM" && git fetch origin --tags --quiet 2>/dev/null || true)
BEHIND=$(cd "$SM" && git rev-list --count HEAD..origin/HEAD 2>/dev/null || echo 0)
if [ "$BEHIND" -gt 0 ]; then
HAS_UPDATES=true
break
fi
done < <(git config --file .gitmodules --get-regexp path | awk '{print $2}')
fi
echo "has-updates=$HAS_UPDATES" >> $GITHUB_OUTPUT
apply-updates:
name: Apply updates via /updating skill
needs: check-updates
if: needs.check-updates.outputs.has-updates == 'true'
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps:
- uses: SocketDev/socket-registry/.github/actions/setup-and-install@e8e253975a55a519be7e4b520d83a33f52c0b1a4 # main
with:
checkout-fetch-depth: ${{ inputs.checkout-fetch-depth }}
socket-api-key: ${{ secrets.SOCKET_API_TOKEN }}
- name: Initialize submodules
if: inputs.checkout-submodules != 'false'
shell: bash
env:
SUBMODULES: ${{ inputs.checkout-submodules }}
run: |
if [ "$SUBMODULES" = "recursive" ]; then
git submodule update --init --recursive
else
git submodule update --init
fi
- name: Create update branch
id: branch
env:
GH_TOKEN: ${{ github.token }}
REPO: ${{ github.repository }}
BRANCH_PREFIX: ${{ inputs.branch-prefix }}
run: |
BRANCH_NAME="${BRANCH_PREFIX}-$(date +%Y%m%d)"
git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git"
git checkout -b "$BRANCH_NAME"
echo "branch=$BRANCH_NAME" >> $GITHUB_OUTPUT
- uses: SocketDev/socket-registry/.github/actions/setup-git-signing@e8e253975a55a519be7e4b520d83a33f52c0b1a4 # main
with:
gpg-private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
- name: Run /updating skill
id: update
timeout-minutes: ${{ inputs.update-timeout-minutes }}
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
GITHUB_ACTIONS: 'true'
UPDATE_MODEL: ${{ inputs.update-model }}
UPDATING_SKILL: ${{ inputs.updating-skill }}
run: |
if [ -z "$ANTHROPIC_API_KEY" ]; then
echo "ANTHROPIC_API_KEY not set — aborting"
echo "success=false" >> $GITHUB_OUTPUT
exit 1
fi
set +e
# Lockdown — see .claude/skills/programmatic-claude-lockdown/SKILL.md.
# Four-flag pattern from https://code.claude.com/docs/en/agent-sdk/permissions:
# tools (base set) + allowedTools (auto-approve) + disallowedTools
# (deny-first) + permission-mode dontAsk (deny unmatched).
DISALLOW_BASE='Agent Task NotebookEdit WebFetch WebSearch Bash(curl:*) Bash(wget:*) Bash(rm -rf*) Bash(sudo:*)'
DISALLOW_PKG_EXEC='Bash(npx:*) Bash(pnpm dlx:*) Bash(yarn dlx:*)' # zizmor: documentation-prohibition
claude --print \
--tools "Bash" "Read" "Write" "Edit" "Glob" "Grep" \
--allowedTools "Bash(pnpm:*)" "Bash(git:*)" "Bash(jq:*)" "Read" "Write" "Edit" "Glob" "Grep" \
--disallowedTools $DISALLOW_BASE $DISALLOW_PKG_EXEC \
--permission-mode dontAsk \
--model "$UPDATE_MODEL" \
--max-turns 25 \
"/$UPDATING_SKILL — Run the $UPDATING_SKILL skill to update everything applicable to this repo (npm, xport, submodules, workflow pins). CI mode: skip builds/tests. Create atomic commits. Do NOT push or create a PR; this workflow handles that." \
2>&1 | tee claude-update.log
CLAUDE_EXIT=${PIPESTATUS[0]}
set -e
if [ "$CLAUDE_EXIT" -eq 0 ]; then
echo "success=true" >> $GITHUB_OUTPUT
else
echo "success=false" >> $GITHUB_OUTPUT
fi
- name: Run tests
id: tests
if: steps.update.outputs.success == 'true'
timeout-minutes: ${{ inputs.test-timeout-minutes }}
env:
TEST_SETUP_SCRIPT: ${{ inputs.test-setup-script }}
TEST_SCRIPT: ${{ inputs.test-script }}
run: |
set +e
if [ -n "$TEST_SETUP_SCRIPT" ]; then
bash -c "$TEST_SETUP_SCRIPT" 2>&1 | tee build-output.log
BUILD_EXIT=${PIPESTATUS[0]}
else
BUILD_EXIT=0
: > build-output.log
fi
bash -c "$TEST_SCRIPT" 2>&1 | tee test-output.log
TEST_EXIT=${PIPESTATUS[0]}
set -e
if [ "$BUILD_EXIT" -eq 0 ] && [ "$TEST_EXIT" -eq 0 ]; then
echo "success=true" >> $GITHUB_OUTPUT
else
echo "success=false" >> $GITHUB_OUTPUT
{
echo "BUILD_LOG<<GHEOF"
tail -100 build-output.log
echo "GHEOF"
echo "TEST_LOG<<GHEOF"
tail -100 test-output.log
echo "GHEOF"
} >> $GITHUB_OUTPUT
fi
- name: Fix test failures
id: fix
if: steps.update.outputs.success == 'true' && steps.tests.outputs.success == 'false'
timeout-minutes: ${{ inputs.fix-timeout-minutes }}
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
GITHUB_ACTIONS: 'true'
FIX_MODEL: ${{ inputs.fix-model }}
BUILD_LOG: ${{ steps.tests.outputs.BUILD_LOG }}
TEST_LOG: ${{ steps.tests.outputs.TEST_LOG }}
run: |
set +e
# Lockdown — same shape as the /updating step above.
# See .claude/skills/programmatic-claude-lockdown/SKILL.md.
DISALLOW_BASE='Agent Task NotebookEdit WebFetch WebSearch Bash(curl:*) Bash(wget:*) Bash(rm -rf*) Bash(sudo:*)'
DISALLOW_PKG_EXEC='Bash(npx:*) Bash(pnpm dlx:*) Bash(yarn dlx:*)' # zizmor: documentation-prohibition
claude --print \
--tools "Bash" "Read" "Write" "Edit" "Glob" "Grep" \
--allowedTools "Bash(pnpm:*)" "Bash(git:*)" "Read" "Write" "Edit" "Glob" "Grep" \
--disallowedTools $DISALLOW_BASE $DISALLOW_PKG_EXEC \
--permission-mode dontAsk \
--model "$FIX_MODEL" \
--max-turns 25 \
"Dependency updates were applied but tests are failing. Fix the failures and commit fixes atomically. Do NOT push or create a PR.
Build output (last 100 lines):
$BUILD_LOG
Test output (last 100 lines):
$TEST_LOG" \
2>&1 | tee claude-fix.log
FIX_EXIT=${PIPESTATUS[0]}
set -e
if [ "$FIX_EXIT" -eq 0 ]; then
echo "success=true" >> $GITHUB_OUTPUT
else
echo "success=false" >> $GITHUB_OUTPUT
fi
- name: Set final status
id: final
if: always()
env:
UPDATE_SUCCESS: ${{ steps.update.outputs.success }}
TESTS_SUCCESS: ${{ steps.tests.outputs.success }}
FIX_SUCCESS: ${{ steps.fix.outputs.success }}
run: |
if [ "$UPDATE_SUCCESS" != "true" ]; then
echo "success=false" >> $GITHUB_OUTPUT
echo "reason=update-failed" >> $GITHUB_OUTPUT
elif [ "$TESTS_SUCCESS" = "true" ]; then
echo "success=true" >> $GITHUB_OUTPUT
echo "reason=tests-passed" >> $GITHUB_OUTPUT
elif [ "$FIX_SUCCESS" = "true" ]; then
echo "success=true" >> $GITHUB_OUTPUT
echo "reason=fixes-applied" >> $GITHUB_OUTPUT
else
echo "success=false" >> $GITHUB_OUTPUT
echo "reason=fixes-failed" >> $GITHUB_OUTPUT
fi
- name: Validate changes
id: validate
if: steps.final.outputs.success == 'true'
env:
VALIDATE_PATTERNS: ${{ inputs.validate-file-patterns }}
PR_BASE: ${{ inputs.pr-base }}
run: |
UNEXPECTED=""
# Build a case-glob test from pipe-separated patterns
PATTERNS=$(echo "$VALIDATE_PATTERNS" | tr '|' ' ')
for file in $(git diff --name-only "origin/${PR_BASE}..HEAD"); do
MATCH=false
for pat in $PATTERNS; do
case "$file" in
$pat) MATCH=true; break ;;
esac
done
[ "$MATCH" = "false" ] && UNEXPECTED="$UNEXPECTED $file"
done
if [ -n "$UNEXPECTED" ]; then
echo "::warning::Non-allowlisted files modified:$UNEXPECTED"
fi
echo "valid=true" >> $GITHUB_OUTPUT
- name: Check for changes
id: changes
env:
PR_BASE: ${{ inputs.pr-base }}
run: |
if [ "$(git rev-list --count HEAD "^origin/${PR_BASE}")" -gt 0 ]; then
echo "has-changes=true" >> $GITHUB_OUTPUT
else
echo "has-changes=false" >> $GITHUB_OUTPUT
fi
- name: Push branch
if: steps.final.outputs.success == 'true' && steps.validate.outputs.valid == 'true' && steps.changes.outputs.has-changes == 'true'
env:
BRANCH_NAME: ${{ steps.branch.outputs.branch }}
run: git push origin "$BRANCH_NAME"
- name: Create pull request
if: steps.final.outputs.success == 'true' && steps.validate.outputs.valid == 'true' && steps.changes.outputs.has-changes == 'true'
env:
GH_TOKEN: ${{ github.token }}
BRANCH_NAME: ${{ steps.branch.outputs.branch }}
PR_TITLE_PREFIX: ${{ inputs.pr-title-prefix }}
PR_BASE: ${{ inputs.pr-base }}
PR_BODY_EXTRA: ${{ inputs.pr-body-extra }}
run: |
COMMITS=$(git log --oneline origin/${PR_BASE}..HEAD)
COMMIT_COUNT=$(git rev-list --count origin/${PR_BASE}..HEAD)
PR_BODY="## Weekly Update"$'\n\n'
PR_BODY+="Automated weekly update — runs the \`/updating\` skill umbrella (npm + xport + submodules + workflow pins)."$'\n\n'
if [ -n "$PR_BODY_EXTRA" ]; then
PR_BODY+="$PR_BODY_EXTRA"$'\n\n'
fi
PR_BODY+="---"$'\n\n'
PR_BODY+="### Commits (${COMMIT_COUNT})"$'\n\n'
PR_BODY+="<details><summary>View commit history</summary>"$'\n\n'
PR_BODY+="\`\`\`"$'\n'
PR_BODY+="${COMMITS}"$'\n'
PR_BODY+="\`\`\`"$'\n\n'
PR_BODY+="</details>"$'\n\n'
PR_BODY+="---"$'\n\n'
PR_BODY+="<sub>Generated by SocketDev/socket-registry weekly-update.yml reusable workflow.</sub>"
gh pr create \
--title "${PR_TITLE_PREFIX} ($(date +%Y-%m-%d))" \
--body "$PR_BODY" \
--draft \
--head "$BRANCH_NAME" \
--base "$PR_BASE"
- name: Add job summary
if: always()
env:
BRANCH_NAME: ${{ steps.branch.outputs.branch }}
FINAL_REASON: ${{ steps.final.outputs.reason }}
HAS_CHANGES: ${{ steps.changes.outputs.has-changes }}
PR_BASE: ${{ inputs.pr-base }}
run: |
echo "## Weekly Update" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
if [ "$HAS_CHANGES" = "true" ]; then
COMMIT_COUNT=$(git rev-list --count "origin/${PR_BASE}..HEAD" 2>/dev/null || echo 0)
echo "**Branch:** \`${BRANCH_NAME}\`" >> $GITHUB_STEP_SUMMARY
echo "**Commits:** ${COMMIT_COUNT}" >> $GITHUB_STEP_SUMMARY
echo "**Status:** ${FINAL_REASON}" >> $GITHUB_STEP_SUMMARY
else
echo "No changes to apply." >> $GITHUB_STEP_SUMMARY
fi
- name: Upload Claude logs
if: always()
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: claude-weekly-update-${{ github.run_id }}
path: |
claude-update.log
claude-fix.log
build-output.log
test-output.log
retention-days: 7
if-no-files-found: ignore
- uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@e8e253975a55a519be7e4b520d83a33f52c0b1a4 # main
if: always()
notify:
name: Notify
needs: [check-updates, apply-updates]
if: always()
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Report
env:
HAS_UPDATES: ${{ needs.check-updates.outputs.has-updates }}
APPLY_RESULT: ${{ needs.apply-updates.result }}
run: |
if [ "$HAS_UPDATES" = "true" ]; then
echo "Weekly update workflow completed (apply-updates: $APPLY_RESULT)"
else
echo "No updates available — all dependencies up to date."
fi