add upgrade gcp bom workflow #38711
Open: derrickaw wants to merge 10 commits into master from 20260527_createBOMWorkflow
+170 −6
Commits (10, all by derrickaw):
2cb5880  initial draft bom workflow
d2a56a5  add temp fix
8ff89af  Document new GCP BOM upgrade workflow in README
30a8343  Fix YAML indentation for push branches trigger
2d9e874  remove tmp push
d2cdedf  Rename workflow to Upgrade GCP Libraries BOM
e490f90  fix gemini comments
f0a34c0  move script logic into bomupgrader.py
2c80735  update workflow logic to only run within 6 days of a release cut
8aa8c56  Merge branch 'master' into 20260527_createBOMWorkflow

Changes from all commits:
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,94 @@ | ||
| # Licensed to the Apache Software Foundation (ASF) under one or more | ||
| # contributor license agreements. See the NOTICE file distributed with | ||
| # this work for additional information regarding copyright ownership. | ||
| # The ASF licenses this file to You under the Apache License, Version 2.0 | ||
| # (the "License"); you may not use this file except in compliance with | ||
| # the License. You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
||
| name: Upgrade GCP Libraries BOM | ||
|
|
||
| on: | ||
| schedule: | ||
| - cron: "0 0 * * 0" # Weekly on Sundays at 00:00 UTC | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
| checks: read | ||
| issues: read | ||
| statuses: read | ||
|
|
||
| concurrency: | ||
| group: '${{ github.workflow }} @ ${{ github.ref }}' | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| upgrade_gcp_bom: | ||
| runs-on: [self-hosted, ubuntu-24.04, main] | ||
| name: Upgrade GCP BOM | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v6 | ||
| - name: Setup environment | ||
| uses: ./.github/actions/setup-environment-action | ||
| with: | ||
| python-version: 3.11 | ||
| java-version: default | ||
| go-version: default | ||
| - name: Check if new BOM is available | ||
| id: check_bom | ||
| run: python3 scripts/tools/bomupgrader.py --check | ||
| - name: Run bomupgrader | ||
| if: steps.check_bom.outputs.should_upgrade == 'true' | ||
| run: python3 scripts/tools/bomupgrader.py ${{ steps.check_bom.outputs.latest_version }} | ||
| - name: Install gh cli | ||
| if: steps.check_bom.outputs.should_upgrade == 'true' | ||
| uses: ./.github/actions/setup-gh-cli-linux | ||
| - name: Set git config | ||
| if: steps.check_bom.outputs.should_upgrade == 'true' | ||
| run: | | ||
| git config user.name $GITHUB_ACTOR | ||
| git config user.email actions@"$RUNNER_NAME".local | ||
| - name: Commit Changes and create PR | ||
| if: steps.check_bom.outputs.should_upgrade == 'true' | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| GH_EVENT: ${{ github.event_name }} | ||
| LATEST_VER: ${{ steps.check_bom.outputs.latest_version }} | ||
| CURRENT_VER: ${{ steps.check_bom.outputs.current_version }} | ||
| run: | | ||
| # Take the current date, subtract from a release cut date in the past (June 24, 2026), | ||
| # then get the num days % 42 (our release cadence is 42 days). | ||
| # This will ensure it only runs the week after a release branch has been cut. | ||
| days_diff=$(( ($(date +%s) - $(date --date="260624" +%s) )/(60*60*24)%42 )) | ||
| if [[ $GH_EVENT != 'workflow_dispatch' && $days_diff -gt 6 ]]; then | ||
| echo "Exiting early. We only update dependencies the week after we cut the release" | ||
| exit 0 | ||
| fi | ||
| branchName=upgrade_gcp_bom_${LATEST_VER//./_} | ||
| git checkout -b $branchName | ||
| git add -A | ||
| git diff-index --quiet HEAD || gitdiff=$? || echo $? | ||
| if [[ $gitDiff != 0 ]]; then | ||
| echo "Changes are ready to commit" | ||
| git commit -m "Upgrade GCP Libraries BOM to ${LATEST_VER}" --quiet | ||
| git push origin $branchName --quiet | ||
|
|
||
| PR_BODY="This PR was created by automation. It upgrades the Google Cloud Platform Libraries BOM from **${CURRENT_VER}** to **${LATEST_VER}** and updates Netty, gRPC, Arrow, Gax, Protobuf, and OpenTelemetry versions to match. | ||
|
|
||
| Please review the changes and merge if all tests pass." | ||
|
|
||
| GITHUB_PR_URL=$(gh pr create --title "Upgrade GCP Libraries BOM to ${LATEST_VER}" --body "$PR_BODY" --label "dependencies" --base master) | ||
| echo "Link of the new PR: $GITHUB_PR_URL" | ||
| else | ||
| echo "No changes on the files" | ||
| fi | ||
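Review bot: the change-detection branch in the last step can never take its `else` path, because the status of `git diff-index --quiet HEAD || gitdiff=$? || echo $?` is stored in `gitdiff` but tested as `$gitDiff`, which is never set, so `[[ $gitDiff != 0 ]]` is always true and `git commit` runs (and, with nothing staged, fails the step) when bomupgrader changed nothing; replace both lines with a direct test such as `if ! git diff-index --quiet HEAD; then`. The release-window gate sits in that same step, after `bomupgrader.py` has already run and `gh` has been installed on the runner, so moving the `days_diff` check into `check_bom` (or a first step that sets an output the later steps test) would skip that work rather than only the PR creation. Note too that shell `%` keeps the sign of the dividend: until the anchor in `date --date="260624"` (which GNU date reads as 2026-06-24) has passed, `days_diff` is zero or negative, `-gt 6` never fires, and every Sunday run creates a PR; an ISO form such as `2026-06-24` would also be clearer than the six-digit string. On the supply-chain side, `actions/checkout@v6` is a mutable tag pulled into a job that holds `contents: write` and `pull-requests: write` on a self-hosted runner; pin it to a commit SHA, and confirm whether `checks: read`, `issues: read` and `statuses: read` are needed, since nothing in the visible steps reads them. Finally, the push and `gh pr create` authenticate with `secrets.GITHUB_TOKEN`, and events created with that token do not start other workflows, so the "merge if all tests pass" line in the PR body assumes CI on the new PR is triggered some other way.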
Today we only update this right after releases - https://github.com/apache/beam/blob/master/contributor-docs/release-guide.md#update-the-java-bom - this is somewhat intentional since BOM upgrades tend to be:
I think we probably want to keep this behavior.
We could probably do something like what we do for Python dependencies - https://github.com/apache/beam/blob/master/contributor-docs/release-guide.md#update-python-dependencies
At that point, we'd need to:
beam/.github/workflows/update_python_dependencies.yml, line 87 in 63bcd3d
I knew about the timing, but if I understand the flow of things, some package versions that have vulnerabilities are dependent on this BOM being updated. So the main drivers for this workflow are consistently having a weekly upgrade to minimize vulnerabilities, having a process in place so that we don't forget to do the upgrade, and having a workflow if we wanted to at any given point in time just run it and have a new PR ready to go without having to do anything locally.
I will go in the direction you suggest below, but I think in the future we should consider completing this upgrade more often.
Ok, updated. Thanks.
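The timing rule discussed in this thread (scheduled upgrades act only in the week after a release cut; manual runs always act), as an added example that is not code from the Beam repository or from this PR. The 42-day cadence and 6-day window are taken from the workflow above; the anchor value 1782259200 (2026-06-24 00:00 UTC) is computed here rather than read from the page; and taking epoch seconds as arguments instead of calling `date` is an assumption made so the decision can be checked on fixed inputs, including a date earlier than the anchor, which is the case the modulo arithmetic in the workflow does not handle.

```shell
# Added example (not Beam's code): gate an automated dependency upgrade so
# that scheduled runs act only in the week after a release cut.

SECONDS_PER_DAY=86400

# days_into_cycle NOW_EPOCH ANCHOR_EPOCH CADENCE_DAYS
# Prints how many whole days have passed since the most recent release cut,
# normalized to 0..CADENCE_DAYS-1. Shell '%' keeps the sign of the dividend,
# so a NOW earlier than ANCHOR would otherwise give a negative (and therefore
# always "in window") value; the extra "+ cadence" handles that case.
days_into_cycle() {
  local now=$1 anchor=$2 cadence=$3 days
  days=$(( (now - anchor) / SECONDS_PER_DAY ))
  echo $(( ((days % cadence) + cadence) % cadence ))
}

# in_upgrade_window EVENT NOW_EPOCH ANCHOR_EPOCH CADENCE_DAYS WINDOW_DAYS
# Exit status 0 means "run the upgrade": always for a manual workflow_dispatch,
# otherwise only when the run falls within WINDOW_DAYS after a release cut.
in_upgrade_window() {
  local event=$1 now=$2 anchor=$3 cadence=$4 window=$5 d
  if [ "$event" = "workflow_dispatch" ]; then
    return 0
  fi
  d=$(days_into_cycle "$now" "$anchor" "$cadence")
  [ "$d" -le "$window" ]
}

# Stand-alone demo on constructed timestamps (not real run data).
# demo_anchor is 2026-06-24 00:00 UTC expressed in epoch seconds (assumption).
demo_anchor=1782259200
for offset_days in 3 6 7 45 -10; do
  now=$(( demo_anchor + offset_days * SECONDS_PER_DAY ))
  cycle_day=$(days_into_cycle "$now" "$demo_anchor" 42)
  if in_upgrade_window schedule "$now" "$demo_anchor" 42 6; then
    echo "offset ${offset_days}d: day ${cycle_day} of cycle, run"
  else
    echo "offset ${offset_days}d: day ${cycle_day} of cycle, skip"
  fi
done
```

In a workflow this would run as the first step after checkout, writing `should_run=true|false` to `$GITHUB_OUTPUT` so that the upgrader, the `gh` install and the PR creation are all conditioned on it instead of only the final step.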