Update lockfiles #5
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Update lockfiles | |
| # Generates one committed, checksummed lockfile per test-matrix cell so that CI | |
| # installs are fully pinned (supply-chain hardening). Run manually to create the | |
| # initial lockfiles, and on a schedule to refresh them deliberately. | |
| # | |
| # Each gen-<gem> job derives its cells from that gem's test-matrix.json — the | |
| # single source of truth, shared with the *_test.yml workflows. `options`/RUBYOPT | |
| # don't affect dependency resolution, so they're stripped and cells deduped here | |
| # (one lockfile per cell). | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| # Weekly: refresh pins so we keep getting security patches. | |
| - cron: "0 4 * * 1" | |
| permissions: | |
| contents: write | |
| jobs: | |
| matrix: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| sentry_ruby: ${{ steps.set.outputs.sentry_ruby }} | |
| sentry_rails: ${{ steps.set.outputs.sentry_rails }} | |
| sentry_sidekiq: ${{ steps.set.outputs.sentry_sidekiq }} | |
| sentry_resque: ${{ steps.set.outputs.sentry_resque }} | |
| sentry_delayed_job: ${{ steps.set.outputs.sentry_delayed_job }} | |
| sentry_opentelemetry: ${{ steps.set.outputs.sentry_opentelemetry }} | |
| sentry_yabeda: ${{ steps.set.outputs.sentry_yabeda }} | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| # Strip rubyopt (irrelevant to resolution) and dedup, so each cell maps to | |
| # exactly one lockfile artifact (no name collisions on the rubyopt twins). | |
| - id: set | |
| run: | | |
| for gem in sentry-ruby sentry-rails sentry-sidekiq sentry-resque sentry-delayed_job sentry-opentelemetry sentry-yabeda; do | |
| cells=$(jq -c 'map(del(.options)) | unique' "$gem/test-matrix.json") | |
| echo "${gem//-/_}=$cells" >> "$GITHUB_OUTPUT" | |
| done | |
| gen-sentry-ruby: | |
| needs: matrix | |
| name: lock sentry-ruby ${{ matrix.ruby_version }} / rack ${{ matrix.rack_version }} / redis ${{ matrix.redis_rb_version }} | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| defaults: | |
| run: | |
| working-directory: sentry-ruby | |
| env: | |
| BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-ruby/gemfiles/ruby-${{ matrix.ruby_version }}_rack-${{ matrix.rack_version }}_redis-${{ matrix.redis_rb_version }}.gemfile | |
| RACK_VERSION: ${{ matrix.rack_version }} | |
| REDIS_RB_VERSION: ${{ matrix.redis_rb_version }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: ${{ fromJson(needs.matrix.outputs.sentry_ruby) }} | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| # Wrapper keys the lock to this cell (<cell>.gemfile -> <cell>.gemfile.lock). | |
| # Must exist before setup-ruby, which errors if BUNDLE_GEMFILE points at a missing file. | |
| - name: Write wrapper gemfile | |
| run: | | |
| mkdir -p gemfiles | |
| echo 'eval_gemfile "../Gemfile"' > "$BUNDLE_GEMFILE" | |
| - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1 | |
| with: | |
| ruby-version: ${{ matrix.ruby_version }} | |
| bundler: latest | |
| bundler-cache: false | |
| - name: Resolve lockfile | |
| run: | | |
| bundle lock --update | |
| # Checksums need Bundler >= 2.5 (Ruby >= 3.0); older Rubies get version pinning only. | |
| bundle lock --add-checksums || echo "::warning::--add-checksums unsupported on $(bundle --version); version pinning only for ${{ matrix.ruby_version }}" | |
| - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4 | |
| with: | |
| name: lock-sentry-ruby-${{ matrix.ruby_version }}-${{ matrix.rack_version }}-${{ matrix.redis_rb_version }} | |
| # Leading wildcard keeps the repo-relative path (sentry-ruby/gemfiles/...) | |
| # inside the artifact. Only the lock is committed; the wrapper .gemfile is | |
| # regenerated on the fly wherever it's needed. | |
| path: "*/gemfiles/ruby-${{ matrix.ruby_version }}_rack-${{ matrix.rack_version }}_redis-${{ matrix.redis_rb_version }}.gemfile.lock" | |
| if-no-files-found: error | |
| gen-sentry-rails: | |
| needs: matrix | |
| name: lock sentry-rails ${{ matrix.ruby_version }} / rails ${{ matrix.rails_version }} | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| defaults: | |
| run: | |
| working-directory: sentry-rails | |
| env: | |
| BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-rails/gemfiles/ruby-${{ matrix.ruby_version }}_rails-${{ matrix.rails_version }}.gemfile | |
| RAILS_VERSION: ${{ matrix.rails_version }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: ${{ fromJson(needs.matrix.outputs.sentry_rails) }} | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| # Wrapper keys the lock to this cell (<cell>.gemfile -> <cell>.gemfile.lock). | |
| # Must exist before setup-ruby, which errors if BUNDLE_GEMFILE points at a missing file. | |
| - name: Write wrapper gemfile | |
| run: | | |
| mkdir -p gemfiles | |
| echo 'eval_gemfile "../Gemfile"' > "$BUNDLE_GEMFILE" | |
| - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1 | |
| with: | |
| ruby-version: ${{ matrix.ruby_version }} | |
| bundler: latest | |
| bundler-cache: false | |
| - name: Resolve lockfile | |
| run: | | |
| bundle lock --update | |
| bundle lock --add-checksums || echo "::warning::--add-checksums unsupported on $(bundle --version); version pinning only for ${{ matrix.ruby_version }}" | |
| - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4 | |
| with: | |
| name: lock-sentry-rails-${{ matrix.ruby_version }}-${{ matrix.rails_version }} | |
| path: "*/gemfiles/ruby-${{ matrix.ruby_version }}_rails-${{ matrix.rails_version }}.gemfile.lock" | |
| if-no-files-found: error | |
| gen-sentry-sidekiq: | |
| needs: matrix | |
| name: lock sentry-sidekiq ${{ matrix.ruby_version }} / sidekiq ${{ matrix.sidekiq_version }} | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| defaults: | |
| run: | |
| working-directory: sentry-sidekiq | |
| env: | |
| BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-sidekiq/gemfiles/ruby-${{ matrix.ruby_version }}_sidekiq-${{ matrix.sidekiq_version }}.gemfile | |
| SIDEKIQ_VERSION: ${{ matrix.sidekiq_version }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: ${{ fromJson(needs.matrix.outputs.sentry_sidekiq) }} | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| # Wrapper keys the lock to this cell (<cell>.gemfile -> <cell>.gemfile.lock). | |
| # Must exist before setup-ruby, which errors if BUNDLE_GEMFILE points at a missing file. | |
| - name: Write wrapper gemfile | |
| run: | | |
| mkdir -p gemfiles | |
| echo 'eval_gemfile "../Gemfile"' > "$BUNDLE_GEMFILE" | |
| - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1 | |
| with: | |
| ruby-version: ${{ matrix.ruby_version }} | |
| bundler: latest | |
| bundler-cache: false | |
| - name: Resolve lockfile | |
| run: | | |
| bundle lock --update | |
| bundle lock --add-checksums || echo "::warning::--add-checksums unsupported on $(bundle --version); version pinning only for ${{ matrix.ruby_version }}" | |
| - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4 | |
| with: | |
| name: lock-sentry-sidekiq-${{ matrix.ruby_version }}-${{ matrix.sidekiq_version }} | |
| path: "*/gemfiles/ruby-${{ matrix.ruby_version }}_sidekiq-${{ matrix.sidekiq_version }}.gemfile.lock" | |
| if-no-files-found: error | |
| gen-sentry-resque: | |
| needs: matrix | |
| name: lock sentry-resque ${{ matrix.ruby_version }} | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| defaults: | |
| run: | |
| working-directory: sentry-resque | |
| env: | |
| BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-resque/gemfiles/ruby-${{ matrix.ruby_version }}.gemfile | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: ${{ fromJson(needs.matrix.outputs.sentry_resque) }} | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| # Wrapper keys the lock to this cell (<cell>.gemfile -> <cell>.gemfile.lock). | |
| # Must exist before setup-ruby, which errors if BUNDLE_GEMFILE points at a missing file. | |
| - name: Write wrapper gemfile | |
| run: | | |
| mkdir -p gemfiles | |
| echo 'eval_gemfile "../Gemfile"' > "$BUNDLE_GEMFILE" | |
| - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1 | |
| with: | |
| ruby-version: ${{ matrix.ruby_version }} | |
| bundler: latest | |
| bundler-cache: false | |
| - name: Resolve lockfile | |
| run: | | |
| bundle lock --update | |
| bundle lock --add-checksums || echo "::warning::--add-checksums unsupported on $(bundle --version); version pinning only for ${{ matrix.ruby_version }}" | |
| - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4 | |
| with: | |
| name: lock-sentry-resque-${{ matrix.ruby_version }} | |
| path: "*/gemfiles/ruby-${{ matrix.ruby_version }}.gemfile.lock" | |
| if-no-files-found: error | |
| gen-sentry-delayed_job: | |
| needs: matrix | |
| name: lock sentry-delayed_job ${{ matrix.ruby_version }} | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| defaults: | |
| run: | |
| working-directory: sentry-delayed_job | |
| env: | |
| BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-delayed_job/gemfiles/ruby-${{ matrix.ruby_version }}.gemfile | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: ${{ fromJson(needs.matrix.outputs.sentry_delayed_job) }} | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| # Wrapper keys the lock to this cell (<cell>.gemfile -> <cell>.gemfile.lock). | |
| # Must exist before setup-ruby, which errors if BUNDLE_GEMFILE points at a missing file. | |
| - name: Write wrapper gemfile | |
| run: | | |
| mkdir -p gemfiles | |
| echo 'eval_gemfile "../Gemfile"' > "$BUNDLE_GEMFILE" | |
| - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1 | |
| with: | |
| ruby-version: ${{ matrix.ruby_version }} | |
| bundler: latest | |
| bundler-cache: false | |
| - name: Resolve lockfile | |
| run: | | |
| bundle lock --update | |
| bundle lock --add-checksums || echo "::warning::--add-checksums unsupported on $(bundle --version); version pinning only for ${{ matrix.ruby_version }}" | |
| - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4 | |
| with: | |
| name: lock-sentry-delayed_job-${{ matrix.ruby_version }} | |
| path: "*/gemfiles/ruby-${{ matrix.ruby_version }}.gemfile.lock" | |
| if-no-files-found: error | |
| gen-sentry-opentelemetry: | |
| needs: matrix | |
| name: lock sentry-opentelemetry ${{ matrix.ruby_version }} | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| defaults: | |
| run: | |
| working-directory: sentry-opentelemetry | |
| env: | |
| BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-opentelemetry/gemfiles/ruby-${{ matrix.ruby_version }}.gemfile | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: ${{ fromJson(needs.matrix.outputs.sentry_opentelemetry) }} | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| # Wrapper keys the lock to this cell (<cell>.gemfile -> <cell>.gemfile.lock). | |
| # Must exist before setup-ruby, which errors if BUNDLE_GEMFILE points at a missing file. | |
| - name: Write wrapper gemfile | |
| run: | | |
| mkdir -p gemfiles | |
| echo 'eval_gemfile "../Gemfile"' > "$BUNDLE_GEMFILE" | |
| - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1 | |
| with: | |
| ruby-version: ${{ matrix.ruby_version }} | |
| bundler: latest | |
| bundler-cache: false | |
| - name: Resolve lockfile | |
| run: | | |
| bundle lock --update | |
| bundle lock --add-checksums || echo "::warning::--add-checksums unsupported on $(bundle --version); version pinning only for ${{ matrix.ruby_version }}" | |
| - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4 | |
| with: | |
| name: lock-sentry-opentelemetry-${{ matrix.ruby_version }} | |
| path: "*/gemfiles/ruby-${{ matrix.ruby_version }}.gemfile.lock" | |
| if-no-files-found: error | |
| gen-sentry-yabeda: | |
| needs: matrix | |
| name: lock sentry-yabeda ${{ matrix.ruby_version }} | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| defaults: | |
| run: | |
| working-directory: sentry-yabeda | |
| env: | |
| BUNDLE_GEMFILE: ${{ github.workspace }}/sentry-yabeda/gemfiles/ruby-${{ matrix.ruby_version }}.gemfile | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: ${{ fromJson(needs.matrix.outputs.sentry_yabeda) }} | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| # Wrapper keys the lock to this cell (<cell>.gemfile -> <cell>.gemfile.lock). | |
| # Must exist before setup-ruby, which errors if BUNDLE_GEMFILE points at a missing file. | |
| - name: Write wrapper gemfile | |
| run: | | |
| mkdir -p gemfiles | |
| echo 'eval_gemfile "../Gemfile"' > "$BUNDLE_GEMFILE" | |
| - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1 | |
| with: | |
| ruby-version: ${{ matrix.ruby_version }} | |
| bundler: latest | |
| bundler-cache: false | |
| - name: Resolve lockfile | |
| run: | | |
| bundle lock --update | |
| bundle lock --add-checksums || echo "::warning::--add-checksums unsupported on $(bundle --version); version pinning only for ${{ matrix.ruby_version }}" | |
| - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4 | |
| with: | |
| name: lock-sentry-yabeda-${{ matrix.ruby_version }} | |
| path: "*/gemfiles/ruby-${{ matrix.ruby_version }}.gemfile.lock" | |
| if-no-files-found: error | |
| commit: | |
| needs: | |
| - gen-sentry-ruby | |
| - gen-sentry-rails | |
| - gen-sentry-sidekiq | |
| - gen-sentry-resque | |
| - gen-sentry-delayed_job | |
| - gen-sentry-opentelemetry | |
| - gen-sentry-yabeda | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| # Each artifact carries its repo-relative path, so merging them straight into | |
| # the workspace lands every pair back at <gem>/gemfiles/ — no routing. | |
| - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 | |
| with: | |
| merge-multiple: true | |
| - name: Configure git | |
| run: | | |
| git config user.name 'github-actions[bot]' | |
| git config user.email '41898282+github-actions[bot]@users.noreply.github.com' | |
| - name: Create branch | |
| id: create-branch | |
| run: | | |
| # Stage first, then diff the index against HEAD. `git diff` alone only | |
| # sees tracked files, so newly generated (untracked) pairs — i.e. the | |
| # bootstrap run and any filled-in missing cell — would otherwise look | |
| # like "no change" and never get pushed. | |
| git add '**/gemfiles/*.gemfile.lock' | |
| if git diff --cached --quiet; then | |
| echo "No lockfile changes; nothing to do." | |
| echo "changed=false" >> "$GITHUB_OUTPUT" | |
| exit 0 | |
| fi | |
| COMMIT_TITLE="ci: 🤖 Update pinned CI lockfiles" | |
| BRANCH_NAME="lockfiles/update-$(date +%m-%d)" | |
| git checkout -B "$BRANCH_NAME" | |
| git commit -m "$COMMIT_TITLE" | |
| git push origin "$BRANCH_NAME" --force | |
| echo "changed=true" >> "$GITHUB_OUTPUT" | |
| echo "branch_name=$BRANCH_NAME" >> "$GITHUB_OUTPUT" | |
| echo "commit_title=$COMMIT_TITLE" >> "$GITHUB_OUTPUT" | |
| - name: Create pull request | |
| if: steps.create-branch.outputs.changed == 'true' | |
| uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 | |
| env: | |
| BRANCH_NAME: ${{ steps.create-branch.outputs.branch_name }} | |
| COMMIT_TITLE: ${{ steps.create-branch.outputs.commit_title }} | |
| with: | |
| script: | | |
| const branchName = process.env.BRANCH_NAME; | |
| const commitTitle = process.env.COMMIT_TITLE; | |
| const prBody = `Automated regeneration of the per-matrix lockfiles used to pin CI dependencies (supply-chain hardening). | |
| #skip-changelog | |
| ## Action required | |
| - If CI passes on this PR, it's safe to approve and merge: the refreshed pins resolve and the suite is green. | |
| - If CI fails, a dependency update broke something — investigate before merging. | |
| _🤖 This PR was automatically created by [.github/workflows/update_lockfiles.yml](https://github.com/getsentry/sentry-ruby/blob/master/.github/workflows/update_lockfiles.yml)._`.replace(/^ {12}/gm, ''); | |
| // Close stale lockfile PRs — they're now obsolete. | |
| const existingPRs = await github.paginate(github.rest.pulls.list, { | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| state: 'open', | |
| }); | |
| for (const pr of existingPRs) { | |
| if (pr.head.ref.startsWith('lockfiles/')) { | |
| await github.rest.pulls.update({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| pull_number: pr.number, | |
| state: 'closed', | |
| }); | |
| } | |
| } | |
| await github.rest.pulls.create({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| title: commitTitle, | |
| head: branchName, | |
| base: 'master', | |
| body: prBody, | |
| }); |