bump.yml #415
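# Check for Cargo dependencies updates, and automatically open a Pull Request
# if updates are found.
#
# Trust boundary: this workflow runs only on a schedule or a manual dispatch
# (no pull_request / issue triggers), so it never executes on untrusted PR
# input. The external input it does consume is whatever `cargo update` /
# `cargo upgrade` resolve from the registry; the two "check-dependencies"
# gates below are the place where that input is vetted before a PR is opened.
name: "bump.yml"
on:
  workflow_dispatch:
    inputs:
      debug_enabled:
        type: "boolean"
        description: "Run with tmate enabled"
        required: false
        default: false
  schedule:
    # Check for updates at 3:18 am every Monday
    # (Avoid midnight so we don't contribute to load spikes)
    - cron: "18 3 * * 1"
concurrency:
  group: "${{ github.workflow }}:${{ github.ref }}"
  cancel-in-progress: true
jobs:
  cargo-upgrades:
    runs-on: "lab"
    # GITHUB_TOKEN scopes are declared on the (single) job rather than on the
    # workflow, so any job added later starts from the read-only default instead
    # of silently inheriting write scopes.
    # NOTE(review): the PR branch is pushed with the App token generated in the
    # first step, so "contents: write" and "id-token: write" on GITHUB_TOKEN are
    # only needed if ./.github/actions/nix-shell or scripts/bump.sh rely on them
    # (nothing visible in this file mints an OIDC token) — confirm and drop
    # whichever is unused.
    permissions:
      contents: "write"
      packages: "read"
      id-token: "write"
      pull-requests: "write"
    env:
      USER: "runner"
    steps:
      # Use a GitHub App token so that the generated PR can trigger CI
      # (a PR pushed with GITHUB_TOKEN would not).
      # Third-party actions below are pinned to major tags (@v3, @v6, @v8);
      # pinning each to a full commit SHA is the usual supply-chain hardening
      # to apply to this file.
      - name: "Generate GitHub App token"
        id: "app-token"
        uses: "actions/create-github-app-token@v3"
        with:
          app-id: "${{ secrets.DP_APP_ID }}"
          private-key: "${{ secrets.DP_PRIVATE_KEY }}"
      - name: "Checkout"
        uses: "actions/checkout@v6"
        # NOTE(review): the token persisted in .git/config by default is not
        # needed for the push (create-pull-request uses the App token); set
        # `persist-credentials: false` unless scripts/bump.sh or the nix-shell
        # action need it on this self-hosted runner.
      - uses: "./.github/actions/nix-shell"
        with:
          cachix_signing_key: "${{ secrets.CACHIX_SIGNING_KEY }}"
          cachix_auth_token: "${{ secrets.CACHIX_AUTH_TOKEN }}"
      - name: "nix pin updates"
        run: |
          set -euo pipefail
          # Remember the commit we started from so the "cargo upgrade" step can
          # tell whether *anything* was committed (nix pins or cargo), not only
          # its own commits; otherwise a pins-only run opens a PR with no body.
          echo "BUMP_BASE=$(git rev-parse HEAD)" >> "${GITHUB_ENV}"
          # NOTE(review): user.name says github-actions[bot] while the address
          # belongs to hedgehog-dataplane-update[bot], and the address is wrapped
          # in literal <...>; the PR step re-creates the commits with
          # sign-commits, so confirm which identity actually lands.
          git config user.name "github-actions[bot]"
          git config user.email "<224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>"
          bash scripts/bump.sh
          if ! git diff --quiet; then
            git add -u
            git commit -sm "bump: pins"
          fi
      - name: "check-dependencies (pre)"
        # Confirm that upstream licenses have not changed in some way that prevents us from using them.
        # We want to do this both before and after we run cargo upgrade to make it easier to decide if
        # the problem existed before the upgrade ran, or if the license issue was introduced by the
        # upgrade itself.
        # Similar logic applies to security vulnerabilities but even more so since those, almost by definition, were
        # not detected at release time by the upstream project.
        # We run our "pre" check with `continue-on-error` set to true because it is equally possible that the upgrade
        # _resolves_ the license / security issue we have had / would have had without the upgrade.
        run: |
          set -euo pipefail
          just check-dependencies
        continue-on-error: true
      - name: "cargo upgrade"
        id: upgrade
        # Produces the step output "upgrade" (the PR body) only when at least one
        # commit was created since BUMP_BASE.
        run: |
          set -euo pipefail
          git config user.name "github-actions[bot]"
          git config user.email "<224724778+hedgehog-dataplane-update[bot]@users.noreply.github.com>"
          # Base is the pre-"nix pin updates" commit when that step recorded it,
          # falling back to HEAD so the step still works when run on its own.
          BASE="${BUMP_BASE:-$(git rev-parse HEAD)}"
          # Run "cargo update"
          echo "::notice::Running cargo update"
          cargo update
          if ! git diff --quiet; then
            echo "Found changes after cargo update, creating commit"
            git add Cargo.lock
            git commit -sm "bump(cargo)!: bump dependencies (cargo update)"
          fi
          # Check updates available with "cargo upgrade",
          # then bump each package individually through separate commits
          echo "::notice::Looking for dependencies to upgrade"
          cargo upgrade --incompatible=allow --dry-run | tee upgrade_output.txt
          # Keep only the first column (crate name) of the dry-run table,
          # dropping the separator and header lines.
          sed "/^====/d; /^name .*old req .*new req/d; s/ .*//" upgrade_output.txt > list_packages.txt
          nb_upgrades=$(wc -l < list_packages.txt)
          echo "Found the following ${nb_upgrades} upgrade(s) available:"
          cat list_packages.txt
          echo "::notice::Upgrading packages that need an upgrade (if any), one by one"
          # $package is always passed quoted, so a crate name never reaches the
          # shell unquoted; the commit message body is the tool's own output.
          while read -r package; do
            echo "bump(cargo)!: bump $package (cargo upgrade)" | tee commit_msg.txt
            tee -a commit_msg.txt <<<""
            cargo upgrade --incompatible=allow --package "$package" | tee -a commit_msg.txt
            # NOTE(review): only these manifests are staged; a new workspace
            # member's Cargo.toml would have to be added here.
            git add Cargo.lock Cargo.toml cli/Cargo.toml
            git commit -sF commit_msg.txt
          done < list_packages.txt
          # If we did not create any commits, we do not need to create a PR message
          if [[ "$(git rev-parse HEAD)" = "${BASE}" ]]; then
            rm -f -- upgrade_output.txt list_packages.txt commit_msg.txt
            exit 0
          fi
          echo "::notice::We created the following commits:"
          git log --reverse -p "${BASE}"..
          # Create Pull Request description
          echo "### :rocket: Upgrades available" | tee upgrade.log
          if [[ "${nb_upgrades}" -ge 1 ]]; then
            echo "" | tee -a upgrade.log
            echo "\`\`\`" | tee -a upgrade.log
            tee -a upgrade.log < upgrade_output.txt
            echo "\`\`\`" | tee -a upgrade.log
          fi
          tee -a upgrade.log <<<""
          tee -a upgrade.log <<<":warning: This Pull Request was automatically generated and should be carefully reviewed before acceptance. It may introduce **breaking changes**."
          cat upgrade.log > "${GITHUB_STEP_SUMMARY}"
          # Multi-line step output: use a per-run delimiter so a literal "EOF"
          # line inside the tool output cannot terminate the heredoc early and
          # turn the remainder into additional outputs.
          delim="upgrade_${RANDOM}${RANDOM}${RANDOM}"
          {
            echo "upgrade<<${delim}"
            cat upgrade.log
            echo "${delim}"
          } >> "${GITHUB_OUTPUT}"
          rm -f -- upgrade.log upgrade_output.txt list_packages.txt commit_msg.txt
      - name: "check-dependencies (post)"
        # The post-upgrade gate is *not* continue-on-error: a license or
        # advisory failure here blocks the PR from being opened.
        run: |
          set -euo pipefail
          just check-dependencies
      - name: "Create Pull Request"
        uses: "peter-evans/create-pull-request@v8"
        with:
          token: "${{ steps.app-token.outputs.token }}"
          branch: "bump/cargo-upgrades"
          title: "bump(cargo)!: :rocket: upgrades available"
          labels: |
            automated
            dependencies
          signoff: "true"
          sign-commits: "true"
          # The body is passed as an action input, not through a shell, so the
          # tool output embedded in it is not an injection vector here.
          body: |
            ${{ steps.upgrade.outputs.upgrade }}
      # Interactive debug shell: only on a manual run that asked for it, only
      # after a failure, and only reachable by the user who dispatched the run.
      - name: "Setup tmate session for debug"
        if: ${{ failure() && github.event_name == 'workflow_dispatch' && inputs.debug_enabled }}
        uses: "mxschmitt/action-tmate@v3"
        timeout-minutes: 60
        with:
          limit-access-to-actor: true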