Auto-regenerate gh-aw lock files in renovate PRs#18865
Draft
trask wants to merge 1 commit into
Draft
Conversation
Generalizes the former auto-license-report workflow into a broader auto-post-renovate workflow that regenerates anything Renovate cannot regenerate on its own: - ./gradlew generateLicenseReport (was: existing behavior) - gh aw compile (new), which refreshes .github/aw/actions-lock.json and the *.lock.yml files. The pinned gh-aw CLI version in build-common.yml is also bumped to match whatever gh-aw-actions version Renovate just installed in the lock files. Also adds a customManager to renovate.json5 so Renovate scans the gh-aw workflow source files (.github/workflows/*.md). Without it, Renovate would only edit the generated *.lock.yml files and the next gh aw compile run in auto-post-renovate would revert those edits back to the (unchanged) source SHAs. To make the customManager regex uniform, normalizes pr-review.md from bare tag refs (uses: actions/checkout@v6.0.2) to SHA-pinned-with-comment form (uses: actions/checkout@<sha> # v6.0.2), matching module-cleanup.md and the rest of the repo.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Generalizes the former
auto-license-reportworkflow into a broaderauto-post-renovateworkflow that regenerates anything Renovate cannot regenerate on its own, and teaches Renovate about the gh-aw workflow source files.Background
Renovate manages
.github/workflows/*.lock.ymlvia the built-ingithub-actionsmanager (it rewrites SHA pins inside the generated lock files), but it cannot:gh aw compileto keep.github/aw/actions-lock.jsonand the lock files internally consistent.gh extension install github/gh-aw --pin vX.Y.Zargument inbuild-common.yml(the gh-aw CLI version) to match the newgh-aw-actionsversion..github/workflows/*.md), since Renovate's github-actions manager only scans.yml/.yaml. This meant any SHA Renovate rewrote in a*.lock.ymlwould be reverted on the nextgh aw compilerun.CI failure example: #18850.
Changes
.github/workflows/auto-post-renovate.yml(renamed fromauto-license-report.yml)On every push to a
renovate/**branch, regenerates auto-managed files and pushes any diff back to the Renovate branch:./gradlew generateLicenseReport(existing).gh-aw-actionsversion from*.lock.yml(set by Renovate), sed-replace the matching--pininbuild-common.yml, install that pinned gh-aw CLI, thengh aw compile(without--no-check-update, so it refreshesactions-lock.json)..github/renovate.json5Adds a 4th
customManager(regex,github-tagsdatasource) targeting.github/workflows/*.mdso Renovate seesuses: owner/repo@<sha> # vX.Y.Zreferences in the gh-aw workflow source files. The regex tolerates 3-segment paths likegradle/actions/setup-gradleby collapsing them to theowner/repoform the datasource expects.The existing weekly-update grouping rule already covers
custom.regex, so these PRs are batched into the same weekly bundle as the github-actions/dockerfile updates..github/workflows/pr-review.mdNormalizes 5
uses:lines from bare tag form (actions/checkout@v6.0.2) to SHA-pinned-with-comment form (actions/checkout@<sha> # v6.0.2) so the new customManager regex covers them. The 4 SHAs that already matched the generated lock file are used as-is;upload-artifact@v5is replaced with the pinned v7.0.1 used everywhere else in the repo.End-to-end flow
.mdsource (new customManager) and.lock.yml(built-in manager).auto-post-renovate.ymlrunsgh aw compile. Source already matches what Renovate wrote in the lock files, so the recompile is a no-op for them; onlyactions-lock.jsonand the--pinget updated.check-gh-aw-lockfilespasses.