diff --git a/.github/renovate.json5 b/.github/renovate.json5
index ad5f28e9ef81..91c91c3edf53 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -433,5 +433,25 @@
 'npx (?[^@]+)@(?[^\\s]+)',
 ],
 },
+ {
+ // GitHub Actions referenced from gh-aw workflow source files
+ // (.github/workflows/*.md). Renovate's built-in github-actions
+ // manager only scans .yml/.yaml; the SHAs Renovate rewrites in
+ // the generated *.lock.yml files get overwritten on the next
+ // `gh aw compile` run unless the source .md is updated too.
+ //
+ // The depName captures the first two path segments (owner/repo)
+ // and intentionally discards any trailing subpath
+ // (e.g. `gradle/actions/setup-gradle` -> `gradle/actions`),
+ // because the github-tags datasource takes owner/repo only.
+ customType: 'regex',
+ datasourceTemplate: 'github-tags',
+ managerFilePatterns: [
+ '.github/workflows/*.md',
+ ],
+ matchStrings: [
+ 'uses:\\s+(?[\\w.-]+/[\\w.-]+)(?:/[\\w./-]+)?@(?[a-f0-9]{40})\\s+#\\s+(?v[\\d.]+)',
+ ],
+ },
 ],
 }
diff --git a/.github/workflows/auto-license-report.yml b/.github/workflows/auto-post-renovate.yml
similarity index 50%
rename from .github/workflows/auto-license-report.yml
rename to .github/workflows/auto-post-renovate.yml
index d81f19ae2caf..a38c81c69429 100644
--- a/.github/workflows/auto-license-report.yml
+++ b/.github/workflows/auto-post-renovate.yml
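Review bot: The matchString only fires for `uses:` lines that carry both a 40-hex SHA and a trailing `# vX.Y.Z` marker, so a pin in a `.md` workflow written as a bare tag ref (like the `@v5` this commit converts in pr-review.md) or lacking the version comment is silently skipped rather than reported. That also makes the trailing comment the authority on which version a SHA stands for, and nothing in this manager checks the comment against the tag the SHA actually resolves to, so a mislabelled pin stays mislabelled. Worth stating in the comment block, e.g. `// Only lines of the form 'uses: owner/repo[/path]@<40-hex sha> # vX.Y.Z' are tracked; bare tag refs or missing comments are ignored, and the comment is trusted as the current version.` The named capture groups inside the pattern appear to have been stripped by whatever rendered this page, so I could not confirm them here.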
@@ -1,4 +1,20 @@
-name: Auto license report
+name: Auto post-renovate
+# Regenerates files that Renovate cannot regenerate on its own. Renovate
+# updates version strings (e.g. action SHA pins, dependency versions),
+# but a few artifacts in this repo are produced by tools that have to be
+# re-run to stay consistent:
+#
+# * `licenses/` is generated by `./gradlew generateLicenseReport`.
+# * `.github/workflows/*.lock.yml` and `.github/aw/actions-lock.json`
+# are generated by `gh aw compile`. Renovate edits the action SHAs
+# *inside* the lock files via the github-actions manager, but cannot
+# re-run the compiler, refresh `actions-lock.json`, or bump the
+# `gh extension install github/gh-aw --pin vX.Y.Z` argument in
+# `build-common.yml`. Those edits live in this workflow.
+#
+# This workflow runs on every push to a `renovate/**` branch, recomputes
+# the auto-generated files, and pushes any resulting diff back to the
+# Renovate branch so CI (`check-gh-aw-lockfiles`, etc.) goes green.
 on:
 push:
 branches:
@@ -34,6 +50,46 @@ jobs:
 - name: Update license report
 run: ./gradlew generateLicenseReport --no-build-cache
+ # Detect the latest gh-aw-actions version Renovate has installed in the
+ # generated lock files. The CLI extension (`github/gh-aw`) and the
+ # actions (`github/gh-aw-actions/*`) ship from the same repo at the
+ # same version, so we pin the CLI to whatever Renovate picked.
+ - id: gh-aw-version
+ name: Detect target gh-aw version
+ run: |
+ version=$(grep -hoP 'github/gh-aw-actions/[^@]+@[a-f0-9]+ # \Kv[0-9.]+' \
+ .github/workflows/*.lock.yml \
+ | sort -V \
+ | tail -1)
+ if [ -z "$version" ]; then
+ echo "could not detect gh-aw-actions version in lock files" >&2
+ exit 1
+ fi
+ echo "version=$version" >> "$GITHUB_OUTPUT"
+
+ - name: Bump gh-aw CLI pin in build-common.yml
+ env:
+ VERSION: ${{ steps.gh-aw-version.outputs.version }}
+ run: |
+ sed -i -E \
+ "s|(gh extension install github/gh-aw --pin )v[0-9.]+|\1$VERSION|" \
+ .github/workflows/build-common.yml
+
+ - name: Install gh-aw
+ env:
+ GH_TOKEN: ${{ github.token }}
+ VERSION: ${{ steps.gh-aw-version.outputs.version }}
+ run: gh extension install github/gh-aw --pin "$VERSION"
+
+ # No `--no-check-update` here (unlike the check job in
+ # build-common.yml). We *want* this run to refresh
+ # `.github/aw/actions-lock.json` with whatever SHAs the new pinned
+ # compiler resolves, then regenerate the lock files from that.
+ - name: Recompile gh-aw workflows
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: gh aw compile
+
 - id: create-patch
 name: Create patch file
 run: |
@@ -88,6 +144,6 @@ jobs:
 if: steps.check-patch.outputs.exists == 'true'
 run: |
 git apply "${{ runner.temp }}/patch"
- git add licenses
- git commit -m "Update license report"
+ git add -A licenses .github/workflows .github/aw
+ git commit -m "Regenerate auto-managed files"
 git push
diff --git a/.github/workflows/pr-review.md b/.github/workflows/pr-review.md
index 185ca6ecccfa..624e29332a88 100644
--- a/.github/workflows/pr-review.md
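Review bot: `gh extension install github/gh-aw --pin "$VERSION"` pins the compiler to a git tag, and the SHAs that `gh aw compile` then writes into `.github/aw/actions-lock.json` and the `*.lock.yml` files are whatever that compiler resolves at run time; unlike the 40-hex action pins elsewhere in this commit, a tag is mutable, so the lock content this workflow commits is only as trustworthy as the `github/gh-aw` release the tag currently points to. The detect step derives `$VERSION` with `grep -hoP ... \Kv[0-9.]+`, so it can only contain `v`, digits and dots, which is what keeps the later `sed` script and the `--pin` argument free of injection concerns; a one-line comment on that step saying the pattern is deliberately strict would stop a future edit from loosening it. Because `sort -V | tail -1` takes the highest version across all lock files, a partially-updated set of lock files would push the CLI pin ahead of the files Renovate did not touch; if that is acceptable it is worth stating next to the existing "same version" comment.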
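Review bot: `git add -A licenses .github/workflows .github/aw` now stages edits to workflow files, and as far as I know GitHub refuses a push that modifies `.github/workflows/*` when the credential is the job's `GITHUB_TOKEN`, which cannot be granted the `workflows` permission; the credential `git push` uses is configured outside this hunk, so this needs confirming rather than assuming. If a PAT or app token is used for that reason, a comment beside `git push` naming it would help, since that token is also the thing that needs to be scoped to `renovate/**` branches. `-A` additionally stages deletions and untracked files under the three directories, wider than the previous `git add licenses`; if only regenerated files are intended, listing them explicitly would be narrower.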
+++ b/.github/workflows/pr-review.md
@@ -93,7 +93,7 @@ jobs:
 model_warning: ${{ steps.gate.outputs.model_warning }}
 triggered_by: ${{ steps.gate.outputs.triggered_by }}
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 1
 persist-credentials: false
@@ -130,20 +130,20 @@ jobs:
 contents: read
 pull-requests: write
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 1
 persist-credentials: false
 - name: Download agent artifact
- uses: actions/download-artifact@v8.0.1
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: agent
 path: ./agent-artifact
 continue-on-error: true
 - name: Download review bundle artifact
- uses: actions/download-artifact@v8.0.1
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: review-bundle
 path: ./review-bundle
@@ -197,7 +197,7 @@ steps:
 --findings-path /tmp/gh-aw/agent/findings.json
 - name: Upload review bundle for finalize job
- uses: actions/upload-artifact@v5
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: review-bundle
 path: /tmp/gh-aw/bundle
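Review bot: The last hunk moves `actions/upload-artifact` from `v5` to the SHA labelled `# v7.0.1`, so it is a two-major upgrade folded into the pinning, whereas the checkout and download-artifact lines keep their existing versions; if that is intended it deserves a line in the commit description, and the job consuming the `review-bundle` artifact (the download step in the second hunk) should be confirmed to read what v7 produces. Whether each 40-hex SHA really corresponds to the tag in its trailing comment is not verifiable from this diff, and the new regex manager in renovate.json5 treats that comment as the current version, so the labels are worth checking once. The jobs these steps belong to start outside the hunks.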