HardwareVisualizer/.github/workflows/auto-update-safe-chain.yml at develop · shm11C3/HardwareVisualizer · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
name: Auto update safe-chain version

on:
  workflow_dispatch:
  schedule:
    # Every Monday 09:30 JST (00:30 UTC)
    - cron: "30 0 * * 1"

permissions: read-all

concurrency:
  group: auto-update-safe-chain
  cancel-in-progress: true

jobs:
  update:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
        id: generate-token
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 1

      - name: Resolve latest safe-chain release tag
        id: resolve
        env:
          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
        run: |
          set -euo pipefail

          latest_tag="$(gh api repos/AikidoSec/safe-chain/releases/latest --jq '.tag_name')"

          if [ -z "$latest_tag" ]; then
            echo 'Failed to resolve latest safe-chain tag.' >&2
            exit 1
          fi

          echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT"

      - name: Update pinned safe-chain version
        env:
          LATEST_TAG: ${{ steps.resolve.outputs.latest_tag }}
        run: |
          set -euo pipefail

          file='.github/actions/setup-safe-chain/action.yml'

          if ! grep -q '^  safe-chain-version:' "$file"; then
            echo "Expected 'safe-chain-version' input not found in $file" >&2
            exit 1
          fi

          current="$(
            node -e 'const fs=require("fs"); const y=fs.readFileSync(process.argv[1],"utf8"); const m=y.match(/^\s*safe-chain-version:\n(?:.|\n)*?^\s*default:\s*"([^"]+)"/m); console.log(m?m[1]:"")' "$file"
          )"

          if [ -z "$current" ]; then
            echo "Failed to parse current pinned version from $file" >&2
            exit 1
          fi

          if [ "$current" = "$LATEST_TAG" ]; then
            echo "Already up-to-date: $current"
            exit 0
          fi

          # shellcheck disable=SC2016
          node -e '
            const fs=require("fs");
            const file=process.argv[1];
            const latest=process.argv[2];
            const text=fs.readFileSync(file,"utf8");
            const updated=text.replace(
              /(\n\s*safe-chain-version:\n(?:.|\n)*?\n\s*default:\s*")([^"]+)("\s*\n)/m,
              `$1${latest}$3`
            );
            if (updated===text) process.exit(2);
            fs.writeFileSync(file,updated);
          ' "$file" "$LATEST_TAG"

      - name: Create Pull Request
        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          token: ${{ steps.generate-token.outputs.token }}
          commit-message: "chore(ci): bump safe-chain"
          title: "chore(ci): bump safe-chain"
          body: |
            This PR was created automatically.

            - Updates pinned safe-chain version in `.github/actions/setup-safe-chain/action.yml`
            - Schedule: weekly
          branch: chore/auto-safe-chain-bump
          add-paths: |
            .github/actions/setup-safe-chain/action.yml
          delete-branch: true
          labels: |
            dependencies
            automated
          signoff: false