Sync dependencies #20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Sync dependencies | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| rancher_ref: | |
| description: "Version of rancher/rancher to compare" | |
| required: true | |
| default: "release/v2.10" | |
| rancher_repository: | |
| description: "Repository for rancher/rancher" | |
| required: true | |
| default: "rancher/rancher" | |
| env: | |
| RANCHER_REF: "${{ github.event.inputs.rancher_ref }}" | |
| WEBHOOK_REF: "${{ github.ref_name }}" | |
| permissions: | |
| contents: read | |
| # Needed to access to vault | |
| id-token: write | |
| jobs: | |
| sync: | |
| name: Sync dependencies | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: rancher-eio/read-vault-secrets@main | |
| with: | |
| secrets: | | |
| secret/data/github/repo/${{ github.repository }}/github/app-credentials appId | APP_ID ; | |
| secret/data/github/repo/${{ github.repository }}/github/app-credentials privateKey | PRIVATE_KEY | |
| # Fetch github token just for the webhook repository | |
| - uses: actions/create-github-app-token@v1 | |
| id: app-token | |
| with: | |
| app-id: ${{ env.APP_ID }} | |
| private-key: ${{ env.PRIVATE_KEY }} | |
| repositories: | | |
| webhook | |
| - name : Checkout webhook repository | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| ref: "${{ env.WEBHOOK_REF }}" | |
| path: webhook | |
| token: ${{ steps.app-token.outputs.token }} | |
| # Allow making git push request later on | |
| persist-credentials: true | |
| - name : Checkout rancher repository | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| repository: "${{ github.event.inputs.rancher_repository }}" | |
| ref: "${{ env.RANCHER_REF }}" | |
| path: rancher | |
| - name: Install dependencies | |
| run: sudo snap install yq --channel=v4/stable | |
| - name: Configure the committer | |
| run: | | |
| cd webhook | |
| user_id=$(gh api "/users/$APP_USER" --jq .id) | |
| git config --global user.name "$APP_USER" | |
| git config --global user.email "${user_id}+${APP_USER}@users.noreply.github.com" | |
| env: | |
| GH_TOKEN: ${{ steps.app-token.outputs.token }} | |
| APP_USER: "${{ steps.app-token.outputs.app-slug }}[bot]" | |
| - name: Run sync-deps script | |
| run: | | |
| cd webhook | |
| BRANCH="sync-deps-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}" | |
| echo "BRANCH=${BRANCH}" >> $GITHUB_ENV | |
| git checkout -b "$BRANCH" | |
| ./.github/workflows/scripts/sync-deps.sh ../rancher "changes.md" | |
| if [ -f changes.md ]; then | |
| git add go.mod go.sum | |
| git commit -m "Sync dependencies" | |
| git push origin "$BRANCH" | |
| fi | |
| - name: Create PR | |
| # Only create the PR if changes were detected | |
| if: ${{ hashFiles('webhook/changes.md') != '' }} | |
| run: | | |
| cd webhook | |
| changes=$(cat changes.md) | |
| body=$(cat <<EOF | |
| # Sync with Rancher | |
| $changes | |
| The workflow was triggered by $GITHUB_TRIGGERING_ACTOR. | |
| EOF | |
| ) | |
| gh pr create \ | |
| --title "[$WEBHOOK_REF] Sync webhook dependencies" \ | |
| --body "$body" \ | |
| --reviewer "$GITHUB_TRIGGERING_ACTOR" \ | |
| --repo "${{ github.repository }}" \ | |
| --head "${{ github.repository_owner }}:$BRANCH" \ | |
| --base "$WEBHOOK_REF" | |
| env: | |
| GH_TOKEN: ${{ steps.app-token.outputs.token }} |