Envoy/dependency #4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Envoy/dependency | |
permissions: | |
contents: read | |
on: | |
schedule: | |
- cron: '0 8 * * *' | |
workflow_dispatch: | |
inputs: | |
task: | |
description: Select a task | |
required: true | |
default: bazel | |
type: choice | |
options: | |
- bazel | |
- bazel-api | |
- build-image | |
- check | |
dependency: | |
description: Dependency to update (if applicable) | |
version: | |
description: Version to set (optional) | |
pr: | |
type: boolean | |
default: true | |
pr-message: | |
description: Additional message for PR, eg to fix an issue (optional) | |
concurrency: | |
group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }} | |
cancel-in-progress: true | |
env: | |
COMMITTER_NAME: dependency-envoy[bot] | |
COMMITTER_EMAIL: 148525496+dependency-envoy[bot]@users.noreply.github.com | |
jobs: | |
update-bazel: | |
if: >- | |
${{ | |
github.event_name == 'workflow_dispatch' | |
&& startsWith(inputs.task, 'bazel') | |
}} | |
name: > | |
Update dep | |
(${{ inputs.pr && 'PR/' || '' }} | |
${{ inputs.task == 'bazel' && 'bazel' || 'bazel/api' }} | |
/${{ inputs.dependency }} | |
/${{ inputs.version }}) | |
runs-on: ubuntu-22.04 | |
steps: | |
- id: appauth | |
name: Appauth | |
uses: envoyproxy/toolshed/gh-actions/[email protected] | |
with: | |
app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }} | |
key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }} | |
- id: checkout | |
name: Checkout Envoy repository | |
uses: envoyproxy/toolshed/gh-actions/github/[email protected] | |
with: | |
token: ${{ steps.appauth.outputs.token }} | |
- uses: envoyproxy/toolshed/gh-actions/[email protected] | |
id: update | |
name: Update dependency (${{ inputs.dependency }}) | |
with: | |
input: | | |
dependency: ${{ inputs.dependency }} | |
task: ${{ inputs.task }} | |
version: "${{ inputs.version }}" | |
input-format: yaml | |
filter: | | |
.version as $version | |
| .dependency as $dependency | |
| .task as $task | |
| (try ($version | validate::sha(40) | .[:7]) | |
catch $version) as $version_short | |
| {} | |
| if $task == "bazel" then | |
. | |
| .task = "bazel" | |
| .target = "update" | |
else | |
. | |
| .task = "api/bazel" | |
| .target = "api-update" | |
end | |
| .task as $task | |
| .target as $target | |
| (" | |
echo \"Updating(\($task)): \($dependency) -> \($version_short)\" | |
bazel run --config=ci //bazel:\($target) \($dependency) \($version) | |
OUTPUT=\($version_short) | |
" | bash::output) | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- uses: envoyproxy/toolshed/gh-actions/upload/[email protected] | |
name: Upload diff | |
with: | |
name: ${{ inputs.dependency }}-${{ steps.update.outputs.output }} | |
- name: Create a PR | |
if: ${{ inputs.pr }} | |
uses: envoyproxy/toolshed/gh-actions/github/[email protected] | |
with: | |
base: main | |
body: | | |
Created by Envoy dependency bot for @${{ github.actor }} | |
${{ inputs.pr-message }} | |
branch: >- | |
dependency/${{ inputs.task }}/${{ inputs.dependency }}/${{ steps.update.outputs.output }} | |
commit-message: | | |
${{ inputs.task == 'bazel' && 'deps' || 'deps/api' }}: Bump `${{ inputs.dependency }}` -> ${{ steps.update.outputs.output }} | |
Signed-off-by: ${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}> | |
committer-name: ${{ env.COMMITTER_NAME }} | |
committer-email: ${{ env.COMMITTER_EMAIL }} | |
title: >- | |
${{ inputs.task == 'bazel' && 'deps' || 'deps/api' }}: Bump `${{ inputs.dependency }}` | |
-> ${{ steps.update.outputs.output }} | |
GITHUB_TOKEN: ${{ steps.appauth.outputs.token }} | |
update-build-image: | |
if: >- | |
${{ | |
github.event_name == 'workflow_dispatch' | |
&& github.event.inputs.task == 'build-image' | |
}} | |
name: Update build image (PR) | |
runs-on: ubuntu-22.04 | |
steps: | |
- id: appauth | |
name: Appauth | |
uses: envoyproxy/toolshed/gh-actions/[email protected] | |
with: | |
app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }} | |
key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }} | |
- uses: envoyproxy/toolshed/gh-actions/github/[email protected] | |
id: checkout | |
name: Checkout Envoy repository | |
with: | |
config: | | |
path: envoy | |
fetch-depth: 0 | |
token: ${{ steps.appauth.outputs.token }} | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
name: Checkout Envoy build tools repository | |
with: | |
repository: envoyproxy/envoy-build-tools | |
path: build-tools | |
fetch-depth: 0 | |
- run: | | |
shas=( | |
tag | |
sha | |
mobile-sha | |
gcr-sha) | |
for sha in "${shas[@]}"; do | |
current_sha=$(bazel run --config=ci //tools/dependency:build-image-sha "$sha") | |
echo "${sha}=${current_sha}" >> "$GITHUB_OUTPUT" | |
done | |
id: current | |
name: Current SHAs | |
working-directory: envoy | |
- run: | | |
if [[ -z "$CONTAINER_TAG" ]]; then | |
# get current build image version | |
CONTAINER_TAG=$(git log -1 --pretty=format:"%H" "./docker") | |
fi | |
echo "tag=${CONTAINER_TAG}" >> "$GITHUB_OUTPUT" | |
echo "tag_short=${CONTAINER_TAG::7}" >> "$GITHUB_OUTPUT" | |
env: | |
CONTAINER_TAG: ${{ inputs.version }} | |
id: build-tools | |
name: Build image SHA | |
working-directory: build-tools | |
- name: Check Docker SHAs | |
id: build-images | |
uses: envoyproxy/toolshed/gh-actions/docker/[email protected] | |
with: | |
images: | | |
sha: envoyproxy/envoy-build-ubuntu:${{ steps.build-tools.outputs.tag }} | |
mobile-sha: envoyproxy/envoy-build-ubuntu:mobile-${{ steps.build-tools.outputs.tag }} | |
gcr-sha: gcr.io/envoy-ci/envoy-build:${{ steps.build-tools.outputs.tag }} | |
- run: | | |
SHA_REPLACE=( | |
"$CURRENT_ENVOY_TAG:$ENVOY_TAG" | |
"$CURRENT_ENVOY_SHA:${{ fromJSON(steps.build-images.outputs.shas).sha }}" | |
"$CURRENT_ENVOY_MOBILE_SHA:${{ fromJSON(steps.build-images.outputs.shas).mobile-sha }}" | |
"$CURRENT_ENVOY_GCR_SHA:${{ fromJSON(steps.build-images.outputs.shas).gcr-sha }}") | |
echo "replace=${SHA_REPLACE[*]}" >> "$GITHUB_OUTPUT" | |
name: Find SHAs to replace | |
id: shas | |
env: | |
ENVOY_TAG: ${{ steps.build-tools.outputs.tag }} | |
CURRENT_ENVOY_TAG: ${{ steps.current.outputs.tag }} | |
CURRENT_ENVOY_SHA: ${{ steps.current.outputs.sha }} | |
CURRENT_ENVOY_MOBILE_SHA: ${{ steps.current.outputs.mobile-sha }} | |
CURRENT_ENVOY_GCR_SHA: ${{ steps.current.outputs.gcr-sha }} | |
- run: | | |
echo "${SHA_REPLACE}" | xargs bazel run --config=ci @envoy_toolshed//sha:replace "${PWD}" | |
env: | |
SHA_REPLACE: ${{ steps.shas.outputs.replace }} | |
name: Update SHAs | |
working-directory: envoy | |
- name: Create a PR | |
uses: envoyproxy/toolshed/gh-actions/github/[email protected] | |
with: | |
base: main | |
body: Created by Envoy dependency bot | |
branch: dependency-envoy/build-image/latest | |
committer-name: ${{ env.COMMITTER_NAME }} | |
committer-email: ${{ env.COMMITTER_EMAIL }} | |
commit-message: | | |
deps: Bump build images -> `${{ steps.build-tools.outputs.tag_short }}` | |
Signed-off-by: ${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}> | |
title: 'deps: Bump build images -> `${{ steps.build-tools.outputs.tag_short }}`' | |
GITHUB_TOKEN: ${{ steps.appauth.outputs.token }} | |
working-directory: envoy | |
scheduled: | |
runs-on: ubuntu-22.04 | |
if: >- | |
${{ | |
github.repository == 'envoyproxy/envoy' | |
&& (github.event.schedule | |
|| (!contains(github.actor, '[bot]') | |
&& inputs.task == 'check')) | |
}} | |
permissions: | |
contents: read | |
issues: write | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Run dependency checker | |
run: | | |
TODAY_DATE=$(date -u -I"date") | |
export TODAY_DATE | |
bazel run --config=ci //tools/dependency:check --action_env=TODAY_DATE -- -c release_issues --fix | |
bazel run --config=ci //tools/dependency:check --action_env=TODAY_DATE -- -c cves -w error | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |