Update vault-plugin-auth-kubernetes to v0.18.0 #53
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Plugin update | |
run-name: Update ${{ inputs.plugin }} to v${{ inputs.version }} | |
on: | |
workflow_dispatch: | |
inputs: | |
plugin: | |
description: 'Full name of the plugin, e.g., vault-plugin-auth-kubernetes' | |
required: true | |
type: string | |
version: | |
description: 'Version of the plugin with *NO* "v", e.g., 1.2.3' | |
required: true | |
type: string | |
jobs: | |
plugin-update: | |
runs-on: ubuntu-latest | |
env: | |
VAULT_BRANCH: "update/${{ inputs.plugin }}/v${{ inputs.version }}" | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
# We don't use the default token so that checks are executed on the resulting PR | |
# https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow | |
token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764 | |
go-version-file: .go-version | |
- name: update plugin | |
run: | | |
go get "github.com/hashicorp/${{ inputs.plugin }}@v${{ inputs.version }}" | |
go mod tidy | |
- name: detect changes | |
run: | | |
count=$(git status --porcelain=v1 2>/dev/null | wc -l) | |
if [ "$count" -eq 0 ]; then | |
echo "::error::no updates were made for ${{ inputs.plugin }} with tag v${{ inputs.version }}" | |
exit 1 | |
fi | |
- name: commit/push | |
run: | | |
git config user.name hc-github-team-secure-vault-ecosystem | |
git config user.email [email protected] | |
git add go.mod go.sum | |
git commit -m "Automated dependency upgrades" | |
git push -f origin ${{ github.ref_name }}:"$VAULT_BRANCH" | |
- name: Open pull request if needed | |
id: pr | |
env: | |
GITHUB_TOKEN: ${{secrets.ELEVATED_GITHUB_TOKEN}} | |
# Only open a PR if the branch is not attached to an existing one | |
run: | | |
PR=$(gh pr list --head "$VAULT_BRANCH" --json number -q '.[0].number') | |
if [ -z "$PR" ]; then | |
gh pr create \ | |
--head "$VAULT_BRANCH" \ | |
--reviewer "${{ github.actor }}" \ | |
--title "Update ${{ inputs.plugin }} to v${{ inputs.version }}" \ | |
--body "This PR was generated by a GitHub Action. Full log: https://github.com/hashicorp/vault/actions/runs/${{ github.run_id }}" | |
echo "vault_pr_num=$(gh pr list --head "$VAULT_BRANCH" --json number -q '.[0].number')" >> "$GITHUB_OUTPUT" | |
echo "vault_pr_url=$(gh pr list --head "$VAULT_BRANCH" --json url -q '.[0].url')" >> "$GITHUB_OUTPUT" | |
else | |
echo "::notice::Pull request $PR already exists, won't create a new one." | |
fi | |
- name: Add changelog | |
if: steps.pr.outputs.vault_pr_num != '' | |
run: | | |
PLUGIN="${{ inputs.plugin }}" | |
# plugin type is one of auth/secrets/database | |
PLUGIN_TYPE=$(echo "$PLUGIN" | awk -F- '{print $3}') | |
echo "::debug::plugin type: $PLUGIN_TYPE" | |
# plugin service is the rest of the repo name | |
PLUGIN_SERVICE=$(echo "$PLUGIN" | cut -d- -f 4-) | |
echo "::debug::plugin service: $PLUGIN_SERVICE" | |
echo "\`\`\`release-note:change | |
${PLUGIN_TYPE}/${PLUGIN_SERVICE}: Update plugin to v${{ inputs.version }} | |
\`\`\`" > "changelog/${{ steps.pr.outputs.vault_pr_num }}.txt" | |
git add changelog/ | |
git commit -m "Add changelog" | |
git push origin ${{ github.ref_name }}:"$VAULT_BRANCH" | |
- name: Add labels to Vault PR | |
if: steps.pr.outputs.vault_pr_num != '' | |
env: | |
# this is a different token to the one we have been using that should | |
# allow us to add labels | |
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
continue-on-error: true | |
run: | | |
gh pr edit "${{ steps.pr.outputs.vault_pr_num }}" \ | |
--add-label "dependencies" \ | |
--repo hashicorp/vault |