-
Notifications
You must be signed in to change notification settings - Fork 4.2k
106 lines (91 loc) · 4.12 KB
/
plugin-update.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
name: Plugin update
run-name: Update ${{ inputs.plugin }} to v${{ inputs.version }}
on:
workflow_dispatch:
inputs:
plugin:
description: 'Full name of the plugin, e.g., vault-plugin-auth-kubernetes'
required: true
type: string
version:
description: 'Version of the plugin with *NO* "v", e.g., 1.2.3'
required: true
type: string
jobs:
plugin-update:
runs-on: ubuntu-latest
env:
VAULT_BRANCH: "update/${{ inputs.plugin }}/v${{ inputs.version }}"
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
# We don't use the default token so that checks are executed on the resulting PR
# https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764
go-version-file: .go-version
- name: update plugin
run: |
go get "github.com/hashicorp/${{ inputs.plugin }}@v${{ inputs.version }}"
go mod tidy
- name: detect changes
run: |
count=$(git status --porcelain=v1 2>/dev/null | wc -l)
if [ "$count" -eq 0 ]; then
echo "::error::no updates were made for ${{ inputs.plugin }} with tag v${{ inputs.version }}"
exit 1
fi
- name: commit/push
run: |
git config user.name hc-github-team-secure-vault-ecosystem
git config user.email [email protected]
git add go.mod go.sum
git commit -m "Automated dependency upgrades"
git push -f origin ${{ github.ref_name }}:"$VAULT_BRANCH"
- name: Open pull request if needed
id: pr
env:
GITHUB_TOKEN: ${{secrets.ELEVATED_GITHUB_TOKEN}}
# Only open a PR if the branch is not attached to an existing one
run: |
PR=$(gh pr list --head "$VAULT_BRANCH" --json number -q '.[0].number')
if [ -z "$PR" ]; then
gh pr create \
--head "$VAULT_BRANCH" \
--reviewer "${{ github.actor }}" \
--title "Update ${{ inputs.plugin }} to v${{ inputs.version }}" \
--body "This PR was generated by a GitHub Action. Full log: https://github.com/hashicorp/vault/actions/runs/${{ github.run_id }}"
echo "vault_pr_num=$(gh pr list --head "$VAULT_BRANCH" --json number -q '.[0].number')" >> "$GITHUB_OUTPUT"
echo "vault_pr_url=$(gh pr list --head "$VAULT_BRANCH" --json url -q '.[0].url')" >> "$GITHUB_OUTPUT"
else
echo "::notice::Pull request $PR already exists, won't create a new one."
fi
- name: Add changelog
if: steps.pr.outputs.vault_pr_num != ''
run: |
PLUGIN="${{ inputs.plugin }}"
# plugin type is one of auth/secrets/database
PLUGIN_TYPE=$(echo "$PLUGIN" | awk -F- '{print $3}')
echo "::debug::plugin type: $PLUGIN_TYPE"
# plugin service is the rest of the repo name
PLUGIN_SERVICE=$(echo "$PLUGIN" | cut -d- -f 4-)
echo "::debug::plugin service: $PLUGIN_SERVICE"
echo "\`\`\`release-note:change
${PLUGIN_TYPE}/${PLUGIN_SERVICE}: Update plugin to v${{ inputs.version }}
\`\`\`" > "changelog/${{ steps.pr.outputs.vault_pr_num }}.txt"
git add changelog/
git commit -m "Add changelog"
git push origin ${{ github.ref_name }}:"$VAULT_BRANCH"
- name: Add labels to Vault PR
if: steps.pr.outputs.vault_pr_num != ''
env:
# this is a different token to the one we have been using that should
# allow us to add labels
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
continue-on-error: true
run: |
gh pr edit "${{ steps.pr.outputs.vault_pr_num }}" \
--add-label "dependencies" \
--repo hashicorp/vault