Envoy/dependency #443
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Envoy/dependency | |
permissions: | |
contents: read | |
on: | |
schedule: | |
- cron: '0 8 * * *' | |
workflow_dispatch: | |
inputs: | |
task: | |
description: Select a task | |
required: true | |
default: bazel | |
type: choice | |
options: | |
- bazel | |
- bazel-api | |
- build-image | |
- check | |
dependency: | |
description: Dependency to update (if applicable) | |
version: | |
description: Version to set (optional) | |
pr: | |
type: boolean | |
default: true | |
pr-message: | |
description: Additional message for PR, eg to fix an issue (optional) | |
concurrency: | |
group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }} | |
cancel-in-progress: true | |
env: | |
COMMITTER_NAME: dependency-envoy[bot] | |
COMMITTER_EMAIL: 148525496+dependency-envoy[bot]@users.noreply.github.com | |
jobs: | |
update-bazel: | |
if: >- | |
${{ | |
github.event_name == 'workflow_dispatch' | |
&& startsWith(inputs.task, 'bazel') | |
}} | |
name: > | |
Update dep | |
(${{ inputs.pr && 'PR/' || '' }} | |
${{ inputs.task == 'bazel' && 'bazel' || 'bazel/api' }} | |
/${{ inputs.dependency }} | |
/${{ inputs.version }}) | |
runs-on: ubuntu-24.04 | |
steps: | |
- id: appauth | |
name: Appauth | |
uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.15 | |
with: | |
app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }} | |
key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }} | |
- id: checkout | |
name: Checkout Envoy repository | |
uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.15 | |
with: | |
token: ${{ steps.appauth.outputs.token }} | |
- uses: envoyproxy/toolshed/gh-actions/bson@actions-v0.3.15 | |
id: update | |
name: Update dependency (${{ inputs.dependency }}) | |
with: | |
input: | | |
dependency: ${{ inputs.dependency }} | |
task: ${{ inputs.task }} | |
version: "${{ inputs.version }}" | |
input-format: yaml | |
filter: | | |
.version as $version | |
| .dependency as $dependency | |
| .task as $task | |
| (try ($version | validate::sha(40) | .[:7]) | |
catch $version) as $version_short | |
| {} | |
| if $task == "bazel" then | |
. | |
| .task = "bazel" | |
| .target = "update" | |
else | |
. | |
| .task = "api/bazel" | |
| .target = "api-update" | |
end | |
| .task as $task | |
| .target as $target | |
| (" | |
echo \"Updating(\($task)): \($dependency) -> \($version_short)\" | |
bazel run --config=ci //bazel:\($target) \($dependency) \($version) | |
OUTPUT=\($version_short) | |
" | bash::output) | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- uses: envoyproxy/toolshed/gh-actions/upload/diff@actions-v0.3.15 | |
name: Upload diff | |
with: | |
name: ${{ inputs.dependency }}-${{ steps.update.outputs.output }} | |
- name: Create a PR | |
if: ${{ inputs.pr }} | |
uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.15 | |
with: | |
base: main | |
body: | | |
Created by Envoy dependency bot for @${{ github.actor }} | |
${{ inputs.pr-message }} | |
branch: >- | |
dependency/${{ inputs.task }}/${{ inputs.dependency }}/${{ steps.update.outputs.output }} | |
commit-message: | | |
${{ inputs.task == 'bazel' && 'deps' || 'deps/api' }}: Bump `${{ inputs.dependency }}` -> ${{ steps.update.outputs.output }} | |
Signed-off-by: ${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}> | |
committer-name: ${{ env.COMMITTER_NAME }} | |
committer-email: ${{ env.COMMITTER_EMAIL }} | |
title: >- | |
${{ inputs.task == 'bazel' && 'deps' || 'deps/api' }}: Bump `${{ inputs.dependency }}` | |
-> ${{ steps.update.outputs.output }} | |
GITHUB_TOKEN: ${{ steps.appauth.outputs.token }} | |
update-build-image: | |
if: >- | |
${{ | |
github.event_name == 'workflow_dispatch' | |
&& github.event.inputs.task == 'build-image' | |
}} | |
name: Update build image (PR) | |
runs-on: ubuntu-24.04 | |
steps: | |
- id: appauth | |
name: Appauth | |
uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.3.15 | |
with: | |
app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }} | |
key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }} | |
- uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.3.15 | |
id: checkout | |
name: Checkout Envoy repository | |
with: | |
config: | | |
path: envoy | |
fetch-depth: 0 | |
token: ${{ steps.appauth.outputs.token }} | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
name: Checkout Envoy build tools repository | |
with: | |
repository: envoyproxy/envoy-build-tools | |
path: build-tools | |
fetch-depth: 0 | |
- run: | | |
shas=( | |
tag | |
sha | |
mobile-sha | |
gcr-sha) | |
for sha in "${shas[@]}"; do | |
current_sha=$(bazel run --config=ci //tools/dependency:build-image-sha "$sha") | |
echo "${sha}=${current_sha}" >> "$GITHUB_OUTPUT" | |
done | |
id: current | |
name: Current SHAs | |
working-directory: envoy | |
- run: | | |
if [[ -z "$CONTAINER_TAG" ]]; then | |
# get current build image version | |
CONTAINER_TAG=$(git log -1 --pretty=format:"%H" "./docker") | |
fi | |
echo "tag=${CONTAINER_TAG}" >> "$GITHUB_OUTPUT" | |
echo "tag_short=${CONTAINER_TAG::7}" >> "$GITHUB_OUTPUT" | |
env: | |
CONTAINER_TAG: ${{ inputs.version }} | |
id: build-tools | |
name: Build image SHA | |
working-directory: build-tools | |
- name: Check Docker SHAs | |
id: build-images | |
uses: envoyproxy/toolshed/gh-actions/docker/shas@actions-v0.3.15 | |
with: | |
images: | | |
sha: envoyproxy/envoy-build-ubuntu:${{ steps.build-tools.outputs.tag }} | |
mobile-sha: envoyproxy/envoy-build-ubuntu:mobile-${{ steps.build-tools.outputs.tag }} | |
gcr-sha: gcr.io/envoy-ci/envoy-build:${{ steps.build-tools.outputs.tag }} | |
- run: | | |
SHA_REPLACE=( | |
"$CURRENT_ENVOY_TAG:$ENVOY_TAG" | |
"$CURRENT_ENVOY_SHA:${{ fromJSON(steps.build-images.outputs.shas).sha }}" | |
"$CURRENT_ENVOY_MOBILE_SHA:${{ fromJSON(steps.build-images.outputs.shas).mobile-sha }}" | |
"$CURRENT_ENVOY_GCR_SHA:${{ fromJSON(steps.build-images.outputs.shas).gcr-sha }}") | |
echo "replace=${SHA_REPLACE[*]}" >> "$GITHUB_OUTPUT" | |
name: Find SHAs to replace | |
id: shas | |
env: | |
ENVOY_TAG: ${{ steps.build-tools.outputs.tag }} | |
CURRENT_ENVOY_TAG: ${{ steps.current.outputs.tag }} | |
CURRENT_ENVOY_SHA: ${{ steps.current.outputs.sha }} | |
CURRENT_ENVOY_MOBILE_SHA: ${{ steps.current.outputs.mobile-sha }} | |
CURRENT_ENVOY_GCR_SHA: ${{ steps.current.outputs.gcr-sha }} | |
- run: | | |
echo "${SHA_REPLACE}" | xargs bazel run --config=ci @envoy_toolshed//sha:replace "${PWD}" | |
env: | |
SHA_REPLACE: ${{ steps.shas.outputs.replace }} | |
name: Update SHAs | |
working-directory: envoy | |
- name: Create a PR | |
uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.3.15 | |
with: | |
base: main | |
body: Created by Envoy dependency bot | |
branch: dependency-envoy/build-image/latest | |
committer-name: ${{ env.COMMITTER_NAME }} | |
committer-email: ${{ env.COMMITTER_EMAIL }} | |
commit-message: | | |
deps: Bump build images -> `${{ steps.build-tools.outputs.tag_short }}` | |
Signed-off-by: ${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}> | |
title: 'deps: Bump build images -> `${{ steps.build-tools.outputs.tag_short }}`' | |
GITHUB_TOKEN: ${{ steps.appauth.outputs.token }} | |
working-directory: envoy | |
scheduled: | |
runs-on: ubuntu-24.04 | |
if: >- | |
${{ | |
github.repository == 'envoyproxy/envoy' | |
&& (github.event.schedule | |
|| (!contains(github.actor, '[bot]') | |
&& inputs.task == 'check')) | |
}} | |
permissions: | |
contents: read | |
issues: write | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Run dependency checker | |
run: | | |
TODAY_DATE=$(date -u -I"date") | |
export TODAY_DATE | |
bazel run --config=ci //tools/dependency:check --action_env=TODAY_DATE -- -c release_issues --fix | |
bazel run --config=ci //tools/dependency:check --action_env=TODAY_DATE -- -c cves -w error | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |