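name: Plugin update check
run-name: ${{ inputs.repo }} update check

on:
  workflow_dispatch:
    inputs:
      repo:
        type: string
        description: 'The owner and repository name as per the github.repository context property.'
        required: true
      plugin_branch:
        type: string
        description: 'The name of the plugin branch.'
        required: true

# Least privilege for the default GITHUB_TOKEN. It is only used by the
# "Add labels" step; checkout, push, PR creation and the plugin-repo comment
# all use ELEVATED_GITHUB_TOKEN, so the default token needs no write access
# to contents.
permissions:
  contents: read
  pull-requests: write
  issues: write

# Two dispatches for the same plugin branch target the same VAULT_BRANCH and
# would race on the force-push and on the "list then create PR" sequence
# below; serialize them instead of cancelling (both runs carry useful logs).
concurrency:
  group: plugin-update-check-${{ inputs.repo }}-${{ inputs.plugin_branch }}
  cancel-in-progress: false

jobs:
  plugin-update-check:
    runs-on: ubuntu-latest
    env:
      # Dispatch inputs are caller-controlled strings that end up in a Go
      # module path, a git ref and `gh --repo` arguments. They are exposed to
      # the shell only through env vars (never inlined as ${{ }} inside a
      # `run:` script, which would be a script-injection vector) and are
      # validated in the first step before any token-bearing step runs.
      PLUGIN_REPO: "${{ inputs.repo }}"
      PLUGIN_BRANCH: "${{ inputs.plugin_branch }}"
      VAULT_BRANCH: "auto-plugin-update/${{ inputs.repo }}/${{ inputs.plugin_branch }}"
      RUN_ID: "${{ github.run_id }}"
    steps:
      - run: echo "Branch $PLUGIN_BRANCH of $PLUGIN_REPO"

      - name: validate inputs
        # Fail fast on anything that is not a plain owner/name and a valid,
        # non-option-looking branch name. This bounds what can reach `go get`,
        # `git push` and `gh ... --repo`.
        # NOTE(review): anyone with dispatch rights can still point this at an
        # arbitrary repo, and the resulting same-repo PR runs Vault CI against
        # that module's code with repository secrets. Consider restricting
        # PLUGIN_REPO to an allow-listed owner (e.g. hashicorp/*) here.
        run: |
          if ! [[ "$PLUGIN_REPO" =~ ^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$ ]]; then
            echo "error: repo must be of the form owner/name, got '$PLUGIN_REPO'" >&2
            exit 1
          fi
          # A leading '-' would be parsed as an option by gh; check-ref-format
          # without --branch works outside a repository.
          if [[ "$PLUGIN_BRANCH" == -* ]] || ! git check-ref-format "refs/heads/$PLUGIN_BRANCH" >/dev/null; then
            echo "error: plugin_branch is not a valid branch name: '$PLUGIN_BRANCH'" >&2
            exit 1
          fi

      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          # We don't use the default token so that checks are executed on the resulting PR
          # https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
          # The token is persisted in .git/config so the later `git push` can use it.
          token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}

      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764
          go-version-file: .go-version

      - name: update plugin
        # Pull the requested plugin branch into go.mod/go.sum. Both values are
        # validated above and quoted, so they cannot split the command.
        run: |
          go get "github.com/$PLUGIN_REPO@$PLUGIN_BRANCH"
          go mod tidy

      - name: detect changes
        id: changes
        # count = number of modified/untracked paths; later steps are skipped
        # when the plugin branch produced no go.mod/go.sum change.
        run: |
          echo "count=$(git status --porcelain=v1 2>/dev/null | wc -l)" >> "$GITHUB_OUTPUT"

      - name: commit/push
        if: steps.changes.outputs.count > 0
        # Push the dispatched ref (plus the new commit) to VAULT_BRANCH. The
        # source ref comes from the runner-provided GITHUB_REF_NAME env var
        # rather than an inlined ${{ github.ref_name }}: branch names may
        # contain shell metacharacters ($, ;, backticks) and would otherwise
        # be evaluated by the shell.
        run: |
          git config user.name hc-github-team-secure-vault-ecosystem
          git config user.email hc-github-team-secure-vault-ecosystem@users.noreply.github.com
          git add .
          git commit -m "Automated dependency upgrades"
          git push -f origin "$GITHUB_REF_NAME:$VAULT_BRANCH"

      - name: Open pull request if needed
        id: pr
        if: steps.changes.outputs.count > 0
        env:
          GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
        # Only open a PR if the branch is not attached to an existing one.
        # Outputs: vault_pr_num / vault_pr_url for the PR on VAULT_BRANCH
        # (empty if, after this step, none could be found).
        run: |
          PR=$(gh pr list --head "$VAULT_BRANCH" --json number -q '.[0].number')
          if [ -z "$PR" ]; then
            gh pr create \
              --head "$VAULT_BRANCH" \
              --title "[DO NOT MERGE]: $PLUGIN_REPO Automated plugin update check" \
              --body "Updates $PLUGIN_REPO to verify vault CI. Full log: https://github.com/hashicorp/vault/actions/runs/$RUN_ID"
          else
            echo "Pull request already exists, won't create a new one."
          fi
          echo "vault_pr_num=$(gh pr list --head "$VAULT_BRANCH" --json number -q '.[0].number')" >> "$GITHUB_OUTPUT"
          echo "vault_pr_url=$(gh pr list --head "$VAULT_BRANCH" --json url -q '.[0].url')" >> "$GITHUB_OUTPUT"

      - name: Add labels to Vault CI check PR
        if: steps.changes.outputs.count > 0
        env:
          # this is a different token to the one we have been using that should
          # allow us to add labels
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Step outputs are passed through env rather than inlined into the
          # script, same as the dispatch inputs.
          VAULT_PR_NUM: ${{ steps.pr.outputs.vault_pr_num }}
          VAULT_PR_URL: ${{ steps.pr.outputs.vault_pr_url }}
        continue-on-error: true
        run: |
          if [ -z "$VAULT_PR_URL" ]; then
            echo "error: no vault PR found"
            exit 1
          fi
          gh pr edit "$VAULT_PR_NUM" \
            --add-label "dependencies,pr/no-changelog,pr/no-milestone" \
            --repo hashicorp/vault

      - name: Comment on plugin PR
        if: steps.changes.outputs.count > 0
        env:
          GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
          VAULT_PR_URL: ${{ steps.pr.outputs.vault_pr_url }}
        # Cross-link the Vault CI PR from the plugin repo's PR for the same
        # branch. Fails (non-fatally for the workflow's purpose, but visibly)
        # when either PR cannot be located.
        run: |
          # get Plugin PR number
          plugin_pr_num=$(gh pr list --head "$PLUGIN_BRANCH" --json number --repo "$PLUGIN_REPO" -q '.[0].number')
          if [ -z "$plugin_pr_num" ]; then
            echo "error: no plugin PR found"
            exit 1
          fi
          if [ -z "$VAULT_PR_URL" ]; then
            echo "error: no vault PR found"
            exit 1
          fi
          # make a comment on the plugin repo's PR
          gh pr comment "$plugin_pr_num" \
            --body "Vault CI check PR: $VAULT_PR_URL" \
            --repo "$PLUGIN_REPO"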