name: Plugin update run-name: Update ${{ inputs.plugin }} to v${{ inputs.version }} on: workflow_dispatch: inputs: plugin: description: 'Full name of the plugin, e.g., vault-plugin-auth-kubernetes' required: true type: string branch: description: 'Git branch name to use' required: true type: string version: description: 'Version of the plugin with *NO* "v", e.g., 1.2.3' required: true type: string reviewer: description: 'Reviewer to tag on the PR' required: false type: string jobs: plugin-update: runs-on: ubuntu-latest env: VAULT_BRANCH: ${{ inputs.branch }} REVIEWER: ${{ inputs.reviewer || github.actor }} steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: # We don't use the default token so that checks are executed on the resulting PR # https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764 go-version-file: .go-version - name: Update plugin if: github.repository == 'hashicorp/vault' run: | go get "github.com/hashicorp/${{ inputs.plugin }}@v${{ inputs.version }}" go mod tidy - name: Update Enterprise-only plugin if: github.repository == 'hashicorp/vault-enterprise' run: | (cd vault_ent && go get "github.com/hashicorp/${{ inputs.plugin }}@v${{ inputs.version }}" && go mod tidy) go mod tidy - name: Detect changes run: | count=$(git status --porcelain=v1 2>/dev/null | wc -l) if [ "$count" -eq 0 ]; then echo "::error::no updates were made for ${{ inputs.plugin }} with tag v${{ inputs.version }}" exit 1 fi - name: Commit and push run: | git config user.name hc-github-team-secure-vault-ecosystem git config user.email hc-github-team-secure-vault-ecosystem@users.noreply.github.com git add go.mod go.sum git commit -m "Update ${{ inputs.plugin }} to v${{ inputs.version }}" git push -f origin ${{ github.ref_name }}:"$VAULT_BRANCH" - name: Open pull request if needed id: pr env: GITHUB_TOKEN: ${{secrets.ELEVATED_GITHUB_TOKEN}} # Only open a PR if the branch is not attached to an existing one run: | PR=$(gh pr list --head "$VAULT_BRANCH" --json number -q '.[0].number') if [ -z "$PR" ]; then gh pr create \ --head "$VAULT_BRANCH" \ --reviewer "$REVIEWER" \ --assignee "$REVIEWER" \ --title "Update ${{ inputs.plugin }} to v${{ inputs.version }}" \ --body "This PR was generated by a GitHub Action. Full log: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" echo "vault_pr_num=$(gh pr list --head "$VAULT_BRANCH" --json number -q '.[0].number')" >> "$GITHUB_OUTPUT" echo "vault_pr_url=$(gh pr list --head "$VAULT_BRANCH" --json url -q '.[0].url')" >> "$GITHUB_OUTPUT" else echo "::notice::Pull request $PR already exists, won't create a new one." fi - name: Add changelog if: steps.pr.outputs.vault_pr_num != '' run: | PLUGIN="${{ inputs.plugin }}" # plugin type is one of auth/secrets/database PLUGIN_TYPE=$(echo "$PLUGIN" | awk -F- '{print $3}') echo "::debug::plugin type: $PLUGIN_TYPE" # plugin service is the rest of the repo name PLUGIN_SERVICE=$(echo "$PLUGIN" | cut -d- -f 4-) echo "::debug::plugin service: $PLUGIN_SERVICE" echo "\`\`\`release-note:change ${PLUGIN_TYPE}/${PLUGIN_SERVICE}: Update plugin to v${{ inputs.version }} \`\`\`" > "changelog/${{ steps.pr.outputs.vault_pr_num }}.txt" git add changelog/ git commit -m "Add changelog" git push origin ${{ github.ref_name }}:"$VAULT_BRANCH" - name: Add labels to Vault PR if: steps.pr.outputs.vault_pr_num != '' env: # this is a different token to the one we have been using that should # allow us to add labels GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} continue-on-error: true run: | gh pr edit "${{ steps.pr.outputs.vault_pr_num }}" \ --add-label "dependencies" \ --repo hashicorp/vault