name: Plugin update run-name: Update ${{ inputs.repo }} by @${{ github.actor }} on: workflow_dispatch: inputs: repo: type: string description: 'The owner and repository name. Ex: hashicorp/vault-plugin-auth-jwt' required: true plugin_tag: type: string description: 'The name of the plugin tag. Ex: v0.5.1' required: true jobs: plugin-update: runs-on: ubuntu-latest env: VAULT_BRANCH: "update/${{ inputs.repo }}/${{ inputs.plugin_tag }}" steps: - run: echo "Branch ${{ inputs.plugin_tag }} of ${{ inputs.repo }}" - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: # We don't use the default token so that checks are executed on the resulting PR # https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764 go-version-file: .go-version - name: update plugin run: | go get "github.com/${{ inputs.repo }}@${{ inputs.plugin_tag }}" go mod tidy - name: detect changes run: | count=$(git status --porcelain=v1 2>/dev/null | wc -l) if [ "$count" -eq 0 ]; then echo "error: no updates were made for repo ${{ inputs.repo }} with tag ${{ inputs.plugin_tag }}" exit 1 fi - name: commit/push run: | git config user.name hc-github-team-secure-vault-ecosystem git config user.email hc-github-team-secure-vault-ecosystem@users.noreply.github.com git add go.mod go.sum git commit -m "Automated dependency upgrades" git push -f origin ${{ github.ref_name }}:"$VAULT_BRANCH" - name: Open pull request if needed id: pr env: GITHUB_TOKEN: ${{secrets.ELEVATED_GITHUB_TOKEN}} # Only open a PR if the branch is not attached to an existing one run: | PR=$(gh pr list --head "$VAULT_BRANCH" --json number -q '.[0].number') if [ -z "$PR" ]; then gh pr create \ --head "$VAULT_BRANCH" \ --reviewer "${{ github.actor }}" \ --title "Update ${{ inputs.repo }} to ${{ inputs.plugin_tag }}" \ --body "This PR was generated by a GitHub Action. Full log: https://github.com/hashicorp/vault/actions/runs/${{ github.run_id }}" echo "vault_pr_num=$(gh pr list --head "$VAULT_BRANCH" --json number -q '.[0].number')" >> "$GITHUB_OUTPUT" echo "vault_pr_url=$(gh pr list --head "$VAULT_BRANCH" --json url -q '.[0].url')" >> "$GITHUB_OUTPUT" else echo "Pull request already exists, won't create a new one." fi - name: Add changelog if: steps.pr.outputs.vault_pr_num != '' run: | # strip "hashicorp/" from repo name PLUGIN=$(echo ${{ inputs.repo }} | awk -F/ '{print $NF}') echo "plugin: $PLUGIN" # plugin type is one of auth/secrets/database PLUGIN_TYPE=$(echo "$PLUGIN" | awk -F- '{print $3}') echo "plugin type: $PLUGIN_TYPE" # plugin service is the rest of the repo name PLUGIN_SERVICE=$(echo "$PLUGIN" | cut -d- -f 4-) echo "plugin service: $PLUGIN_SERVICE" echo "\`\`\`release-note:change ${PLUGIN_TYPE}/${PLUGIN_SERVICE}: Update plugin to ${{ inputs.plugin_tag }} \`\`\`" > "changelog/${{ steps.pr.outputs.vault_pr_num }}.txt" git add changelog/ git commit -m "Add changelog" git push origin ${{ github.ref_name }}:"$VAULT_BRANCH" - name: Add labels to Vault PR if: steps.pr.outputs.vault_pr_num != '' env: # this is a different token to the one we have been using that should # allow us to add labels GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} continue-on-error: true run: | gh pr edit "${{ steps.pr.outputs.vault_pr_num }}" \ --add-label "dependencies" \ --repo hashicorp/vault