* actions: use self-hosted runners in hashicorp/vault While it is recommended that we use self-hosted runners for every workflow in private and internal accounts, this change was primarily motivated by different runner types using different cache paths. By using the same runner type everywhere we can avoid double caches of the internal Vault tools. * disable the terraform wrapper in ci-bootstrap to handle updated action Signed-off-by: Ryan Cragun <me@ryan.ec> Co-authored-by: Ryan Cragun <me@ryan.ec>
# Manually dispatched workflow that bumps one HashiCorp Vault plugin module to
# a requested version, commits the go.mod/go.sum changes, pushes them to the
# given branch and opens (or reuses) a pull request with a changelog entry and
# a "dependencies" label. Every input comes from the user dispatching the run.
name: Plugin update
run-name: Update ${{ inputs.plugin }} to v${{ inputs.version }}

on:
  workflow_dispatch:
    inputs:
      plugin:
        description: 'Full name of the plugin, e.g., vault-plugin-auth-kubernetes'
        required: true
        type: string
      branch:
        description: 'Git branch name to use'
        required: true
        type: string
      base-branch:
        description: 'Base git branch to use'
        required: true
        type: string
      version:
        description: 'Version of the plugin with *NO* "v", e.g., 1.2.3'
        required: true
        type: string
      ent-only:
        description: Whether or not the plugin is enterprise only
        required: true
        type: boolean
      reviewer:
        description: 'Reviewer to tag on the PR'
        required: false
        type: string

jobs:
  plugin-update:
    # The public hashicorp/vault repository runs on a GitHub-hosted runner;
    # any other repository this workflow lives in uses the self-hosted pool.
    # NOTE(review): the checkout token (persisted in .git/config by default)
    # and the global insteadOf rewrite below both leave the elevated token on
    # the runner; on a self-hosted runner that is not ephemeral they outlive
    # this job — confirm the pool is ephemeral or add a cleanup step.
    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
    env:
      # The elevated token backs both gh and git in the steps below; the
      # checkout step explains why the default token is not used.
      GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
      GOPRIVATE: github.com/hashicorp/*
      # Branch the updated go.mod/go.sum are pushed to.
      VAULT_BRANCH: ${{ inputs.branch }}
      # Falls back to whoever dispatched the workflow when no reviewer is given.
      REVIEWER: ${{ inputs.reviewer || github.actor }}
    steps:
      # Pinned to a commit SHA rather than a mutable tag.
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # We don't use the default token so that checks are executed on the resulting PR
          # https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
          token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
          ref: ${{ inputs.base-branch }}

      # Provides steps.metadata.outputs.is-ent-branch, used when naming the
      # changelog file further down.
      - uses: ./.github/actions/metadata
        id: metadata

      - uses: ./.github/actions/set-up-go
        with:
          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
          # Neither restore nor save the shared Go cache for this job.
          no-restore: true
          no-save: true

      - id: configure-git
        name: Configure git
        # NOTE(review): the first line expands the secret straight into the
        # script and writes it into ~/.gitconfig (global scope) so that git —
        # and therefore `go get` for the GOPRIVATE modules — authenticates to
        # github.com. Passing the token through `env:` and using --local (or
        # unsetting the rewrite at the end of the job) would keep it out of
        # the persistent runner home; log masking alone does not cover the
        # file on disk.
        run: |
          git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}@github.com/".insteadOf "https://github.com/"
          git config user.name hc-github-team-secure-vault-ecosystem
          git config user.email hc-github-team-secure-vault-ecosystem@users.noreply.github.com

      # NOTE(review): ent-only is declared `type: boolean`, so `inputs.ent-only`
      # is a boolean in the expression context and the comparison with the
      # string 'true' relies on GitHub's loose type coercion. Writing the two
      # guards as `if: ${{ !inputs.ent-only }}` / `if: ${{ inputs.ent-only }}`
      # avoids the coercion — confirm which branch actually fires today.
      # NOTE(review): inputs.plugin / inputs.version are expanded by the
      # expression engine directly into the shell scripts of this and later
      # steps. Dispatch inputs need write access, so exposure is bounded, but
      # routing them through `env:` and referencing "$PLUGIN"/"$VERSION"
      # removes the script-injection surface entirely.
      - if: inputs.ent-only != 'true'
        name: Update plugin
        run: |
          go get "github.com/hashicorp/${{ inputs.plugin }}@v${{ inputs.version }}"
          go mod tidy

      - if: inputs.ent-only == 'true'
        name: Update Enterprise-only plugin
        # The module is fetched inside vault_ent, then the root module is
        # tidied as well.
        run: |
          (cd vault_ent && go get "github.com/hashicorp/${{ inputs.plugin }}@v${{ inputs.version }}" && go mod tidy)
          go mod tidy

      - name: Detect changes
        # Fail the job when the working tree is unchanged after `go get`, so
        # an empty commit is never pushed.
        run: |
          count=$(git status --porcelain=v1 2>/dev/null | wc -l)
          if [ "$count" -eq 0 ]; then
            echo "::error::no updates were made for ${{ inputs.plugin }} with tag v${{ inputs.version }}"
            exit 1
          fi

      - name: Commit and push
        # The backslash keeps the shell from expanding `*`; git's own pathspec
        # globbing (which, unlike the shell, matches across directories) then
        # picks up every go.mod / go.sum in the checkout.
        # The push is forced: whatever is already on $VAULT_BRANCH is replaced.
        run: |
          git add ./\*go.mod ./\*go.sum
          git commit -m "Update ${{ inputs.plugin }} to v${{ inputs.version }}"
          git push -f origin ${{ inputs.base-branch }}:"$VAULT_BRANCH"

      - name: Open pull request if needed
        id: pr
        # Only open a PR if the branch is not attached to an existing one
        # vault_pr_num / vault_pr_url are only set when a PR is created here;
        # the later steps are gated on vault_pr_num being non-empty.
        # NOTE(review): `gh pr create` is given no `--base`, so the PR
        # presumably targets the repository default branch even when
        # inputs.base-branch is something else — confirm, and add
        # `--base "${{ inputs.base-branch }}"` if release branches are in scope.
        run: |
          PR=$(gh pr list --head "$VAULT_BRANCH" --json number -q '.[0].number')

          if [ -z "$PR" ]; then
            gh pr create \
              --head "$VAULT_BRANCH" \
              --reviewer "$REVIEWER" \
              --assignee "$REVIEWER" \
              --title "Update ${{ inputs.plugin }} to v${{ inputs.version }}" \
              --body "This PR was generated by a GitHub Action. Full log: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"

            echo "vault_pr_num=$(gh pr list --head "$VAULT_BRANCH" --json number -q '.[0].number')" >> "$GITHUB_OUTPUT"
            echo "vault_pr_url=$(gh pr list --head "$VAULT_BRANCH" --json url -q '.[0].url')" >> "$GITHUB_OUTPUT"
          else
            echo "::notice::Pull request $PR already exists, won't create a new one."
          fi

      - name: Add changelog
        if: steps.pr.outputs.vault_pr_num != ''
        # Splits the repo name vault-plugin-<type>-<service> into its parts,
        # writes a release-note fragment named after the new PR number and
        # pushes it (non-forced this time) onto the same branch.
        run: |
          PLUGIN="${{ inputs.plugin }}"

          # plugin type is one of auth/secrets/database
          PLUGIN_TYPE=$(echo "$PLUGIN" | awk -F- '{print $3}')
          echo "::debug::plugin type: $PLUGIN_TYPE"

          # plugin service is the rest of the repo name
          PLUGIN_SERVICE=$(echo "$PLUGIN" | cut -d- -f 4-)
          echo "::debug::plugin service: $PLUGIN_SERVICE"

          # changelog filename is the PR number with a .txt extension
          # if the repo is vault-enterprise, the filename should start with an underscore
          CHANGELOG_FILENAME="${{ steps.pr.outputs.vault_pr_num }}.txt"
          if [[ '${{ steps.metadata.outputs.is-ent-branch }}' == 'true' ]]; then
            CHANGELOG_FILENAME="_${{ steps.pr.outputs.vault_pr_num }}.txt"
          fi
          echo "::debug::changelog filename: $CHANGELOG_FILENAME"

          echo "\`\`\`release-note:change
          ${PLUGIN_TYPE}/${PLUGIN_SERVICE}: Update plugin to [v${{ inputs.version }}](https://github.com/hashicorp/${{ inputs.plugin }}/releases/tag/v${{ inputs.version }})
          \`\`\`" > "changelog/$CHANGELOG_FILENAME"

          git add changelog/
          git commit -m "Add changelog"
          git push origin ${{ inputs.base-branch }}:"$VAULT_BRANCH"

      - name: Add labels to Vault PR
        if: steps.pr.outputs.vault_pr_num != ''
        env:
          # this is a different token to the one we have been using that should
          # allow us to add labels
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
        # Labelling is best-effort: a failure here must not fail the update.
        continue-on-error: true
        run: |
          gh pr edit "${{ steps.pr.outputs.vault_pr_num }}" \
            --add-label "dependencies"