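name: Plugin update

run-name: Update ${{ inputs.plugin }} to v${{ inputs.version }}

on:
  workflow_dispatch:
    inputs:
      plugin:
        description: 'Full name of the plugin, e.g., vault-plugin-auth-kubernetes'
        required: true
        type: string
      branch:
        description: 'Git branch name to use'
        required: true
        type: string
      base-branch:
        description: 'Base git branch to use'
        required: true
        type: string
      version:
        description: 'Version of the plugin with *NO* "v", e.g., 1.2.3'
        required: true
        type: string
      ent-only:
        description: Whether or not the plugin is enterprise only
        required: true
        type: boolean
      reviewer:
        description: 'Reviewer to tag on the PR'
        required: false
        type: string

# NOTE(review): the default GITHUB_TOKEN is only visibly used by the final
# labelling step (ELEVATED_GITHUB_TOKEN does everything else), so an explicit
# `permissions:` block narrowing the default grant looks safe — confirm what
# the local metadata / set-up-go actions need before adding one.

jobs:
  plugin-update:
    runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ubuntu-latest-x64"]') }}
    env:
      GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
      GOPRIVATE: github.com/hashicorp/*
      # Workflow inputs reach shell steps through the environment and are
      # expanded as quoted variables, never spliced into `run:` text with
      # ${{ }}; an input containing shell metacharacters therefore cannot
      # change the commands that run.
      VAULT_BRANCH: ${{ inputs.branch }}
      BASE_BRANCH: ${{ inputs.base-branch }}
      PLUGIN: ${{ inputs.plugin }}
      PLUGIN_VERSION: ${{ inputs.version }}
      REVIEWER: ${{ inputs.reviewer || github.actor }}
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # We don't use the default token so that checks are executed on the resulting PR
          # https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
          token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
          ref: ${{ inputs.base-branch }}

      - uses: ./.github/actions/metadata
        id: metadata

      - uses: ./.github/actions/set-up-go
        with:
          github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
          no-restore: true
          no-save: true

      - id: configure-git
        name: Configure git
        run: |
          # GITHUB_TOKEN carries ELEVATED_GITHUB_TOKEN (job env); reading it from
          # the environment keeps the secret out of the command text. Note this
          # still persists the token in the runner's global git config.
          git config --global url."https://${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/"
          git config user.name hc-github-team-secure-vault-ecosystem
          git config user.email hc-github-team-secure-vault-ecosystem@users.noreply.github.com

      # NOTE(review): `ent-only` is declared `type: boolean`; whether it is
      # compared here as a boolean or as the string 'true' depends on how the
      # runner types workflow_dispatch inputs, so the author's string
      # comparison is kept unchanged — confirm both branches are reachable.
      - if: inputs.ent-only != 'true'
        name: Update plugin
        run: |
          go get "github.com/hashicorp/${PLUGIN}@v${PLUGIN_VERSION}"
          go mod tidy

      - if: inputs.ent-only == 'true'
        name: Update Enterprise-only plugin
        run: |
          # The enterprise module is updated in a subshell so the working
          # directory is unchanged for the root-level `go mod tidy` below.
          (cd vault_ent && go get "github.com/hashicorp/${PLUGIN}@v${PLUGIN_VERSION}" && go mod tidy)
          go mod tidy

      - name: Detect changes
        run: |
          # Fail loudly when go get / go mod tidy changed nothing; presumably the
          # tag does not exist or the module was already at that version.
          count=$(git status --porcelain=v1 2>/dev/null | wc -l)
          if [ "$count" -eq 0 ]; then
            echo "::error::no updates were made for ${PLUGIN} with tag v${PLUGIN_VERSION}"
            exit 1
          fi

      - name: Commit and push
        run: |
          # The escaped `\*` stops the shell from globbing; git's own pathspec
          # matching then picks up go.mod/go.sum in every module directory.
          git add ./\*go.mod ./\*go.sum
          git commit -m "Update ${PLUGIN} to v${PLUGIN_VERSION}"
          # Force push: a re-run for the same branch name replaces whatever the
          # previous attempt pushed there (presumably the intent — the branch
          # name is a workflow input, so it must not point at a shared branch).
          git push -f origin "${BASE_BRANCH}:${VAULT_BRANCH}"

      - name: Open pull request if needed
        id: pr
        # Only open a PR if the branch is not attached to an existing one
        run: |
          PR=$(gh pr list --head "$VAULT_BRANCH" --json number -q '.[0].number')

          if [ -z "$PR" ]; then
            gh pr create \
              --head "$VAULT_BRANCH" \
              --base "$BASE_BRANCH" \
              --reviewer "$REVIEWER" \
              --assignee "$REVIEWER" \
              --title "Update ${PLUGIN} to v${PLUGIN_VERSION}" \
              --body "This PR was generated by a GitHub Action. Full log: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"

            # vault_pr_num is only set when this run created the PR; the
            # changelog and label steps below are gated on it.
            echo "vault_pr_num=$(gh pr list --head "$VAULT_BRANCH" --json number -q '.[0].number')" >> "$GITHUB_OUTPUT"
            echo "vault_pr_url=$(gh pr list --head "$VAULT_BRANCH" --json url -q '.[0].url')" >> "$GITHUB_OUTPUT"
          else
            echo "::notice::Pull request $PR already exists, won't create a new one."
          fi

      - name: Add changelog
        if: steps.pr.outputs.vault_pr_num != ''
        env:
          # Step outputs are passed the same way as inputs: via the environment,
          # not by interpolating them into the script.
          PR_NUM: ${{ steps.pr.outputs.vault_pr_num }}
          IS_ENT_BRANCH: ${{ steps.metadata.outputs.is-ent-branch }}
        run: |
          # plugin type is one of auth/secrets/database
          PLUGIN_TYPE=$(echo "$PLUGIN" | awk -F- '{print $3}')
          echo "::debug::plugin type: $PLUGIN_TYPE"

          # plugin service is the rest of the repo name
          PLUGIN_SERVICE=$(echo "$PLUGIN" | cut -d- -f 4-)
          echo "::debug::plugin service: $PLUGIN_SERVICE"

          # changelog filename is the PR number with a .txt extension
          # if the repo is vault-enterprise, the filename should start with an underscore
          CHANGELOG_FILENAME="${PR_NUM}.txt"
          if [[ "$IS_ENT_BRANCH" == 'true' ]]; then
            CHANGELOG_FILENAME="_${PR_NUM}.txt"
          fi
          echo "::debug::changelog filename: $CHANGELOG_FILENAME"

          echo "\`\`\`release-note:change
          ${PLUGIN_TYPE}/${PLUGIN_SERVICE}: Update plugin to [v${PLUGIN_VERSION}](https://github.com/hashicorp/${PLUGIN}/releases/tag/v${PLUGIN_VERSION})
          \`\`\`" > "changelog/$CHANGELOG_FILENAME"

          git add changelog/
          git commit -m "Add changelog"
          git push origin "${BASE_BRANCH}:${VAULT_BRANCH}"

      - name: Add labels to Vault PR
        if: steps.pr.outputs.vault_pr_num != ''
        env:
          # this is a different token to the one we have been using that should
          # allow us to add labels
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUM: ${{ steps.pr.outputs.vault_pr_num }}
        continue-on-error: true
        run: |
          gh pr edit "$PR_NUM" \
            --add-label "dependencies"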