Envoy/dependency #1509
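# Envoy/dependency: a scheduled dependency check, plus manually dispatched
# dependency and build-image bumps that open PRs as the dependency-envoy bot.
#
# Security notes:
# - The workflow token defaults to `contents: read`; only the `scheduled` job
#   adds `issues: write`.
# - Every action is pinned to a full commit SHA, with the tag kept as a comment.
# - `workflow_dispatch` inputs are free-form strings. The update jobs check
#   them against a character allowlist before they reach a shell script, a
#   YAML document or a branch name, because those jobs also hold a GitHub App
#   token.
name: Envoy/dependency

permissions:
  contents: read

on:
  schedule:
  - cron: '0 8 * * *'
  workflow_dispatch:
    inputs:
      task:
        description: Select a task
        required: true
        default: bazel
        type: choice
        options:
        - bazel
        - bazel-api
        - build-image
        - check
      dependency:
        description: Dependency to update (if applicable)
      version:
        description: Version to set (optional)
      pr:
        type: boolean
        default: true
      pr-message:
        description: Additional message for PR, eg to fix an issue (optional)

concurrency:
  group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }}
  cancel-in-progress: true

env:
  COMMITTER_NAME: dependency-envoy[bot]
  COMMITTER_EMAIL: 148525496+dependency-envoy[bot]@users.noreply.github.com

jobs:
  # Manually dispatched bump of a single Bazel (or API Bazel) dependency.
  update-bazel:
    if: >-
      ${{
          github.event_name == 'workflow_dispatch'
          && startsWith(inputs.task, 'bazel')
      }}
    name: >
      Update dep
      (${{ inputs.pr && 'PR/' || '' }}
      ${{ inputs.task == 'bazel' && 'bazel' || 'bazel/api' }}
      /${{ inputs.dependency }}
      /${{ inputs.version }})
    runs-on: ubuntu-24.04
    steps:
    # Runs before any token is minted. `dependency` and `version` are later
    # expanded into a YAML document and then into a generated bash script, so
    # anything outside this allowlist is rejected here. The inputs are read
    # from the environment, never interpolated into the script text.
    # Widen the allowlist only if a legitimate value needs another character.
    - name: Validate inputs
      run: |
        bad_dependency='[^A-Za-z0-9_.-]'
        bad_version='[^A-Za-z0-9_.+-]'
        if [[ "$DEPENDENCY" =~ $bad_dependency ]]; then
            echo "::error::Unexpected character in dependency input"
            exit 1
        fi
        if [[ "$VERSION" =~ $bad_version ]]; then
            echo "::error::Unexpected character in version input"
            exit 1
        fi
      env:
        DEPENDENCY: ${{ inputs.dependency }}
        VERSION: ${{ inputs.version }}
    - id: appauth
      name: Appauth
      uses: envoyproxy/toolshed/actions/appauth@8d5d8d4b9eeb5e4e76b92341b0b1b1f6438af231  # v0.4.5
      with:
        app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }}
        key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }}
    - id: checkout
      name: Checkout Envoy repository
      uses: envoyproxy/toolshed/actions/github/checkout@8d5d8d4b9eeb5e4e76b92341b0b1b1f6438af231  # v0.4.5
      with:
        token: ${{ steps.appauth.outputs.token }}
    # The filter builds a bash script by string interpolation and pipes it to
    # `bash::output`; `$dependency` and `$version` land in that script
    # unquoted. The "Validate inputs" step is what keeps shell metacharacters
    # out of them.
    - uses: envoyproxy/toolshed/actions/bson@8d5d8d4b9eeb5e4e76b92341b0b1b1f6438af231  # v0.4.5
      id: update
      name: Update dependency (${{ inputs.dependency }})
      with:
        input: |
          dependency: ${{ inputs.dependency }}
          task: ${{ inputs.task }}
          version: "${{ inputs.version }}"
        input-format: yaml
        filter: |
          .version as $version
          | .dependency as $dependency
          | .task as $task
          | (try ($version | validate::sha(40) | .[:7])
             catch $version) as $version_short
          | {}
          | if $task == "bazel" then
              .
              | .task = "bazel"
              | .target = "update"
            else
              .
              | .task = "api/bazel"
              | .target = "api-update"
            end
          | .task as $task
          | .target as $target
          | ("
            echo \"Updating(\($task)): \($dependency) -> \($version_short)\"
            bazel run --config=ci //bazel:\($target) \($dependency) \($version)
            OUTPUT=\($version_short)
            " | bash::output)
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - uses: envoyproxy/toolshed/actions/upload/diff@8d5d8d4b9eeb5e4e76b92341b0b1b1f6438af231  # v0.4.5
      name: Upload diff
      with:
        name: ${{ inputs.dependency }}-${{ steps.update.outputs.output }}
    # The PR is opened with the GitHub App token, not the workflow token.
    # `pr-message` is free text from the dispatcher and is not validated;
    # NOTE(review): confirm the pr action passes `body` as data, not via a shell.
    # NOTE(review): the blank line before the Signed-off-by trailer is assumed;
    # the rendered page this was recovered from drops blank lines.
    - name: Create a PR
      if: ${{ inputs.pr }}
      uses: envoyproxy/toolshed/actions/github/pr@8d5d8d4b9eeb5e4e76b92341b0b1b1f6438af231  # v0.4.5
      with:
        base: main
        body: |
          Created by Envoy dependency bot for @${{ github.actor }}
          ${{ inputs.pr-message }}
        branch: >-
          dependency/${{ inputs.task }}/${{ inputs.dependency }}/${{ steps.update.outputs.output }}
        commit-message: |
          ${{ inputs.task == 'bazel' && 'deps' || 'deps/api' }}: Bump `${{ inputs.dependency }}` -> ${{ steps.update.outputs.output }}

          Signed-off-by: ${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}>
        committer-name: ${{ env.COMMITTER_NAME }}
        committer-email: ${{ env.COMMITTER_EMAIL }}
        title: >-
          ${{ inputs.task == 'bazel' && 'deps' || 'deps/api' }}: Bump `${{ inputs.dependency }}`
          -> ${{ steps.update.outputs.output }}
        GITHUB_TOKEN: ${{ steps.appauth.outputs.token }}

  # Manually dispatched bump of the build-image tag and per-image digests.
  update-build-image:
    if: >-
      ${{
          github.event_name == 'workflow_dispatch'
          && github.event.inputs.task == 'build-image'
      }}
    name: Update build image (PR)
    runs-on: ubuntu-24.04
    steps:
    - id: appauth
      name: Appauth
      uses: envoyproxy/toolshed/actions/appauth@8d5d8d4b9eeb5e4e76b92341b0b1b1f6438af231  # v0.4.5
      with:
        app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }}
        key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }}
    - uses: envoyproxy/toolshed/actions/github/checkout@8d5d8d4b9eeb5e4e76b92341b0b1b1f6438af231  # v0.4.5
      id: checkout
      name: Checkout Envoy repository
      with:
        config: |
          path: envoy
          fetch-depth: 0
        token: ${{ steps.appauth.outputs.token }}
    # Only read locally (`git log`), so the token is not left on disk for the
    # later steps.
    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
      name: Checkout Envoy build tools repository
      with:
        repository: envoyproxy/envoy-build-tools
        path: build-tools
        fetch-depth: 0
        persist-credentials: false
    - run: |
        shas=(
            sha-ci
            sha-devtools
            sha-docker
            sha-gcc
            sha-mobile
            sha-worker
            mobile-sha
            tag)
        for sha in "${shas[@]}"; do
            current_sha=$(bazel run --config=ci //tools/dependency:build-image-sha "$sha")
            echo "${sha}=${current_sha}" >> "$GITHUB_OUTPUT"
        done
      id: current
      name: Current SHAs
      working-directory: envoy
    # `version` arrives through the environment, not through `${{ }}` in the
    # script. It becomes part of Docker image tags and of a whitespace-split
    # xargs argument list, so it is limited to the Docker tag character set.
    - run: |
        bad_tag='[^A-Za-z0-9_.-]'
        if [[ "$CONTAINER_TAG" =~ $bad_tag ]]; then
            echo "::error::Unexpected character in version input"
            exit 1
        fi
        if [[ -z "$CONTAINER_TAG" ]]; then
            # get current build image version
            CONTAINER_TAG=$(git log -1 --pretty=format:"%H" "./docker")
        fi
        echo "tag=${CONTAINER_TAG}" >> "$GITHUB_OUTPUT"
        echo "tag_short=${CONTAINER_TAG::7}" >> "$GITHUB_OUTPUT"
      env:
        CONTAINER_TAG: ${{ inputs.version }}
      id: build-tools
      name: Build image SHA
      working-directory: build-tools
    - name: Check Docker SHAs
      id: build-images
      uses: envoyproxy/toolshed/actions/docker/shas@8d5d8d4b9eeb5e4e76b92341b0b1b1f6438af231  # v0.4.5
      with:
        images: |
          sha-ci: docker.io/envoyproxy/envoy-build:ci-${{ steps.build-tools.outputs.tag }}
          sha-devtools: docker.io/envoyproxy/envoy-build:devtools-${{ steps.build-tools.outputs.tag }}
          sha-docker: docker.io/envoyproxy/envoy-build:docker-${{ steps.build-tools.outputs.tag }}
          sha-gcc: docker.io/envoyproxy/envoy-build:gcc-${{ steps.build-tools.outputs.tag }}
          sha-mobile: docker.io/envoyproxy/envoy-build:mobile-${{ steps.build-tools.outputs.tag }}
          sha-worker: docker.io/envoyproxy/envoy-build:worker-${{ steps.build-tools.outputs.tag }}
    # The new digests come from a registry lookup. They are passed in through
    # `env` so the shell sees them as data; expanding `${{ }}` inside the
    # script would paste them into the script text instead.
    - run: |
        SHA_REPLACE=(
            "$CURRENT_ENVOY_TAG:$ENVOY_TAG"
            "$CURRENT_ENVOY_SHA_CI:$NEW_ENVOY_SHA_CI"
            "$CURRENT_ENVOY_SHA_DEVTOOLS:$NEW_ENVOY_SHA_DEVTOOLS"
            "$CURRENT_ENVOY_SHA_DOCKER:$NEW_ENVOY_SHA_DOCKER"
            "$CURRENT_ENVOY_SHA_GCC:$NEW_ENVOY_SHA_GCC"
            "$CURRENT_ENVOY_SHA_MOBILE:$NEW_ENVOY_SHA_MOBILE"
            "$CURRENT_ENVOY_SHA_WORKER:$NEW_ENVOY_SHA_WORKER")
        echo "replace=${SHA_REPLACE[*]}" >> "$GITHUB_OUTPUT"
      name: Find SHAs to replace
      id: shas
      env:
        ENVOY_TAG: ${{ steps.build-tools.outputs.tag }}
        CURRENT_ENVOY_TAG: ${{ steps.current.outputs.tag }}
        CURRENT_ENVOY_SHA_CI: ${{ steps.current.outputs.sha-ci }}
        CURRENT_ENVOY_SHA_DEVTOOLS: ${{ steps.current.outputs.sha-devtools }}
        CURRENT_ENVOY_SHA_DOCKER: ${{ steps.current.outputs.sha-docker }}
        CURRENT_ENVOY_SHA_GCC: ${{ steps.current.outputs.sha-gcc }}
        CURRENT_ENVOY_SHA_MOBILE: ${{ steps.current.outputs.sha-mobile }}
        CURRENT_ENVOY_SHA_WORKER: ${{ steps.current.outputs.sha-worker }}
        NEW_ENVOY_SHA_CI: ${{ fromJSON(steps.build-images.outputs.shas).sha-ci }}
        NEW_ENVOY_SHA_DEVTOOLS: ${{ fromJSON(steps.build-images.outputs.shas).sha-devtools }}
        NEW_ENVOY_SHA_DOCKER: ${{ fromJSON(steps.build-images.outputs.shas).sha-docker }}
        NEW_ENVOY_SHA_GCC: ${{ fromJSON(steps.build-images.outputs.shas).sha-gcc }}
        NEW_ENVOY_SHA_MOBILE: ${{ fromJSON(steps.build-images.outputs.shas).sha-mobile }}
        NEW_ENVOY_SHA_WORKER: ${{ fromJSON(steps.build-images.outputs.shas).sha-worker }}
    # xargs splits SHA_REPLACE on whitespace into one `old:new` argument each.
    - run: |
        echo "${SHA_REPLACE}" | xargs bazel run --config=ci @envoy_toolshed//sha:replace "${PWD}"
      env:
        SHA_REPLACE: ${{ steps.shas.outputs.replace }}
      name: Update SHAs
      working-directory: envoy
    # NOTE(review): the blank line before the Signed-off-by trailer is assumed;
    # the rendered page this was recovered from drops blank lines.
    - name: Create a PR
      uses: envoyproxy/toolshed/actions/github/pr@8d5d8d4b9eeb5e4e76b92341b0b1b1f6438af231  # v0.4.5
      with:
        base: main
        body: Created by Envoy dependency bot
        branch: dependency-envoy/build-image/${{ inputs.version || 'latest' }}
        committer-name: ${{ env.COMMITTER_NAME }}
        committer-email: ${{ env.COMMITTER_EMAIL }}
        commit-message: |
          deps: Bump build images -> `${{ steps.build-tools.outputs.tag_short }}`

          Signed-off-by: ${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}>
        title: 'deps: Bump build images -> `${{ steps.build-tools.outputs.tag_short }}`'
        GITHUB_TOKEN: ${{ steps.appauth.outputs.token }}
        working-directory: envoy

  # Dependency check. Runs only in envoyproxy/envoy (so not in forks), either
  # on the cron schedule or when a non-bot actor dispatches the `check` task.
  scheduled:
    runs-on: ubuntu-24.04
    if: >-
      ${{
          github.repository == 'envoyproxy/envoy'
          && (github.event.schedule
              || (!contains(github.actor, '[bot]')
                  && inputs.task == 'check'))
      }}
    # The only job whose workflow token can write, and only to issues.
    permissions:
      contents: read
      issues: write
    steps:
    # The checker gets its token through `env` below, so none is persisted in
    # the checkout.
    - name: Checkout repository
      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
      with:
        persist-credentials: false
    - name: Run dependency checker
      run: |
        TODAY_DATE=$(date -u -I"date")
        export TODAY_DATE
        bazel run --config=ci //tools/dependency:check -- -c release_issues --fix
        # bazel run --config=ci //tools/dependency:check --action_env=TODAY_DATE -- -c cves -w error
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}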