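---
# Keeps `.terraform.lock.hcl` files in step with `infra/shared/versions.tf`.
#
# Behaviour:
#   * Dependabot PRs: regenerate the lock files, commit ONLY those files back
#     to the PR branch, and fail if anything else changed.
#   * All other PRs: fail (and leave a PR comment) when the lock files would
#     change, so the author regenerates them locally and commits the result.
#
# Security notes for reviewers:
#   * The trigger is `pull_request`, so runs for PRs from forks receive a
#     read-only GITHUB_TOKEN regardless of the `permissions` block below; the
#     write scopes only take effect for branches in this repository.
#   * The job executes `infra/scripts/upgrade_tf_version.sh` from the PR
#     head, and that script is itself one of the trigger paths. Anyone who can
#     open a same-repo PR can therefore run code of their choosing with the
#     job's token. That is no more than their existing push access grants,
#     but it is why the write scopes are kept to the minimum needed to push
#     one commit and manage PR comments.
#   * Every GitHub-provided value that reaches a shell is passed through
#     `env:` instead of being interpolated with `${{ }}` inside `run:`, so a
#     crafted branch name or similar cannot break out of the script.
name: Update Provider Lock Files

on:
  pull_request:
    paths:
      - "infra/shared/versions.tf"
      - "infra/scripts/upgrade_tf_version.sh"
      - ".github/workflows/update-provider-locks.yml"

jobs:
  update-locks:
    runs-on: ubuntu-24.04
    # `contents: write` is needed to push the lock-file commit to the
    # Dependabot branch; `pull-requests: write` to add/delete PR comments.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Check out the PR branch itself (not the synthetic merge ref) so
          # the lock-file commit lands on the branch that is pushed below.
          # NOTE(review): `ref:` is resolved against this repository, so a PR
          # from a fork whose branch name does not exist here will fail at
          # this step instead of running the checks - confirm that is intended.
          # `persist-credentials` is left at its default (true) because the
          # push step relies on the GITHUB_TOKEN this action stores in .git.
          ref: ${{ github.head_ref }}

      - name: Install `tfupdate` with mise
        uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
        with:
          # The tfupdate version is whatever mise resolves from the repo's
          # mise config (not visible in this file); pin it there so this run
          # is reproducible rather than "latest".
          install_args: tfupdate

      - name: Run lock update script
        # Runs the script from the PR head - see the security notes above.
        run: |
          ./infra/scripts/upgrade_tf_version.sh --lock-only

      - name: Check for changed files
        id: git-check
        run: |
          # Report whether the script touched anything, staged or unstaged.
          if git diff --quiet && git diff --cached --quiet; then
            echo "changed=false" >> "${GITHUB_OUTPUT}"
            echo "No changes detected"
          else
            echo "changed=true" >> "${GITHUB_OUTPUT}"
            echo "Changes detected:"
            git diff --name-only
          fi

      - name: Handle Dependabot PR - commit lock files
        # `github.actor` is whoever triggered this run, so a human pushing to
        # a Dependabot branch takes the non-Dependabot path further down.
        if: steps.git-check.outputs.changed == 'true' && github.actor == 'dependabot[bot]'
        env:
          # Branch name goes through env, never `${{ }}` inside the script:
          # head_ref is attacker-influenced text.
          PUSH_REF: ${{ github.head_ref }}
        run: |
          git config --local user.email "action@github.com"
          git config --local user.name "GitHub Action"
          # Stage only lock files. Anything else the script produced stays
          # unstaged and makes the next step fail instead of being committed.
          git add -- '**/.terraform.lock.hcl'
          if git diff --cached --quiet; then
            echo "No .terraform.lock.hcl files to commit"
          else
            git commit -m "Update provider lock files"
            # Pushes with the default GITHUB_TOKEN persisted by actions/checkout
            # (no PAT is configured anywhere in this workflow). Commits pushed
            # with that token do not trigger further workflow runs, which is
            # why the success comment below asks the reviewer to amend and
            # re-push.
            git push origin HEAD:"${PUSH_REF}"
          fi

      - name: Check for uncommitted changes (Dependabot PR)
        if: github.actor == 'dependabot[bot]'
        run: |
          # Anything left over after the lock-file commit was produced by the
          # script but is not a lock file; refuse to silently drop or commit it.
          if ! git diff --quiet || ! git diff --cached --quiet; then
            echo "Error: There are still uncommitted changes after processing lock files:"
            git status --porcelain
            echo ""
            echo "Changed files:"
            git diff --name-only
            if git diff --cached --quiet; then
              echo "No staged changes"
            else
              echo "Staged changes:"
              git diff --cached --name-only
            fi
            echo ""
            echo "This suggests there are changes beyond just .terraform.lock.hcl files that need attention."
            exit 1
          else
            echo "All changes have been properly handled"
          fi

      - name: Check for missing lock updates (Non-Dependabot PR)
        if: steps.git-check.outputs.changed == 'true' && github.actor != 'dependabot[bot]'
        env:
          # Trailing marker lets later runs find and delete this comment.
          COMMENT_MARKER: "<!-- provider-locks: missing updates -->"
          GH_TOKEN: ${{ github.token }}
          # PR identifiers via env (see security notes at the top of the file).
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          echo "Error: Provider lock files are out of date!"
          echo ""
          echo "You have modified infra/shared/versions.tf but the corresponding .terraform.lock.hcl files"
          echo "have not been updated. Please run the following command locally and commit the changes:"
          echo ""
          echo "  ./infra/scripts/upgrade_tf_version.sh --lock-only"
          echo ""
          echo "Changed files detected:"
          git status --porcelain
          echo ""
          git diff --name-only
          # Build the PR comment. Backticks are escaped because the heredoc
          # is unquoted so that ${COMMENT_MARKER} expands.
          cat <<EOF > "${RUNNER_TEMP}/pr-comment.md"
          > [!CAUTION]
          > **Provider lock files are out of date!**
          >
          > You have modified \`infra/shared/versions.tf\` but the corresponding \`.terraform.lock.hcl\` files
          > have not been updated. Please run the following command locally and commit the changes:
          >
          > \`\`\`bash
          > ./infra/scripts/upgrade_tf_version.sh --lock-only
          > \`\`\`
          ${COMMENT_MARKER}
          EOF
          # Replace any earlier comment from this workflow rather than stacking
          # duplicates. Only comments authored by github-actions[bot] AND ending
          # with our marker are touched.
          # shellcheck disable=SC2016 # $ENV is a jq builtin, not a shell variable
          old_comment_ids=$(gh api "repos/{owner}/{repo}/issues/${PR_NUMBER}/comments" --jq 'map(select((.user.login == "github-actions[bot]") and (.body | endswith($ENV.COMMENT_MARKER + "\n")))) | .[].id')
          for comment_id in $old_comment_ids; do
            gh api -X DELETE "repos/{owner}/{repo}/issues/comments/${comment_id}"
          done
          gh pr comment "${PR_URL}" --body-file "${RUNNER_TEMP}/pr-comment.md"
          exit 1

      - name: Comment on Dependabot PR success
        if: steps.git-check.outputs.changed == 'true' && github.actor == 'dependabot[bot]'
        env:
          COMMENT_MARKER: "<!-- provider-locks: dependabot updated -->"
          GH_TOKEN: ${{ github.token }}
          # Branch name and PR identifiers via env, never interpolated into
          # the script (see security notes at the top of the file).
          HEAD_REF: ${{ github.head_ref }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          # Build the PR comment; the heredoc is unquoted so ${HEAD_REF} and
          # ${COMMENT_MARKER} expand, hence the escaped backticks.
          cat <<EOF > "${RUNNER_TEMP}/pr-comment.md"
          > [!NOTE]
          > **Provider lock files have been automatically updated**
          >
          > This Dependabot PR modified \`infra/shared/versions.tf\`, so the corresponding
          > \`.terraform.lock.hcl\` files have been automatically updated and committed.
          >
          > The changes are ready for review and merge.
          > [!IMPORTANT]
          > The actions have not been run on this PR since the lock files were updated, because GHA won't run \`push\` actions when the commit has been made by a bot.
          > To get the CI checks to run, you will need to amend the PR:
          > 1. Check out the PR branch locally: \`git checkout ${HEAD_REF}\`
          > 2. Pull the latest changes: \`git pull\`
          > 3. Make a no-op amendment: \`git commit --amend --no-edit\`
          > 4. Push the amended commit: \`git push --force-with-lease\`
          >
          > This will trigger the CI checks to run with the updated lock files.
          > [!WARNING]
          > If dependabot has attempted to modify the PR (i.e. if there are new dependency updates available), comment \`@dependabot recreate\` and it'll recreate the PR from scratch (allowing the lock files to be updated correctly).
          ${COMMENT_MARKER}
          EOF
          # Replace any earlier comment from this workflow (same matching rule
          # as the non-Dependabot step).
          # shellcheck disable=SC2016 # $ENV is a jq builtin, not a shell variable
          old_comment_ids=$(gh api "repos/{owner}/{repo}/issues/${PR_NUMBER}/comments" --jq 'map(select((.user.login == "github-actions[bot]") and (.body | endswith($ENV.COMMENT_MARKER + "\n")))) | .[].id')
          for comment_id in $old_comment_ids; do
            gh api -X DELETE "repos/{owner}/{repo}/issues/comments/${comment_id}"
          done
          gh pr comment "${PR_URL}" --body-file "${RUNNER_TEMP}/pr-comment.md"

      - name: Remove stale comments when no changes needed
        if: steps.git-check.outputs.changed == 'false'
        env:
          COMMENT_MARKER_MISSING: "<!-- provider-locks: missing updates -->"
          COMMENT_MARKER_DEPENDABOT: "<!-- provider-locks: dependabot updated -->"
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # The lock files are current, so any comment this workflow left on
          # an earlier run is now misleading and is removed.
          # shellcheck disable=SC2016 # $ENV is a jq builtin, not a shell variable
          old_comment_ids=$(gh api "repos/{owner}/{repo}/issues/${PR_NUMBER}/comments" --jq 'map(select((.user.login == "github-actions[bot]") and ((.body | endswith($ENV.COMMENT_MARKER_MISSING + "\n")) or (.body | endswith($ENV.COMMENT_MARKER_DEPENDABOT + "\n"))))) | .[].id')
          for comment_id in $old_comment_ids; do
            echo "Removing stale comment: $comment_id"
            gh api -X DELETE "repos/{owner}/{repo}/issues/comments/${comment_id}"
          done
          echo "No provider lock updates needed - removed any stale comments"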