Plugin update check #6
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| workflow_dispatch: | |
| inputs: | |
| repo: | |
| type: string | |
| description: the plugin repo that is updated (ex. vault-plugin-database-snowflake) | |
| required: true | |
| sha: | |
| type: string | |
| description: the hash of the plugin repo commit to use | |
| required: true | |
| plugin_branch: | |
| type: string | |
| description: the name of the plugin branch | |
| required: true | |
| jobs: | |
| plugin-update-check: | |
| runs-on: ubuntu-latest | |
| env: | |
| # In the case of a curl call, the input json will look like: | |
| # e.g., | |
| # { | |
| # "ref": "some-branch", | |
| # "inputs": { | |
| # "sha":"abcdef", | |
| # "repo":"vault-plugin-database-snowflake" | |
| # } | |
| # } | |
| COMMIT_SHA: "${{inputs.sha}}" | |
| PLUGIN_REPO: "${{inputs.repo}}" | |
| PLUGIN_BRANCH: "${{inputs.plugin_branch}}" | |
| VAULT_BRANCH: "auto-plugin-update/${{inputs.repo}}/${{inputs.sha}}" | |
| RUN_ID: "${{github.run_id}}" | |
| steps: | |
| - run: echo "would use $COMMIT_SHA of $PLUGIN_REPO" | |
| # checkout | |
| - uses: actions/checkout@v3 # should be a sha, but eh | |
| with: | |
| # We don't use the default token so that checks are executed on the resulting PR | |
| # https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow | |
| token: ${{ secrets.ELEVATED_GITHUB_TOKEN }} | |
| # activate go | |
| - uses: actions/setup-go@v4 | |
| - name: update plugin | |
| run: | | |
| go get "github.com/hashicorp/$PLUGIN_REPO@$COMMIT_SHA" | |
| go mod tidy | |
| - name: detect changes | |
| id: changes | |
| run: | | |
| echo "count=$(git status --porcelain=v1 2>/dev/null | wc -l)" >> "$GITHUB_OUTPUT" | |
| - name: commit/push | |
| if: steps.changes.outputs.count > 0 | |
| run: | | |
| git config user.name hc-github-team-secure-vault-ecosystem | |
| git config user.email [email protected] | |
| git add . | |
| git commit -m "Automated dependency upgrades" | |
| git push -f origin ${{ github.ref_name }}:"$VAULT_BRANCH" | |
| - name: Open pull request if needed | |
| if: steps.changes.outputs.count > 0 | |
| env: | |
| GITHUB_TOKEN: ${{secrets.ELEVATED_GITHUB_TOKEN}} | |
| # Only open a PR if the branch is not attached to an existing one | |
| run: | | |
| PR=$(gh pr list --head "$VAULT_BRANCH" --json number -q '.[0].number') | |
| if [ -z "$PR" ]; then | |
| # call the script to create the plugin update PR on Vault | |
| ./.github/scripts/plugin-helper-gh-pr-create.sh | |
| else | |
| echo "Pull request already exists, won't create a new one." | |
| exit 1 | |
| fi |