Skip to content

Envoy/dependency

Envoy/dependency #394

name: Envoy/dependency
permissions:
contents: read
on:
schedule:
- cron: '0 8 * * *'
workflow_dispatch:
inputs:
task:
description: Select a task
required: true
default: bazel
type: choice
options:
- bazel
- bazel-api
- build-image
- check
dependency:
description: Dependency to update (if applicable)
version:
description: Version to set (optional)
pr:
type: boolean
default: true
pr-message:
description: Additional message for PR, eg to fix an issue (optional)
concurrency:
group: ${{ github.head_ref || github.run_id }}-${{ github.workflow }}
cancel-in-progress: true
env:
COMMITTER_NAME: dependency-envoy[bot]
COMMITTER_EMAIL: 148525496+dependency-envoy[bot]@users.noreply.github.com
jobs:
update-bazel:
if: >-
${{
github.event_name == 'workflow_dispatch'
&& startsWith(inputs.task, 'bazel')
}}
name: >
Update dep
(${{ inputs.pr && 'PR/' || '' }}
${{ inputs.task == 'bazel' && 'bazel' || 'bazel/api' }}
/${{ inputs.dependency }}
/${{ inputs.version }})
runs-on: ubuntu-22.04
steps:
- id: appauth
name: Appauth
uses: envoyproxy/toolshed/gh-actions/[email protected]
with:
app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }}
key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }}
- id: checkout
name: Checkout Envoy repository
uses: envoyproxy/toolshed/gh-actions/github/[email protected]
with:
token: ${{ steps.appauth.outputs.token }}
- uses: envoyproxy/toolshed/gh-actions/[email protected]
id: update
name: Update dependency (${{ inputs.dependency }})
with:
input: |
dependency: ${{ inputs.dependency }}
task: ${{ inputs.task }}
version: "${{ inputs.version }}"
input-format: yaml
filter: |
.version as $version
| .dependency as $dependency
| .task as $task
| (try ($version | validate::sha(40) | .[:7])
catch $version) as $version_short
| {}
| if $task == "bazel" then
.
| .task = "bazel"
| .target = "update"
else
.
| .task = "api/bazel"
| .target = "api-update"
end
| .task as $task
| .target as $target
| ("
echo \"Updating(\($task)): \($dependency) -> \($version_short)\"
bazel run --config=ci //bazel:\($target) \($dependency) \($version)
OUTPUT=\($version_short)
" | bash::output)
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- uses: envoyproxy/toolshed/gh-actions/upload/[email protected]
name: Upload diff
with:
name: ${{ inputs.dependency }}-${{ steps.update.outputs.output }}
- name: Create a PR
if: ${{ inputs.pr }}
uses: envoyproxy/toolshed/gh-actions/github/[email protected]
with:
base: main
body: |
Created by Envoy dependency bot for @${{ github.actor }}
${{ inputs.pr-message }}
branch: >-
dependency/${{ inputs.task }}/${{ inputs.dependency }}/${{ steps.update.outputs.output }}
commit-message: |
${{ inputs.task == 'bazel' && 'deps' || 'deps/api' }}: Bump `${{ inputs.dependency }}` -> ${{ steps.update.outputs.output }}
Signed-off-by: ${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}>
committer-name: ${{ env.COMMITTER_NAME }}
committer-email: ${{ env.COMMITTER_EMAIL }}
title: >-
${{ inputs.task == 'bazel' && 'deps' || 'deps/api' }}: Bump `${{ inputs.dependency }}`
-> ${{ steps.update.outputs.output }}
GITHUB_TOKEN: ${{ steps.appauth.outputs.token }}
update-build-image:
if: >-
${{
github.event_name == 'workflow_dispatch'
&& github.event.inputs.task == 'build-image'
}}
name: Update build image (PR)
runs-on: ubuntu-22.04
steps:
- id: appauth
name: Appauth
uses: envoyproxy/toolshed/gh-actions/[email protected]
with:
app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }}
key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }}
- uses: envoyproxy/toolshed/gh-actions/github/[email protected]
id: checkout
name: Checkout Envoy repository
with:
config: |
path: envoy
fetch-depth: 0
token: ${{ steps.appauth.outputs.token }}
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
name: Checkout Envoy build tools repository
with:
repository: envoyproxy/envoy-build-tools
path: build-tools
fetch-depth: 0
- run: |
shas=(
tag
sha
mobile-sha
gcr-sha)
for sha in "${shas[@]}"; do
current_sha=$(bazel run --config=ci //tools/dependency:build-image-sha "$sha")
echo "${sha}=${current_sha}" >> "$GITHUB_OUTPUT"
done
id: current
name: Current SHAs
working-directory: envoy
- run: |
if [[ -z "$CONTAINER_TAG" ]]; then
# get current build image version
CONTAINER_TAG=$(git log -1 --pretty=format:"%H" "./docker")
fi
echo "tag=${CONTAINER_TAG}" >> "$GITHUB_OUTPUT"
echo "tag_short=${CONTAINER_TAG::7}" >> "$GITHUB_OUTPUT"
env:
CONTAINER_TAG: ${{ inputs.version }}
id: build-tools
name: Build image SHA
working-directory: build-tools
- name: Check Docker SHAs
id: build-images
uses: envoyproxy/toolshed/gh-actions/docker/[email protected]
with:
images: |
sha: envoyproxy/envoy-build-ubuntu:${{ steps.build-tools.outputs.tag }}
mobile-sha: envoyproxy/envoy-build-ubuntu:mobile-${{ steps.build-tools.outputs.tag }}
gcr-sha: gcr.io/envoy-ci/envoy-build:${{ steps.build-tools.outputs.tag }}
- run: |
SHA_REPLACE=(
"$CURRENT_ENVOY_TAG:$ENVOY_TAG"
"$CURRENT_ENVOY_SHA:${{ fromJSON(steps.build-images.outputs.shas).sha }}"
"$CURRENT_ENVOY_MOBILE_SHA:${{ fromJSON(steps.build-images.outputs.shas).mobile-sha }}"
"$CURRENT_ENVOY_GCR_SHA:${{ fromJSON(steps.build-images.outputs.shas).gcr-sha }}")
echo "replace=${SHA_REPLACE[*]}" >> "$GITHUB_OUTPUT"
name: Find SHAs to replace
id: shas
env:
ENVOY_TAG: ${{ steps.build-tools.outputs.tag }}
CURRENT_ENVOY_TAG: ${{ steps.current.outputs.tag }}
CURRENT_ENVOY_SHA: ${{ steps.current.outputs.sha }}
CURRENT_ENVOY_MOBILE_SHA: ${{ steps.current.outputs.mobile-sha }}
CURRENT_ENVOY_GCR_SHA: ${{ steps.current.outputs.gcr-sha }}
- run: |
echo "${SHA_REPLACE}" | xargs bazel run --config=ci @envoy_toolshed//sha:replace "${PWD}"
env:
SHA_REPLACE: ${{ steps.shas.outputs.replace }}
name: Update SHAs
working-directory: envoy
- name: Create a PR
uses: envoyproxy/toolshed/gh-actions/github/[email protected]
with:
base: main
body: Created by Envoy dependency bot
branch: dependency-envoy/build-image/latest
committer-name: ${{ env.COMMITTER_NAME }}
committer-email: ${{ env.COMMITTER_EMAIL }}
commit-message: |
deps: Bump build images -> `${{ steps.build-tools.outputs.tag_short }}`
Signed-off-by: ${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}>
title: 'deps: Bump build images -> `${{ steps.build-tools.outputs.tag_short }}`'
GITHUB_TOKEN: ${{ steps.appauth.outputs.token }}
working-directory: envoy
scheduled:
runs-on: ubuntu-22.04
if: >-
${{
github.repository == 'envoyproxy/envoy'
&& (github.event.schedule
|| (!contains(github.actor, '[bot]')
&& inputs.task == 'check'))
}}
permissions:
contents: read
issues: write
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Run dependency checker
run: |
TODAY_DATE=$(date -u -I"date")
export TODAY_DATE
bazel run --config=ci //tools/dependency:check --action_env=TODAY_DATE -- -c release_issues --fix
bazel run --config=ci //tools/dependency:check --action_env=TODAY_DATE -- -c cves -w error
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}