internal/task: migrate x509 UpdateBundle to GenerateAutoSubmitChange API

The GenerateAutoSubmitChange API is hopefully slightly simpler, but
mostly I'm using this small task as a convenient way to test out both
the real Cloud Build implementation and the fake at a more fine-grained
level than the TestRelease/major test.

As an upside, there are now tests for this task, and the new API won't
create empty CLs just to abandon them when there's nothing to update.
No more of these:

https://go-review.googlesource.com/q/repo:crypto+author:[email protected]+%22x509roots/fallback:+update+bundle%22+is:abandoned

For golang/go#69095.
For golang/go#57792.

Change-Id: I17e78ff0f26b0d5417e65b24a97e10cf7fb74349
Reviewed-on: https://go-review.googlesource.com/c/build/+/651737
Auto-Submit: Dmitri Shuralyov <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>

internal/task/x509bundle.go

@@ -41,8 +41,8 @@ func (x *BundleNSSRootsTask) NewDefinition() *wf.Definition {
 
 const clTitle = "x509roots/fallback: update bundle"
 
-func (x *BundleNSSRootsTask) UpdateBundle(ctx *wf.TaskContext, reviewers []string) (string, error) {
-	query := fmt.Sprintf(`message:%q status:open owner:[email protected] repo:crypto -age:14d`, clTitle)
+func (x *BundleNSSRootsTask) UpdateBundle(ctx *wf.TaskContext, reviewers []string) (result string, _ error) {
+	query := fmt.Sprintf(`subject:%q status:open owner:[email protected] repo:crypto -age:14d`, clTitle)
 	changes, err := x.Gerrit.QueryChanges(ctx, query)
 	if err != nil {
 		return "", err
@@ -51,26 +51,22 @@ func (x *BundleNSSRootsTask) UpdateBundle(ctx *wf.TaskContext, reviewers []strin
 		return "skipped, existing pending bundle update CL", nil
 	}
 
-	build, err := x.CloudBuild.RunScript(ctx, "cd x509roots && go generate", "crypto", []string{"x509roots/fallback/bundle.go"})
-	if err != nil {
-		return "", err
-	}
-	files, err := buildToOutputs(ctx, x.CloudBuild, build)
-	if err != nil {
-		return "", err
-	}
-	changeInput := gerrit.ChangeInput{
+	changeID, err := x.CloudBuild.GenerateAutoSubmitChange(ctx, gerrit.ChangeInput{
 		Project: "crypto",
-		Subject: fmt.Sprintf("%s\n\nThis is an automated CL which updates the NSS root bundle.", clTitle),
 		Branch:  "master",
-	}
+		Subject: fmt.Sprintf(`%s
+
+This is an automated CL which updates the NSS root bundle.
 
-	changeID, err := x.Gerrit.CreateAutoSubmitChange(ctx, changeInput, reviewers, files)
+[git-generate]
+go generate ./x509roots
+`, clTitle),
+	}, reviewers)
 	if err != nil {
 		return "", err
 	}
 	if changeID == "" {
-		return "no diff", nil
+		return "created no change, regenerating produced no diff", nil
 	}
-	return changeID, nil
+	return fmt.Sprintf("created a change at %s", ChangeLink(changeID)), nil
 }

internal/task/x509bundle_test.go

@@ -0,0 +1,102 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package task_test
+
+import (
+	"context"
+	"flag"
+	"runtime"
+	"testing"
+
+	cloudbuild "cloud.google.com/go/cloudbuild/apiv1/v2"
+	"golang.org/x/build/gerrit"
+	"golang.org/x/build/internal/task"
+	wf "golang.org/x/build/internal/workflow"
+)
+
+func TestUpdateX509Bundle(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("doesn't work on Windows until a fix for https://github.com/rsc/rf/issues/30 lands")
+	}
+	if testing.Short() {
+		t.Skip("not running test that uses internet in short mode")
+	}
+	t.Run("new content", func(t *testing.T) { testUpdateX509Bundle(t, true) })
+	t.Run("old content", func(t *testing.T) { testUpdateX509Bundle(t, false) })
+}
+
+func testUpdateX509Bundle(t *testing.T, newContent bool) {
+	var command string
+	if newContent {
+		command = "cp gen.go new.txt"
+	} else {
+		command = "echo no-op change"
+	}
+	crypto := task.NewFakeRepo(t, "crypto")
+	crypto.Commit(map[string]string{
+		"go.mod": "module golang.org/x/crypto\n",
+		"x509roots/gen.go": `//go:build generate
+//go:generate ` + command + `
+package p`,
+	})
+
+	fakeGerrit := task.NewFakeGerrit(t, crypto)
+	tasks := task.BundleNSSRootsTask{
+		Gerrit:     fakeGerrit,
+		CloudBuild: task.NewFakeCloudBuild(t, fakeGerrit, "", nil),
+	}
+	ctx := &wf.TaskContext{
+		Context: context.Background(),
+		Logger:  &testLogger{t, ""},
+	}
+	got, err := tasks.UpdateBundle(ctx, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	var want string
+	if newContent {
+		want = "created a change at https://go.dev/cl/1"
+	} else {
+		want = "created no change, regenerating produced no diff"
+	}
+	if got != want {
+		t.Errorf("UpdateBundle result is unexpected: got %q, want %q", got, want)
+	}
+}
+
+var flagUpdateX509BundleProject = flag.String("update-x509-bundle-project", "", "GCP project for Cloud Build for TestUpdateX509BundleLive")
+
+func TestUpdateX509BundleLive(t *testing.T) {
+	if !testing.Verbose() || flag.Lookup("test.run").Value.String() != "^TestUpdateX509BundleLive$" {
+		t.Skip("not running a live test requiring manual verification if not explicitly requested with go test -v -run=^TestUpdateX509BundleLive$")
+	}
+	if *flagUpdateX509BundleProject == "" {
+		t.Fatalf("-update-x509-bundle-project flag must be set to a non-empty GCP project")
+	}
+
+	cbClient, err := cloudbuild.NewClient(context.Background())
+	if err != nil {
+		t.Fatalf("could not connect to Cloud Build: %v", err)
+	}
+	tasks := task.BundleNSSRootsTask{
+		Gerrit: &task.RealGerritClient{
+			Gitiles: "https://go.googlesource.com",
+			Client:  gerrit.NewClient("https://go-review.googlesource.com", gerrit.NoAuth),
+		},
+		CloudBuild: &task.RealCloudBuildClient{
+			BuildClient:   cbClient,
+			ScriptProject: *flagUpdateX509BundleProject,
+		},
+	}
+	ctx := &wf.TaskContext{
+		Context: context.Background(),
+		Logger:  &testLogger{t, ""},
+	}
+	result, err := tasks.UpdateBundle(ctx, nil)
+	if err != nil {
+		t.Fatal("UpdateBundle:", err)
+	}
+	t.Logf("successfully %s", result)
+}