Envoy/dependency #218

Workflow file for this run

.github/workflows/envoy-dependency.yml at d2646a3

	name: Envoy/dependency

	permissions:
	contents: read

	on:
	schedule:
	- cron: '0 8 * * *'
	workflow_dispatch:
	inputs:
	task:
	description: Select a task
	required: true
	default: bazel
	type: choice
	options:
	- bazel
	- bazel-api
	- build-image
	- check
	dependency:
	description: Dependency to update (if applicable)
	version:
	description: Version to set (optional)
	pr:
	type: boolean
	default: true
	pr-message:
	description: Additional message for PR, eg to fix an issue (optional)

	concurrency:
	group: ${{ github.head_ref \|\| github.run_id }}-${{ github.workflow }}
	cancel-in-progress: true

	env:
	COMMITTER_NAME: dependency-envoy[bot]
	COMMITTER_EMAIL: 148525496+dependency-envoy[bot]@users.noreply.github.com

	jobs:
	update-bazel:
	if: >-
	${{
	github.event_name == 'workflow_dispatch'
	&& startsWith(inputs.task, 'bazel')
	}}
	name: >
	Update dep
	(${{ inputs.pr && 'PR/' \|\| '' }}
	${{ inputs.task == 'bazel' && 'bazel' \|\| 'bazel/api' }}
	/${{ inputs.dependency }}
	/${{ inputs.version }})
	runs-on: ubuntu-22.04
	steps:
	- id: appauth
	name: Appauth
	uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.2.30
	with:
	app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }}
	key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }}
	- id: checkout
	name: Checkout Envoy repository
	uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.2.30
	with:
	token: ${{ steps.appauth.outputs.token }}
	- uses: envoyproxy/toolshed/gh-actions/bson@actions-v0.2.30
	id: update
	name: Update dependency (${{ inputs.dependency }})
	with:
	input: \|
	dependency: ${{ inputs.dependency }}
	task: ${{ inputs.task }}
	version: "${{ inputs.version }}"
	input-format: yaml
	filter: \|
	.version as $version
	\| .dependency as $dependency
	\| .task as $task
	\| (try ($version \| validate::sha(40) \| .[:7])
	catch $version) as $version_short
	\| {}
	\| if $task == "bazel" then
	.
	\| .task = "bazel"
	\| .target = "update"
	else
	.
	\| .task = "api/bazel"
	\| .target = "api-update"
	end
	\| .task as $task
	\| .target as $target
	\| ("
	echo \"Updating(\($task)): \($dependency) -> \($version_short)\"
	bazel run --config=ci //bazel:\($target) \($dependency) \($version)
	OUTPUT=\($version_short)
	" \| bash::output)
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- uses: envoyproxy/toolshed/gh-actions/upload/diff@actions-v0.2.30
	name: Upload diff
	with:
	name: ${{ inputs.dependency }}-${{ steps.update.outputs.output }}
	- name: Create a PR
	if: ${{ inputs.pr }}
	uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.2.30
	with:
	base: main
	body: \|
	Created by Envoy dependency bot for @${{ github.actor }}

	${{ inputs.pr-message }}
	branch: >-
	dependency/${{ inputs.task }}/${{ inputs.dependency }}/${{ steps.update.outputs.output }}
	commit-message: \|
	${{ inputs.task == 'bazel' && 'deps' \|\| 'deps/api' }}: Bump `${{ inputs.dependency }}` -> ${{ steps.update.outputs.output }}

	Signed-off-by: ${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}>
	committer-name: ${{ env.COMMITTER_NAME }}
	committer-email: ${{ env.COMMITTER_EMAIL }}
	title: >-
	${{ inputs.task == 'bazel' && 'deps' \|\| 'deps/api' }}: Bump `${{ inputs.dependency }}`
	-> ${{ steps.update.outputs.output }}
	GITHUB_TOKEN: ${{ steps.appauth.outputs.token }}

	update-build-image:
	if: >-
	${{
	github.event_name == 'workflow_dispatch'
	&& github.event.inputs.task == 'build-image'
	}}
	name: Update build image (PR)
	runs-on: ubuntu-22.04
	steps:
	- id: appauth
	name: Appauth
	uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.2.30
	with:
	app_id: ${{ secrets.ENVOY_CI_DEP_APP_ID }}
	key: ${{ secrets.ENVOY_CI_DEP_APP_KEY }}
	- uses: envoyproxy/toolshed/gh-actions/github/checkout@actions-v0.2.30
	id: checkout
	name: Checkout Envoy repository
	with:
	config: \|
	path: envoy
	fetch-depth: 0
	token: ${{ steps.appauth.outputs.token }}
	- uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
	name: Checkout Envoy build tools repository
	with:
	repository: envoyproxy/envoy-build-tools
	path: build-tools
	fetch-depth: 0
	- run: \|
	shas=(
	tag
	sha
	mobile-sha
	gcr-sha)
	for sha in "${shas[@]}"; do
	current_sha=$(bazel run --config=ci //tools/dependency:build-image-sha "$sha")
	echo "${sha}=${current_sha}" >> "$GITHUB_OUTPUT"
	done
	id: current
	name: Current SHAs
	working-directory: envoy
	- run: \|
	if [[ -z "$CONTAINER_TAG" ]]; then
	# get current build image version
	CONTAINER_TAG=$(git log -1 --pretty=format:"%H" "./docker")
	fi
	echo "tag=${CONTAINER_TAG}" >> "$GITHUB_OUTPUT"
	echo "tag_short=${CONTAINER_TAG::7}" >> "$GITHUB_OUTPUT"
	env:
	CONTAINER_TAG: ${{ inputs.version }}
	id: build-tools
	name: Build image SHA
	working-directory: build-tools

	- name: Check Docker SHAs
	id: build-images
	uses: envoyproxy/toolshed/gh-actions/docker/shas@actions-v0.2.30
	with:
	images: \|
	sha: envoyproxy/envoy-build-ubuntu:${{ steps.build-tools.outputs.tag }}
	mobile-sha: envoyproxy/envoy-build-ubuntu:mobile-${{ steps.build-tools.outputs.tag }}
	gcr-sha: gcr.io/envoy-ci/envoy-build:${{ steps.build-tools.outputs.tag }}

	- run: \|
	SHA_REPLACE=(
	"$CURRENT_ENVOY_TAG:$ENVOY_TAG"
	"$CURRENT_ENVOY_SHA:${{ fromJSON(steps.build-images.outputs.shas).sha }}"
	"$CURRENT_ENVOY_MOBILE_SHA:${{ fromJSON(steps.build-images.outputs.shas).mobile-sha }}"
	"$CURRENT_ENVOY_GCR_SHA:${{ fromJSON(steps.build-images.outputs.shas).gcr-sha }}")
	echo "replace=${SHA_REPLACE[*]}" >> "$GITHUB_OUTPUT"
	name: Find SHAs to replace
	id: shas
	env:
	ENVOY_TAG: ${{ steps.build-tools.outputs.tag }}
	CURRENT_ENVOY_TAG: ${{ steps.current.outputs.tag }}
	CURRENT_ENVOY_SHA: ${{ steps.current.outputs.sha }}
	CURRENT_ENVOY_MOBILE_SHA: ${{ steps.current.outputs.mobile-sha }}
	CURRENT_ENVOY_GCR_SHA: ${{ steps.current.outputs.gcr-sha }}
	- run: \|
	echo "${SHA_REPLACE}" \| xargs bazel run --config=ci @envoy_toolshed//sha:replace "${PWD}"
	env:
	SHA_REPLACE: ${{ steps.shas.outputs.replace }}
	name: Update SHAs
	working-directory: envoy
	- name: Create a PR
	uses: envoyproxy/toolshed/gh-actions/github/pr@actions-v0.2.30
	with:
	base: main
	body: Created by Envoy dependency bot
	branch: dependency-envoy/build-image/latest
	committer-name: ${{ env.COMMITTER_NAME }}
	committer-email: ${{ env.COMMITTER_EMAIL }}
	commit-message: \|
	deps: Bump build images -> `${{ steps.build-tools.outputs.tag_short }}`

	Signed-off-by: ${{ env.COMMITTER_NAME }} <${{ env.COMMITTER_EMAIL }}>
	title: 'deps: Bump build images -> `${{ steps.build-tools.outputs.tag_short }}`'
	GITHUB_TOKEN: ${{ steps.appauth.outputs.token }}
	working-directory: envoy

	scheduled:
	runs-on: ubuntu-22.04
	if: >-
	${{
	github.repository == 'envoyproxy/envoy'
	&& (github.event.schedule
	\|\| (!contains(github.actor, '[bot]')
	&& inputs.task == 'check'))
	}}
	permissions:
	contents: read
	issues: write
	steps:
	- name: Checkout repository
	uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
	- name: Run dependency checker
	run: \|
	TODAY_DATE=$(date -u -I"date")
	export TODAY_DATE
	bazel run --config=ci //tools/dependency:check --action_env=TODAY_DATE -- -c release_issues --fix
	bazel run --config=ci //tools/dependency:check --action_env=TODAY_DATE -- -c cves -w error
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Envoy/dependency #218

Workflow file

Envoy/dependency #218

Jobs

Run details

Workflow file for this run