workflows: auto create PRs for license data updates

[Bo98]

• Have you followed the guidelines in our Contributing document?
• Have you checked to ensure there aren't other open Pull Requests for the same change?
• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you written new tests for your changes? Here's an example.
• Have you successfully run brew style with your changes locally?
• Have you successfully run brew tests with your changes locally?

---

Like Dependabot, but for data/spdx.json.

Currently set up to run every 12 hours, with the commit author being BrewTestBot.

[jonchang]

I think we should instead change brew update_license_data to not pull from HEAD, but only tagged releases. cc @lionellloh for thoughts.

[lionellloh]

I think we should instead change brew update_license_data to not pull from HEAD, but only tagged releases. cc @lionellloh for thoughts.

Hi Jon, I think that's a good idea. Tagged releases should be more reliable than changes made to the HEAD. The change to brew update-license-data should also be fairly simple. I also think that the team maintaining the repository releases quite often.

[dawidd6]

Maybe run it less frequently? Like once per 8 hours?

[jonchang]

With #8023 this could conceivably be as infrequent as once a day?

[dawidd6]

A couple of suggestions but otherwise ok. Nice work!

[jonchang]

Needs a brew man. Is jq available on the hosted runners by default?

[Bo98]

Yes, it is.

[dawidd6]

Let's try it. Good job @Bo98 !

[MikeMcQuaid]

This makes it the opposite of brew man which seems undesirable. Can you explain why they are better being inconsistent?

[Bo98]

Because, for the purposes of the workflow, I want to make sure I am only detecting when there is a change.

If I make it fail on change then I still can't be certain it has changed as it could have failed for other reasons like the download failing, GitHub API having issues, etc.

Making it a success exit code instead means I can be sure that it has downloaded successfully and it really has detected a change.

The use case of the exit code is different here than brew man. The idea is not to fail the workflow here but rather to check the exit code and push a branch if a change is detected. Accurracy of detection is important if you want to prevent the workflow pushing new branches to the repo without any changes.

[MikeMcQuaid]

Ok, makes sense, thanks 👍 . Given that: it might make sense to make brew man (maybe even eventually brew style --fix?) behave the same and similarly be able to auto-open PRs?

[Bo98]

Possibly. The only thing is brew man CI failures are likely caused by the PR in question (and should be fixed in the same PR), unlike outdated spdx.json data, so any new workflow would perhaps not replace the existing CI step like we did here.

There is some argument however that we should have something that sends brew man PRs for commits to Homebrew/bundle, Homebrew/services and Homebrew/test-bot.

[MikeMcQuaid]

All true. Probably worth punting on for now, I guess. Thanks!