-
Notifications
You must be signed in to change notification settings - Fork 241
CI: Check for dependency updates automatically #2777
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,180 @@ | ||
| name: Bump dependencies | ||
|
|
||
| on: | ||
| # For PR creation: | ||
| workflow_dispatch: | ||
| schedule: | ||
| - cron: '13 8 * * 6' # once a week on Saturdays at 08:13 | ||
|
|
||
| # For branch deletion: | ||
| # We have to use pull_request_target because pull_request does not trigger on closed PRs with merge conflicts: | ||
| # https://github.com/orgs/community/discussions/26304 | ||
| # WARNING: pull_request_target is dangerous as the run can be influenced by the PR origin. | ||
| pull_request_target: | ||
| types: | ||
| - closed | ||
|
|
||
| # For rebasing: | ||
| push: | ||
| branches: [master] | ||
|
|
||
| permissions: | ||
| pull-requests: write | ||
| # The main repository writes are done using a deploy key as we can't grant | ||
| # workflows: permission here, which is required when pushing to .github/workflows. | ||
| # We need basic access for branch deletion anyway: | ||
| contents: write | ||
|
|
||
| jobs: | ||
| create-prs: | ||
| name: Update ${{ matrix.components.name }} if necessary | ||
| if: >- | ||
| github.repository_owner == 'jamulussoftware' && | ||
| github.event_name != 'pull_request_target' | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| components: | ||
| - name: aqt | ||
| # not Changelog-worthy | ||
| get_upstream_version: GH_REPO=miurahr/aqtinstall gh release view --json tagName --jq .tagName | sed -re 's/^v//' | ||
| # The following regexps capture both the *nix and the Windows variable syntax (different case, underscore): | ||
| local_version_regex: (.*AQTINSTALL_?VERSION\s*=\s*"?)([0-9.]*)("?.*) | ||
|
|
||
| - name: Qt6 | ||
| changelog_name: bundled Qt6 | ||
| get_upstream_version: | | ||
| latest_minor="$(curl -s https://download.qt.io/official_releases/qt/ | grep -oP 'href="\K[0-9.]+(?=/")' | sort --reverse --version-sort | head -n1)"; | ||
| curl -s https://download.qt.io/official_releases/qt/"${latest_minor}"/ | grep -oP 'href="\K[0-9.]+(?=/")' | sort --reverse --version-sort | head -n1 | ||
| # The following regex captures both the *nix and the Windows variable syntax (different case, underscore): | ||
| local_version_regex: (.*QT[0-9_]+VERSION\s*=\s*"?)(6\.[0-9.]+)("?.*) | ||
|
|
||
| - name: choco-jack | ||
| changelog_name: bundled JACK (Windows-only) | ||
| get_upstream_version: | | ||
| curl -s -o /dev/null --location --range 0-5 --write-out '%{url_effective}' https://community.chocolatey.org/api/v2/package/jack/ | | ||
| grep -oP '.*/jack\.\K.*(?=\.nupkg)' | ||
| local_version_regex: (.*JackVersion\s*=\s*"?)([0-9.]+)("?.*) | ||
|
|
||
| - name: choco-jom | ||
| # not Changelog-worthy | ||
| get_upstream_version: | | ||
| curl -s -o /dev/null --location --range 0-5 --write-out '%{url_effective}' https://community.chocolatey.org/api/v2/package/jom/ | | ||
| grep -oP 'jom\.\K.*(?=\.nupkg)' | ||
| local_version_regex: (.*JomVersion\s*=\s*"?)([0-9.]+)("?.*) | ||
|
|
||
| - name: NSIS | ||
| changelog_name: Windows Installer base (NSIS) | ||
| get_upstream_version: | | ||
| curl -s -o /dev/null --location --range 0-5 --write-out '%{url_effective}' https://sourceforge.net/projects/nsis/files/latest/download | | ||
| grep -oP '.*/nsis-\K[0-9.]+(?=-setup\.)' | ||
| # This pattern is a bit special as it has to match twice in a single line. | ||
| # Therefore, we have to be very careful to avoid consuming too much pattern space. | ||
| # This is why a positive lookahead is used instead of direct matching: | ||
| local_version_regex: (.*"nsis-|.*\/NSIS.20.\/|\/nsis-)([0-9.]+)(".*|(?=\/nsis-)|\.zip.*) | ||
|
|
||
| - name: ASIO-SDK | ||
| changelog_name: ASIO SDK (Windows-only) | ||
| get_upstream_version: | | ||
| curl -s -o /dev/null --location --range 0-5 --write-out '%{url_effective}' https://www.steinberg.net/asiosdk | | ||
| grep -oP '.*asiosdk_\K.*(?=\.zip)' | ||
| local_version_regex: (.*["\/]asiosdk_)([^"]+?)(".*|\.zip.*) | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| with: | ||
| ssh-key: ${{ secrets.BUMP_DEPENDENCIES_SSH_DEPLOY_KEY || 'fail-due-to-missing-ssh-key-as-secret' }} | ||
|
ann0see marked this conversation as resolved.
|
||
| fetch-depth: '0' # we create/compare new branches and therefore require full history | ||
| - env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| set -eu | ||
| files=( .github/{autobuild,workflows}/* windows/*.ps1 ) | ||
| upstream_version="$(${{ matrix.components.get_upstream_version }})" | ||
| local_version="$(perl -nle 'print "$2" if /${{ matrix.components.local_version_regex }}/i' "${files[@]}" | sort --reverse --version-sort | head -n1)" | ||
| if [[ -z "$upstream_version" ]]; then | ||
| echo "failed to extract upstream version" | ||
| exit 1 | ||
| fi | ||
| if [[ -z "$local_version" ]]; then | ||
| echo "failed to extract local version" | ||
| exit 1 | ||
| fi | ||
| if [[ "$upstream_version" == "$local_version" ]]; then | ||
| echo "upstream ${{ matrix.components.name }} (${upstream_version}) matches local ${{ matrix.components.name }} (${local_version})" | ||
| exit 0 | ||
| fi | ||
| echo "upstream ${{ matrix.components.name }} (${upstream_version}) is different than local ${{ matrix.components.name }} (${local_version}), creating PR" | ||
| git config --global user.email "actions@github.com" | ||
| git config --global user.name "github-actions[bot]" | ||
| pr_branch=ci/bump-dependencies/${{ matrix.components.name }} | ||
| git checkout -b "${pr_branch}" | ||
| # sed does not support replacements with overlapping or lookahead patterns as is the case with NSIS. | ||
| # Therefore, use perl instead: | ||
| perl -pe 's/${{ matrix.components.local_version_regex }}/${1}'"${upstream_version}"'${3}/gi' -i "${files[@]}" | ||
| git add . | ||
| title="Build: Update ${{ matrix.components.name }} to ${upstream_version}" | ||
|
ann0see marked this conversation as resolved.
|
||
| pr_title="${title} (Automated PR)" | ||
| existing_pr="$(gh pr list --head "${pr_branch}" --json number --jq '.[].number')" | ||
| git commit -m "${title}" | ||
| if [[ "${existing_pr}" ]]; then | ||
| git fetch origin "${pr_branch}" | ||
| diff_size="$(git diff "remotes/origin/${pr_branch}" HEAD)" | ||
| if [[ -z "${diff_size}" ]]; then | ||
| echo "found existing branch, diff is empty, nothing to do" | ||
| exit 0 | ||
| fi | ||
| fi | ||
| git push origin "+${pr_branch}" | ||
| body="This automated Pull Request updates the used **${{ matrix.components.name }}** version to version **${upstream_version}**."$'\n\n' | ||
| body="${body}This PR was opened by the workflow *${GITHUB_WORKFLOW}* (*${GITHUB_JOB}*)"$'\n\n' | ||
| body="${body}CHANGELOG: " | ||
| if [[ "${{ matrix.components.changelog_name }}" ]]; then | ||
| body="${body}Build: Updated ${{ matrix.components.changelog_name }} to version ${upstream_version}" | ||
| else | ||
| body="${body}SKIP" | ||
| fi | ||
| if [[ $existing_pr ]]; then | ||
| existing_title="$(gh pr view "${existing_pr}" --json title --jq .title)" | ||
| gh pr edit "${existing_pr}" --title "${pr_title}" --body "${body}" | ||
| if [[ "${existing_title}" != "${pr_title}" ]]; then | ||
| # If the title changed, this implies that we are updating the PR for a different version | ||
| # (and not just rebasing it). Therefore, leave a comment to make that transparent: | ||
| gh pr comment "${existing_pr}" --body "PR has been updated for version *${upstream_version}* by the workflow *${GITHUB_WORKFLOW}* (*${GITHUB_JOB}*)." | ||
| fi | ||
| else | ||
| gh pr create --base master --head "${pr_branch}" --title "${pr_title}" --body "${body}" | ||
| echo 'When Github actions create a PR, no workflows/checks (e.g. autobuilds) run.' | ||
| echo 'We do want autobuilds though, therefore, we push a slightly modified commit via the deploy key, which avoids this problem.' | ||
| echo 'We have to wait some time in order to trigger a new event... Waiting 60sec now' | ||
| sleep 60 | ||
| git commit --amend --no-edit | ||
| git push origin "+${pr_branch}" | ||
| fi | ||
|
|
||
| delete-old-pr-branches: | ||
| if: >- | ||
| github.repository_owner == 'jamulussoftware' && | ||
| github.event_name == 'pull_request_target' && | ||
| startsWith(github.event.pull_request.head.label, 'jamulussoftware:ci/bump-dependencies/') | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| # This job runs via pull_request_target. Please check for any security | ||
| # consequences when extending these steps: | ||
| # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | ||
| - uses: actions/checkout@v3 | ||
| # this checks out the upstream `master` and not the PR branch; this is fine for us | ||
| # as we just need a proper config for git/gh to work with. | ||
| - env: | ||
| pr_branch: ${{ github.event.pull_request.head.ref }} | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| set -eu | ||
| [[ "${pr_branch}" == ci/bump-dependencies/* ]] || exit 1 | ||
| open_pr_count="$(gh pr list --head "${pr_branch}" --json number --jq '.[].number' | wc -l)" | ||
| if [[ "$open_pr_count" != 0 ]]; then | ||
| echo "Open PRs for ${pr_branch} found, keeping branch" | ||
| exit 0 | ||
| fi | ||
| git push origin ":${pr_branch}" | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.