build(deps): bump golang.org/x/tools from 0.37.0 to 0.38.0 in /tools #224
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Dependabot gomod updates | |
| on: | |
| pull_request_target: | |
| branches: ["main"] | |
| types: [opened, synchronize, reopened] | |
| jobs: | |
| fix: | |
| name: Align gomod versions | |
| runs-on: [ubuntu-24.04] | |
| permissions: | |
| contents: read # content write is through explicit SSH remote in the last step | |
| if: ${{ startsWith(github.event.pull_request.head.ref, 'dependabot/go_modules/')}} | |
| steps: | |
| - uses: actions/checkout@v5 | |
| with: | |
| ref: ${{github.event.pull_request.head.ref}} | |
| persist-credentials: false | |
| - name: Identify the module being updated | |
| run: | | |
| # Warning: this script must remain in the workflow file | |
| # to avoid running arbitrary code from untrusted PR authors with pull_request_target access. | |
| # | |
| # This script only executes `go get` and `go mod tidy`, | |
| # which are commands in the environment and cannot be overridden by PR changes. | |
| # | |
| # See https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ | |
| cat <<EOF | python3 - "${{github.event.pull_request.head.ref}}" | |
| import sys | |
| from pathlib import Path | |
| parse_branch_name = sys.argv[1].split("/")[2:] | |
| found = False | |
| for i in range(len(parse_branch_name)): | |
| try_module_path = "/".join(parse_branch_name[:i+1]) | |
| if Path(try_module_path).joinpath("go.mod").is_file(): | |
| found = True | |
| local_module_path = try_module_path | |
| dep_full_name = "/".join(parse_branch_name[i+1:]) | |
| break | |
| if not found: | |
| raise Exception(f"Cannot locate local module for {parse_branch_name}") | |
| go_sum_path = Path(local_module_path).joinpath("go.sum") | |
| with go_sum_path.open() as f: | |
| go_sum_lines = f.readlines() | |
| found = False | |
| for line in go_sum_lines: | |
| line_parts = line.split(" ") | |
| if len(line_parts) < 3: | |
| continue | |
| sum_module_name = line_parts[0] | |
| sum_module_version = line_parts[1] | |
| sum_module_full_name = "{}-{}".format(sum_module_name, sum_module_version[1:]) | |
| if sum_module_full_name == dep_full_name: | |
| found = True | |
| dep_name = sum_module_name | |
| dep_version = sum_module_version | |
| break | |
| if not found: | |
| raise Exception(f"Cannot identify the go module being updated") | |
| with open("commands.sh", "w") as f: | |
| for module in [ | |
| "apis", | |
| "client", | |
| "util", | |
| "generator", | |
| "aggregator", | |
| "webhook", | |
| "allinone", | |
| "tests", | |
| "tools", | |
| ]: | |
| f.write(f"pushd {module}\n") | |
| f.write(f"go get {sum_module_name}@{dep_version}\n") | |
| f.write("go mod tidy\n") | |
| f.write(f"popd\n") | |
| EOF | |
| - name: Execute global updates | |
| run: bash -x commands.sh | |
| - run: git diff | |
| - name: Commit changes | |
| run: | | |
| set -x | |
| if ! git diff --exit-code >/dev/null; then | |
| if [[ "$(git log --format=%an -1)" == "github-actions[bot]" ]]; then | |
| echo "go mod tidy is not idempotent and may result in infinite commit loop" | |
| exit 1 | |
| fi | |
| git \ | |
| -c user.name="github-actions[bot]" \ | |
| -c user.email="41898282+github-actions[bot]@users.noreply.github.com" \ | |
| commit -am "build(deps): update other modules after $(git log --format=%h -1)" | |
| git fetch origin | |
| git remote add ssh [email protected]:kubewharf/podseidon | |
| ([[ -d ~/.ssh ]] || mkdir ~/.ssh) && echo "${{secrets.DEPENDABOT_UPDATE_TOKEN}}" >~/.ssh/id_rsa && chmod 400 ~/.ssh/id_rsa | |
| git push ssh HEAD:"${{github.event.pull_request.head.ref}}" | |
| fi |