fix(deps): update module golang.org/x/net to v0.33.0 [security] #1674
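# Post-processing for dependency-update pull requests: regenerates derived
# files (`make package-specs`, `make update-uaac-nix-package`) and pushes the
# result back to the PR branch as an extra commit.
#
# Security note: the branch name (`github.head_ref`) and the commit subject are
# chosen by whoever opens the pull request. They are therefore handed to the
# shell through `env:` and read as shell variables, never expanded with
# `${{ … }}` inside a `run:` script, where the runner would paste them into the
# script text before bash parses it.
name: "Dependency Updates Post-Processing"
on:
  pull_request:
    paths:
      - ".github/workflows/dependency-updates-post-processing.yaml"
      - "src/**/go.mod"
      - "src/**/go.sum"
  workflow_dispatch: {}
jobs:
  dependency-updates-post-processing:
    name: "Dependency Updates Post-Processing"
    if: "!contains(github.event.pull_request.labels.*.name, 'skip-dependency-postprocessing')"
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: write
    steps:
      # We potentially want to add, at the end, a commit by the author of the most
      # recent commit in this branch. However, GitHub has a protection that prevents
      # workflows from running when a commit has been pushed with the default
      # job-specific github-token. For this case we need to use another token here.
      #
      # For more information, see:
      # <https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow>
      #
      # NOTE(review): actions/checkout keeps the token in the local git config by
      # default (`persist-credentials`), which is what the later `git push` relies
      # on. Every following step, including the `make` targets taken from the PR
      # branch, can read it, so the token's scope should be as narrow as possible.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          fetch-depth: 0
          submodules: true
          token: ${{ secrets.APP_AUTOSCALER_CI_TOKEN }} # With push token that can trigger new PR jobs
      - name: Configure git
        id: configure_git
        shell: bash
        env:
          # PR-author-controlled value; passed as data, not as script text.
          HEAD_REF: ${{ github.head_ref }}
        run: |
          #! /usr/bin/env bash
          set -eu -o pipefail
          git config --global --add safe.directory "${GITHUB_WORKSPACE}"
          # NOTE(review): `declare -r x="$(cmd)"` returns the status of `declare`,
          # so a failing `git log` does not stop the script despite `set -e`.
          declare -r commit_author_name="$(git log -1 --pretty=format:'%an')"
          declare -r commit_author_email="$(git log -1 --pretty=format:'%ae')"
          # HEAD_REF is empty for `workflow_dispatch`; `:+` then passes no revision
          # argument at all, which is what the empty expression expansion did before.
          declare -r commit_subject="$(git log -1 ${HEAD_REF:+"${HEAD_REF}"} --pretty=format:'%s')"
          git config user.name "${commit_author_name}"
          git config user.email "${commit_author_email}"
          # `%an` and `%s` are single-line, so each output stays one `key=value` line.
          echo "commit_author_name=${commit_author_name}" >> "${GITHUB_OUTPUT}"
          echo "commit_subject=${commit_subject}" >> "${GITHUB_OUTPUT}"
      - name: Install devbox
        uses: jetify-com/devbox-install-action@a03caf5813591bc882139eba6ae947930a83a427 # v0.11.0
        with:
          enable-cache: 'true'
      - name: Make devbox shellenv available
        # NOTE(review): this persists the step's whole environment for all later
        # steps; a variable whose value contains a newline would not survive the
        # `NAME=value` line format of the file.
        run: |
          eval "$(devbox shellenv)"
          printenv >> "${GITHUB_ENV}"
      - name: go-mod-tidy and make package-specs
        shell: bash
        env:
          GH_TOKEN: ${{ secrets.APP_AUTOSCALER_CI_TOKEN }}
          # Values derived from the pull request (branch name, commit metadata) are
          # passed through the environment so that bash treats them purely as data.
          HEAD_REF: ${{ github.head_ref }}
          COMMIT_AUTHOR_NAME: ${{ steps.configure_git.outputs.commit_author_name }}
          COMMIT_SUBJECT: ${{ steps.configure_git.outputs.commit_subject }}
        run: |
          #! /usr/bin/env bash
          set -eu -o pipefail
          # We need the subsequent standard-message to determine if the last commit
          # has already cleaned up everything. In this case this workflow should not
          # change anything and we exit early.
          # An alternative would be to use a tag for this. But this does affect the whole
          # PR instead of just the latest commit.
          declare -r tidy_message='🤖🦾🛠️ go mod tidy & make package-specs'
          declare -r commit_author_name="${COMMIT_AUTHOR_NAME:-}"
          declare -r commit_message="${COMMIT_SUBJECT:-}"
          if [[ "${commit_message}" == "${tidy_message}" ]]; then
            echo 'This commit is already an automatic `go-mod-tidy and make package-specs`! Exiting ...'
            exit 0
          fi
          # Generated files are needed for `go mod tidy` which is a dependency of the
          # target `package-specs`. However the generation of them itself already
          # requires go-modules to be tidied up. So we need to generate the files
          # before changing `go.mod` and `go.sum`.
          declare -r current_branch="${HEAD_REF:-}"
          git checkout 'HEAD~1'
          make generate-fakes
          make generate-openapi-generated-clients-and-servers
          git checkout "${current_branch}"
          # ⚠️ For this workflow to be successful, the subsequent line must not
          # trigger again the creation of the generated files.
          make package-specs
          make update-uaac-nix-package
          declare -i -r num_changed_files="$(git status --porcelain | wc --lines)"
          if ((num_changed_files > 0))
          then
            echo 'Changes to some files were necessary!'
            git add .
            git commit --message="${tidy_message}"
            git pull --rebase=true
            git push
          else
            echo 'No files changed!'
          fi
          echo '🏁'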