Update vault-plugin-secrets-terraform to v0.10.0 #121
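---
name: Plugin update
run-name: Update ${{ inputs.plugin }} to v${{ inputs.version }}

# Manually triggered workflow: bumps one hashicorp/vault-plugin-* module in
# go.mod, pushes the result to a branch and opens (or reuses) a pull request.
on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      plugin:
        description: 'Full name of the plugin, e.g., vault-plugin-auth-kubernetes'
        required: true
        type: string
      branch:
        description: 'Git branch name to use'
        required: true
        type: string
      version:
        description: 'Version of the plugin with *NO* "v", e.g., 1.2.3'
        required: true
        type: string
      reviewer:
        description: 'Reviewer to tag on the PR'
        required: false
        type: string

jobs:
  plugin-update:
    runs-on: ubuntu-latest
    # Least privilege for the default GITHUB_TOKEN: in this job it is only used
    # by the "Add labels" step. Pushing and PR creation use ELEVATED_GITHUB_TOKEN.
    permissions:
      contents: read
      pull-requests: write
    env:
      # Workflow inputs reach the shell steps through the environment instead of
      # being interpolated with ${{ }} inside `run:` blocks, so a value containing
      # shell metacharacters is treated as data rather than as part of a command.
      PLUGIN: ${{ inputs.plugin }}
      PLUGIN_VERSION: ${{ inputs.version }}
      VAULT_BRANCH: ${{ inputs.branch }}
      SOURCE_REF: ${{ github.ref_name }}
      REVIEWER: ${{ inputs.reviewer || github.actor }}
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          # We don't use the default token so that checks are executed on the resulting PR
          # https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
          token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764
          go-version-file: .go-version
      - name: Update plugin
        if: github.repository == 'hashicorp/vault'
        run: |
          go get "github.com/hashicorp/${PLUGIN}@v${PLUGIN_VERSION}"
          go mod tidy
      - name: Update Enterprise-only plugin
        if: github.repository == 'hashicorp/vault-enterprise'
        run: |
          # The enterprise module lives in the vault_ent subdirectory; both modules are tidied.
          (cd vault_ent && go get "github.com/hashicorp/${PLUGIN}@v${PLUGIN_VERSION}" && go mod tidy)
          go mod tidy
      - name: Detect changes
        run: |
          # Fail fast when the update was a no-op (nothing in the working tree changed).
          count=$(git status --porcelain=v1 2>/dev/null | wc -l)
          if [ "$count" -eq 0 ]; then
            echo "::error::no updates were made for ${PLUGIN} with tag v${PLUGIN_VERSION}"
            exit 1
          fi
      - name: Commit and push
        run: |
          git config user.name hc-github-team-secure-vault-ecosystem
          git config user.email [email protected]
          git add go.mod go.sum
          git commit -m "Update ${PLUGIN} to v${PLUGIN_VERSION}"
          # NOTE(review): force-push presumably lets a re-run for the same branch
          # replace the previous attempt; it will overwrite any manual commits on
          # that branch — confirm this is intended.
          git push -f origin "${SOURCE_REF}:${VAULT_BRANCH}"
      - name: Open pull request if needed
        id: pr
        env:
          GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
        # Only open a PR if the branch is not attached to an existing one
        run: |
          PR=$(gh pr list --head "$VAULT_BRANCH" --json number -q '.[0].number')
          if [ -z "$PR" ]; then
            gh pr create \
              --head "$VAULT_BRANCH" \
              --reviewer "$REVIEWER" \
              --assignee "$REVIEWER" \
              --title "Update ${PLUGIN} to v${PLUGIN_VERSION}" \
              --body "This PR was generated by a GitHub Action. Full log: https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
            # Outputs are only set when this run created the PR; the following
            # steps are skipped when vault_pr_num is empty.
            echo "vault_pr_num=$(gh pr list --head "$VAULT_BRANCH" --json number -q '.[0].number')" >> "$GITHUB_OUTPUT"
            echo "vault_pr_url=$(gh pr list --head "$VAULT_BRANCH" --json url -q '.[0].url')" >> "$GITHUB_OUTPUT"
          else
            echo "::notice::Pull request $PR already exists, won't create a new one."
          fi
      - name: Add changelog
        if: steps.pr.outputs.vault_pr_num != ''
        env:
          PR_NUM: ${{ steps.pr.outputs.vault_pr_num }}
        run: |
          # Repo names follow vault-plugin-<type>-<service>: type is one of
          # auth/secrets/database, service is the rest of the name (may contain dashes).
          PLUGIN_TYPE=$(echo "$PLUGIN" | awk -F- '{print $3}')
          PLUGIN_SERVICE=$(echo "$PLUGIN" | cut -d- -f 4-)
          if [ -z "$PLUGIN_TYPE" ] || [ -z "$PLUGIN_SERVICE" ]; then
            echo "::error::cannot derive plugin type/service from '${PLUGIN}'"
            exit 1
          fi
          echo "::debug::plugin type: $PLUGIN_TYPE"
          echo "::debug::plugin service: $PLUGIN_SERVICE"
          # Single-quoted format string keeps the backticks literal.
          printf '```release-note:change\n%s/%s: Update plugin to v%s\n```\n' \
            "$PLUGIN_TYPE" "$PLUGIN_SERVICE" "$PLUGIN_VERSION" > "changelog/${PR_NUM}.txt"
          git add changelog/
          git commit -m "Add changelog"
          git push origin "${SOURCE_REF}:${VAULT_BRANCH}"
      - name: Add labels to Vault PR
        if: steps.pr.outputs.vault_pr_num != ''
        env:
          # this is a different token to the one we have been using that should
          # allow us to add labels
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUM: ${{ steps.pr.outputs.vault_pr_num }}
        continue-on-error: true
        run: |
          gh pr edit "$PR_NUM" \
            --add-label "dependencies" \
            --repo hashicorp/vault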