Update Gem Version Artifacts #992
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Update Gem Version Artifacts | |
| on: | |
| workflow_run: | |
| workflows: ["Dependabot Gem PR Check"] | |
| types: | |
| - completed | |
| jobs: | |
| update-dependencies: | |
| runs-on: ubuntu-latest | |
| if: >- | |
| github.event.workflow_run.event == 'pull_request' && | |
| github.event.workflow_run.conclusion == 'success' && | |
| github.event.workflow_run.actor.login == 'dependabot[bot]' | |
| # The 'permissions' here apply to the GITHUB_TOKEN, but we'll actually be pushing with the PAT | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 | |
| with: | |
| egress-policy: audit | |
| - name: Create GitHub Token | |
| id: create-token | |
| uses: actions/create-github-app-token@v2 | |
| with: | |
| app-id: ${{ secrets.GH_APP_ID }} | |
| private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} | |
| owner: block | |
| - name: Checkout Git Repo | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | |
| with: | |
| ref: ${{ github.event.workflow_run.head_branch }} | |
| # Use the PAT for checkout to ensure proper permissions | |
| token: ${{ steps.create-token.outputs.token }} | |
| - name: Set up Ruby | |
| uses: ruby/setup-ruby@4c24fa5ec04b2e79eb40571b1cee2a0d2b705771 # v1.278.0 | |
| with: | |
| ruby-version: "4.0" | |
| bundler-cache: true | |
| cache-version: 2 | |
| - name: Update RBS collection | |
| run: bundle exec rbs collection update | |
| - name: Update gem version constraints | |
| run: | | |
| bundle config --local deployment false | |
| script/update_gem_constraints | |
| - name: Commit and push if changed | |
| env: | |
| HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }} | |
| run: | | |
| if [[ -n "$(git status --porcelain)" ]]; then | |
| git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| git config --local user.name "github-actions[bot]" | |
| git add rbs_collection.lock.yaml Gemfile Gemfile.lock *.gemspec | |
| git commit -m "Update gem version artifacts." | |
| # Push using the PAT | |
| git remote set-url origin "https://x-access-token:${{ steps.create-token.outputs.token }}@github.com/${{ github.repository }}.git" | |
| git push origin "HEAD:$HEAD_BRANCH" | |
| fi |