Update dependencies #250
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Update dependencies | |
| on: | |
| schedule: | |
| - cron: '0 11 * * 2' | |
| workflow_dispatch: | |
| inputs: | |
| nerdctl_tag_override: | |
| type: string | |
| description: The tag of nerdctl full archive to update | |
| required: false | |
| pull_request: | |
| branches: | |
| - main | |
| paths: | |
| - .github/workflows/update-dependencies.yaml | |
| - .github/workflows/update-linux-dependencies.yaml | |
| - .github/workflows/update-qemu.yaml | |
| - .github/workflows/update-ecr-cred-helper.yaml | |
| - .github/workflows/update-soci.yaml | |
| - bin/update-lima-bundles.sh | |
| - bin/update-container-runtime-full-archive.sh | |
| - bin/update-linux-dependencies.sh | |
| permissions: | |
| contents: read | |
| jobs: | |
| update-deps: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on. | |
| # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings | |
| id-token: write | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - name: configure aws credentials | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 | |
| with: | |
| role-to-assume: ${{ secrets.ROLE }} | |
| role-session-name: dependency-upload-session | |
| aws-region: ${{ secrets.REGION }} | |
| - name: Update Lima bundle archive for Finch on macOS | |
| run: bash bin/update-lima-bundles.sh -d ${{ secrets.DEPENDENCY_BUCKET_NAME }} | |
| - name: Update base OS for Finch on macOS | |
| run: bash bin/update-os-image.sh -d ${{ secrets.DEPENDENCY_BUCKET_NAME }} | |
| - name: Update rootfs for Finch on Windows | |
| run: bash bin/update-rootfs.sh -d ${{ secrets.DEPENDENCY_BUCKET_NAME }} | |
| - name: create PR | |
| if: github.event_name != 'pull_request' | |
| uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 | |
| with: | |
| # A Personal Access Token instead of the default `GITHUB_TOKEN` is required | |
| # to trigger the checks (e.g., e2e tests) on the created pull request. | |
| # More info: https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#workarounds-to-trigger-further-workflow-runs | |
| # TODO: Use FINCH_BOT_TOKEN instead of GITHUB_TOKEN. | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| signoff: true | |
| title: 'build(deps): Bump finch dependencies' | |
| branch: create-pull-request/bump-finch-dependencies | |
| fetch-latest-nerdctl-tag: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| tag: ${{ steps.fetch-tag.outputs.tag }} | |
| steps: | |
| - name: Fetch tag for latest release | |
| id: fetch-tag | |
| env: | |
| OVERRIDE_TAG: ${{ github.event.inputs.nerdctl_tag_override }} | |
| run: | | |
| if [ -n "$OVERRIDE_TAG" ]; then | |
| echo "tag=$OVERRIDE_TAG" >> $GITHUB_OUTPUT | |
| echo "Override tag: $OVERRIDE_TAG" | |
| else | |
| latest_tag="$(\ | |
| curl -s "https://api.github.com/repos/containerd/nerdctl/releases/latest" | \ | |
| grep '"tag_name":' | \ | |
| head -1 | \ | |
| cut -d'"' -f4 \ | |
| )" | |
| echo "tag=$latest_tag" >> $GITHUB_OUTPUT | |
| echo "Latest tag is ${latest_tag}" | |
| fi | |
| update-container-runtime-full-archive: | |
| runs-on: ubuntu-latest | |
| needs: fetch-latest-nerdctl-tag | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| env: | |
| NERDCTL_TAG: ${{ needs.fetch-latest-nerdctl-tag.outputs.tag }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - name: Update container runtime dependencies | |
| run: bash bin/update-container-runtime-full-archive.sh -t "${{ env.NERDCTL_TAG }}" | |
| - name: Create PR | |
| if: github.event_name != 'pull_request' | |
| uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| signoff: true | |
| branch: create-pull-request/update-container-runtime-full-archive-${{ env.NERDCTL_TAG }} | |
| delete-branch: true | |
| title: 'build(deps): update container runtime full archive to nerdctl-${{ env.NERDCTL_TAG }}' | |
| add-paths: deps/container-runtime-full-archive.conf | |
| body: | | |
| Update the container runtime full archive to nerdctl ${{ env.NERDCTL_TAG }} for macOS and Window platforms. | |
| See https://github.com/containerd/nerdctl/releases/tag/${{ env.NERDCTL_TAG }} for more details. | |
| This PR created by [create-pull-request](https://github.com/peter-evans/create-pull-request) must be closed | |
| and reopened manually to trigger automated checks. | |
| update-linux-dependencies: | |
| # Add permissions needed to create a PR | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| uses: ./.github/workflows/update-linux-dependencies.yaml | |
| update-qemu: | |
| # Add permissions needed to create a PR | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| uses: ./.github/workflows/update-qemu.yaml | |
| update-ecr-cred-helper: | |
| # Add permissions needed to create a PR | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| uses: ./.github/workflows/update-ecr-cred-helper.yaml | |
| update-soci: | |
| # Add permissions needed to create a PR | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| uses: ./.github/workflows/update-soci.yaml |