Make pre-release integration PRs #3370

Open. Wants to merge 3 commits into base: main
5 changes: 5 additions & 0 deletions .github/actions/bootstrap/action.yaml
@@ -18,6 +18,9 @@ inputs:
description: "Download test fixture cache from OCI and github actions"
required: true
default: "false"
tools:
description: "whether to install tools"
default: "true"
bootstrap-apt-packages:
description: "Space delimited list of tools to install via apt"
default: "libxml2-utils"
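Review bot: the new `tools` input has no `required:` field and its description ("whether to install tools") does not say which values are accepted, while the steps below compare it against the literal string 'true'. Composite-action inputs are always strings, so a caller writing the YAML boolean `tools: false` only works because GitHub stringifies it to "false"; spell that out in the description, e.g. description: "Install project tools ('true' or 'false')", so callers do not pass `yes`/`True` and silently skip installation.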
@@ -32,6 +35,7 @@ runs:
go-version: ${{ inputs.go-version }}

- name: Restore tool cache
if: inputs.tools == 'true'
id: tool-cache
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
with:
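Review bot: the `Restore tool cache` step keeps `id: tool-cache` but is now skipped whenever `inputs.tools != 'true'`; any later step in this action that reads `steps.tool-cache.outputs.cache-hit` (not visible in this hunk) will then see an empty value. Confirm those consumers carry the same `if: inputs.tools == 'true'` guard or tolerate the empty output.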
@@ -40,6 +44,7 @@

- name: Install project tools
shell: bash
if: inputs.tools == 'true'
run: make tools

- name: Install go dependencies
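Review bot: style point: `if:` is placed after `shell:` here but before `id:` in the cache step above; the order does not matter to the runner, but putting `if:` first in both steps makes the gating easier to spot, and since the default stays "true" every existing caller still runs `make tools` unchanged.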
49 changes: 49 additions & 0 deletions .github/workflows/update-anchore-dependencies.yml
@@ -0,0 +1,49 @@
name: PR to update Anchore dependencies
Contributor:
I think this workflow just goes away, and there's a different workflow to run grype/validations.yml against a syft change in a syft PR.

Contributor Author:
The goal is to open these pre-release PRs as integration branches in all repos during a release day, starting with pointing at integration branches for all dependencies with the PR in a draft state, then once releases start (after all pre-release PRs are green) we bump all dependencies to released versions and promote the PR from draft to mergeable.

on:
workflow_dispatch:
inputs:
repos:
description: "List of dependencies to update"
required: true
type: string

permissions:
contents: read

jobs:
update:
runs-on: ubuntu-latest
if: github.repository_owner == 'anchore' # only run for main repo (not forks)
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1

- name: Bootstrap environment
uses: ./.github/actions/bootstrap
with:
tools: false
bootstrap-apt-packages: ""

- name: Update dependencies
id: update
uses: anchore/workflows/.github/actions/update-go-dependency@add-dep-update
with:
repos: ${{ github.event.inputs.repos }}

- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0
id: generate-token
with:
app_id: ${{ secrets.TOKEN_APP_ID }}
private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}

- uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f #v7.0.5
with:
signoff: true
delete-branch: true
draft: ${{ steps.update.outputs.draft }}
# do not change this branch, as other workflows depend on it
branch: auto/integration
labels: dependencies,pre-release
commit-message: "chore(deps): update anchore dependencies"
title: "chore(deps): update anchore dependencies"
body: ${{ steps.update.outputs.changelog }}
token: ${{ steps.generate-token.outputs.token }}
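Review bot: `anchore/workflows/.github/actions/update-go-dependency@add-dep-update` references a moving branch, whereas every other action in this file (actions/checkout, tibdex/github-app-token, peter-evans/create-pull-request) is pinned to a commit SHA with a `# vX.Y.Z` comment. That step's `draft` output decides whether the PR is mergeable and its `changelog` output becomes the PR body verbatim, so pin it to a SHA (or at least a tag) once the action lands on its default branch and add the same version comment. Minor: with `workflow_dispatch` the input can be read as `${{ inputs.repos }}` instead of `${{ github.event.inputs.repos }}`.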
57 changes: 0 additions & 57 deletions .github/workflows/update-stereoscope-release.yml

This file was deleted.

12 changes: 12 additions & 0 deletions Taskfile.yaml
@@ -17,6 +17,7 @@ vars:
ORAS: "{{ .TOOL_DIR }}/oras"
YQ: "{{ .TOOL_DIR }}/yq"
TASK: "{{ .TOOL_DIR }}/task"
GH: "{{ .TOOL_DIR }}/gh"

# used for changelog generation
CHANGELOG: CHANGELOG.md
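Review bot: `GH: "{{ .TOOL_DIR }}/gh"` assumes the `tools` task installs the GitHub CLI into TOOL_DIR, but no change to the tool-install list appears in this diff; if `gh` is not among the managed tools, the new `update-anchore-dependencies` task (which declares `deps: [tools]`) will fail with a missing binary. Either add `gh` to the managed tools in the same change or document that it must be on PATH and drop the TOOL_DIR prefix.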
@@ -132,6 +133,17 @@ tasks:
- "{{ .TMP_DIR }}"
cmd: "mkdir -p {{ .TMP_DIR }}"

## Dependency tasks #################################

update-anchore-dependencies:
desc: Update Anchore dependencies
deps: [tools]
requires:
vars:
- FROM
cmd: |
{{ .GH }} workflow run update-anchore-dependencies.yml -f repos="github.com/anchore/stereoscope@{{ .FROM }}"
Contributor:
Would this task be used for anything? Generally, I think the dependencies would be updated by dependabot once an upstream project has a new version released. If I'm making a change in syft, here, I would be most interested in testing this specific change across the downstream projects, namely: Grype.

Contributor Author:
When there are releases, yes. But this is also used to control integration branches too (update to commits without releases), something that dependabot can't do. This mechanism would happen to be used for both integration and main though during release trains.


## Static analysis tasks #################################

format:
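Review bot: the task hardcodes `github.com/anchore/stereoscope@{{ .FROM }}` although the workflow input it drives is described as "List of dependencies to update"; make the module a variable (for example a `REPOS` var defaulting to stereoscope) so the same task can push other Anchore dependencies, and validate or quote `FROM` since it is interpolated straight into the `gh workflow run ... -f repos="..."` command line. The `desc` should also say that it dispatches `update-anchore-dependencies.yml` via `gh`, so it needs an authenticated `gh` with workflow permissions on the repo.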