## What - Pin all GitHub Actions to their specific SHA1 hashes to reduce supply chain attack risk - Replaces version tags with specific commit SHAs - Includes version comments for easier reference - Changes generated with the pinact tool See internal wiki page on supply chain security for further info ## How Used the pinact tool to pin the SHAs for GitHub Actions. ## Review guide <!-- 1. `x.py` 2. `y.py` --> ## User Impact No impact ## Can this PR be safely reverted and rolled back? - [x] YES 💚 - [ ] NO ❌
name: Bump versions for connectors in a PR
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
pr:
|
|
description: "Pull request number. This PR will be referenced in the changelog line."
|
|
type: number
|
|
required: false
|
|
comment-id:
|
|
description: "Optional. The comment-id of the slash command. Used to update the comment with the status."
|
|
required: false
|
|
|
|
type:
|
|
description: "The type of bump to perform. One of 'major', 'minor', or 'patch'."
|
|
required: false
|
|
default: "patch"
|
|
|
|
changelog:
|
|
description: "Optional. The comment to add to the changelog. If not provided, the PR title will be used."
|
|
required: false
|
|
# If not provided, we'll use the PR title as the changelog
|
|
default: ""
|
|
|
|
# These must be declared, but they are unused and ignored.
|
|
# TODO: Infer 'repo' and 'gitref' from PR number on other workflows, so we can remove these.
|
|
repo:
|
|
description: "Repo (Ignored)"
|
|
required: false
|
|
default: "airbytehq/airbyte"
|
|
gitref:
|
|
description: "Ref (Ignored)"
|
|
required: false
|
|
|
|
run-name: "Bump connector versions in PR: #${{ github.event.inputs.pr }}"
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.event.inputs.pr }}
|
|
# Cancel any previous runs on the same branch if they are still in progress
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
bump-version:
|
|
name: "Bump version of connectors in this PR"
|
|
runs-on: ubuntu-24.04
|
|
steps:
|
|
- name: Get job variables
|
|
id: job-vars
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
shell: bash
|
|
run: |
|
|
PR_JSON=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.inputs.pr }})
|
|
echo "repo=$(echo "$PR_JSON" | jq -r .head.repo.full_name)" >> $GITHUB_OUTPUT
|
|
echo "branch=$(echo "$PR_JSON" | jq -r .head.ref)" >> $GITHUB_OUTPUT
|
|
echo "pr_title=$(echo "$PR_JSON" | jq -r .title)" >> $GITHUB_OUTPUT
|
|
echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> $GITHUB_OUTPUT
|
|
|
|
# NOTE: We still use a PAT here (rather than a GitHub App) because the workflow needs
|
|
# permissions to add commits to our main repo as well as forks. This will only work on
|
|
# forks if the user installs the app into their fork. Until we document this as a clear
|
|
# path, we will have to keep using the PAT.
|
|
- name: Checkout Airbyte
|
|
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
|
|
with:
|
|
repository: ${{ steps.job-vars.outputs.repo }}
|
|
ref: ${{ steps.job-vars.outputs.branch }}
|
|
fetch-depth: 1
|
|
# Important that token is a PAT so that CI checks are triggered again.
|
|
# Without this we would be forever waiting on required checks to pass.
|
|
token: ${{ secrets.GH_PAT_APPROVINGTON_OCTAVIA }}
|
|
|
|
- name: Append comment with job run link
|
|
# If comment-id is not provided, this will create a new
|
|
# comment with the job run link.
|
|
id: first-comment-action
|
|
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
|
|
with:
|
|
comment-id: ${{ github.event.inputs.comment-id }}
|
|
issue-number: ${{ github.event.inputs.pr }}
|
|
body: |
|
|
|
|
> Bump Version job started... [Check job output.][1]
|
|
|
|
[1]: ${{ steps.job-vars.outputs.run-url }}
|
|
|
|
- name: Log changelog source
|
|
run: |
|
|
if [ -n "${{ github.event.inputs.changelog }}" ]; then
|
|
echo "Using user-provided changelog: ${{ github.event.inputs.changelog }}"
|
|
else
|
|
echo "Using PR title as changelog: ${{ steps.job-vars.outputs.pr_title }}"
|
|
fi
|
|
|
|
- name: Run airbyte-ci connectors --modified bump-version
|
|
uses: ./.github/actions/run-airbyte-ci
|
|
continue-on-error: true
|
|
with:
|
|
context: "manual"
|
|
gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }}
|
|
sentry_dsn: ${{ secrets.SENTRY_AIRBYTE_CI_DSN }}
|
|
github_token: ${{ steps.get-app-token.outputs.token }}
|
|
git_repo_url: https://github.com/${{ steps.job-vars.outputs.repo }}.git
|
|
subcommand: |
|
|
connectors --modified bump-version \
|
|
${{ github.event.inputs.type }} \
|
|
"${{ github.event.inputs.changelog != '' && github.event.inputs.changelog || steps.job-vars.outputs.pr_title }}" \
|
|
--pr-number ${{ github.event.inputs.pr }}
|
|
|
|
# This is helpful in the case that we change a previously committed generated file to be ignored by git.
|
|
- name: Remove any files that have been gitignored
|
|
run: git ls-files -i -c --exclude-from=.gitignore | xargs -r git rm --cached
|
|
|
|
# Check for changes in git
|
|
- name: Check for changes
|
|
id: git-diff
|
|
run: |
|
|
git diff --quiet && echo "No changes to commit" || echo "changes=true" >> $GITHUB_OUTPUT
|
|
shell: bash
|
|
|
|
# Commit changes (if any)
|
|
- name: Commit changes
|
|
id: commit-step
|
|
if: steps.git-diff.outputs.changes == 'true'
|
|
run: |
|
|
git config --global user.name "Octavia Squidington III"
|
|
git config --global user.email "octavia-squidington-iii@users.noreply.github.com"
|
|
git add .
|
|
git commit -m "chore: bump-version ${{ github.event.inputs.bump-type }}"
|
|
echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
|
|
|
|
- name: Push changes to '(${{ steps.job-vars.outputs.repo }})'
|
|
if: steps.git-diff.outputs.changes == 'true'
|
|
run: |
|
|
git remote add contributor https://github.com/${{ steps.job-vars.outputs.repo }}.git
|
|
git push contributor HEAD:'${{ steps.job-vars.outputs.branch }}'
|
|
|
|
- name: Append success comment
|
|
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
|
|
if: steps.git-diff.outputs.changes == 'true'
|
|
with:
|
|
comment-id: ${{ steps.first-comment-action.outputs.comment-id }}
|
|
reactions: hooray
|
|
body: |
|
|
> ✅ Changes applied successfully. (${{ steps.commit-step.outputs.sha }})
|
|
|
|
- name: Append success comment (no-op)
|
|
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
|
|
if: steps.git-diff.outputs.changes != 'true'
|
|
with:
|
|
comment-id: ${{ steps.first-comment-action.outputs.comment-id }}
|
|
reactions: "-1"
|
|
body: |
|
|
> 🔴 Job completed successfully (no changes, this is sus).
|
|
|
|
- name: Append failure comment
|
|
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
|
|
if: failure()
|
|
with:
|
|
comment-id: ${{ steps.first-comment-action.outputs.comment-id }}
|
|
reactions: confused
|
|
body: |
|
|
> 🔴 Job failed.
|
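Review bot: `steps.job-vars.outputs.pr_title` and `github.event.inputs.changelog` are still expanded directly inside the `run:` script of the "Log changelog source" step (and the changelog again inside the `subcommand:` of the run-airbyte-ci step), so a PR title from a fork that contains shell metacharacters is executed by the runner shell while the PAT and GCS credentials are in scope. The rendered view does not show which lines this commit touched, so this is most likely pre-existing, but pinning actions/checkout and peter-evans/create-or-update-comment to commit SHAs does not close it. Passing both values through `env:` and referencing them as shell variables removes the expression-injection path for that step. Separately, `git commit -m "chore: bump-version ${{ github.event.inputs.bump-type }}"` references an input that is not declared (the declared input is `type`), and `steps.get-app-token.outputs.token` refers to a step id that does not exist in this file, so both expressions expand to empty strings.
```yaml
      - name: Log changelog source
        env:
          CHANGELOG: ${{ github.event.inputs.changelog }}
          PR_TITLE: ${{ steps.job-vars.outputs.pr_title }}
        run: |
          if [ -n "$CHANGELOG" ]; then
            echo "Using user-provided changelog: $CHANGELOG"
          else
            echo "Using PR title as changelog: $PR_TITLE"
          fi
      # … unchanged: remaining steps …
```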