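name: 🔄 Dependency Management

on:
  schedule:
    # Run every Monday at 9:00 AM UTC
    - cron: '0 9 * * 1'
  workflow_dispatch:
    inputs:
      update_type:
        description: 'Type of update to perform'
        required: true
        default: 'minor'
        type: choice
        options:
          - 'patch'
          - 'minor'
          - 'major'
          - 'all'

# Least privilege: the default token is read-only for every job. Only the job
# that pushes a branch and opens the pull request is granted write scopes
# (see `update` below).
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}
  # Queue overlapping runs instead of cancelling them: a run cancelled while it
  # is pushing the update branch / opening the PR can leave a half-finished state.
  cancel-in-progress: false

env:
  GO_VERSION: "1.24"

jobs:
  # ===================================
  # Dependency Analysis
  # ===================================
  analyze:
    name: 🔍 Analyze Dependencies
    runs-on: ubuntu-latest
    timeout-minutes: 15
    outputs:
      has-updates: ${{ steps.check.outputs.has-updates }}
      # Captured by a dedicated step that runs AFTER the security audit, so the
      # text consumed by the PR body includes the audit result.
      update-summary: ${{ steps.publish.outputs.update-summary }}
      vuln-status: ${{ steps.audit.outputs.vuln-status }}
    steps:
      - name: 📂 Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: 🐹 Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true

      - name: 🔍 Check for dependency updates
        id: check
        run: |
          echo "📋 Current dependencies:" > update_summary.txt
          go list -m all >> update_summary.txt
          echo "" >> update_summary.txt
          echo "🔍 Checking for available updates..." >> update_summary.txt

          # `go list -u` suffixes every module that has a newer version with
          # `[vX.Y.Z]`, so a bracket anywhere in the output means an update exists.
          go list -u -m all > current_deps.txt

          if grep -q '\[' current_deps.txt; then
            echo "has-updates=true" >> "$GITHUB_OUTPUT"
            echo "✅ Updates available" >> update_summary.txt
            grep '\[' current_deps.txt >> update_summary.txt
          else
            echo "has-updates=false" >> "$GITHUB_OUTPUT"
            echo "ℹ️ No updates available" >> update_summary.txt
          fi

      - name: 🛡️ Security audit
        id: audit
        run: |
          echo "" >> update_summary.txt
          echo "🛡️ Security audit results:" >> update_summary.txt
          # NOTE(review): `@latest` installs an unpinned build of the scanner
          # itself; pin it to a tagged release once the team has chosen one.
          go install golang.org/x/vuln/cmd/govulncheck@latest
          # govulncheck exits non-zero when it finds a reachable vulnerability.
          # The job deliberately keeps going so the result is surfaced in the
          # PR body and the run summary rather than silently failing the run.
          if govulncheck ./...; then
            echo "vuln-status=✅ No known vulnerabilities found" >> "$GITHUB_OUTPUT"
            echo "✅ No known vulnerabilities found" >> update_summary.txt
          else
            echo "vuln-status=⚠️ Potential vulnerabilities detected" >> "$GITHUB_OUTPUT"
            echo "⚠️ Potential vulnerabilities detected" >> update_summary.txt
          fi

      - name: 📤 Publish analysis summary
        id: publish
        run: |
          {
            echo 'update-summary<<EOF'
            cat update_summary.txt
            echo EOF
          } >> "$GITHUB_OUTPUT"

      - name: 📤 Upload analysis results
        uses: actions/upload-artifact@v4
        with:
          name: dependency-analysis
          path: |
            update_summary.txt
            current_deps.txt
          retention-days: 7

  # ===================================
  # Automated Updates
  # ===================================
  update:
    name: 🔄 Update Dependencies
    runs-on: ubuntu-latest
    timeout-minutes: 20
    needs: analyze
    if: needs.analyze.outputs.has-updates == 'true' || github.event_name == 'workflow_dispatch'
    # The only job that pushes a branch and opens a PR, so the only job that
    # holds write scopes on the token.
    permissions:
      contents: write
      pull-requests: write
    env:
      # `update_type` is a `choice` input, so it can only be one of the four
      # listed values. It is still passed through the environment instead of
      # being interpolated into shell text so the script never depends on that.
      UPDATE_TYPE: ${{ github.event.inputs.update_type || 'minor' }}
    steps:
      - name: 📂 Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: 🐹 Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache: true

      - name: 🔄 Update dependencies
        id: update
        run: |
          echo "📋 Update type: $UPDATE_TYPE"
          case "$UPDATE_TYPE" in
            "patch")
              # Patch releases only
              go get -u=patch ./...
              ;;
            "minor")
              # Minor and patch releases (default)
              go get -u ./...
              ;;
            "major"|"all")
              # `go get -u` never crosses a major version boundary: Go treats
              # v2+ as a distinct module path. These options therefore update
              # exactly like "minor"; a real major bump still needs a manual
              # import-path change followed by `go mod tidy`.
              go get -u ./...
              ;;
            *)
              echo "❌ Unknown update type: $UPDATE_TYPE"
              exit 1
              ;;
          esac
          go mod tidy

          # Nothing to commit if the module files are unchanged
          if git diff --quiet -- go.mod go.sum; then
            echo "No dependency changes found"
            echo "has-changes=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          echo "has-changes=true" >> "$GITHUB_OUTPUT"

          # Record the diff in the run summary. It is written there instead of
          # into a scratch file in the working tree so no stray file can end up
          # committed to the PR branch.
          {
            echo "### 📋 Dependency updates applied"
            echo '```diff'
            git diff -- go.mod
            echo '```'
            echo "### go.sum changes"
            echo '```'
            git diff --stat -- go.sum
            echo '```'
          } >> "$GITHUB_STEP_SUMMARY"

      - name: 🧪 Test updated dependencies
        if: steps.update.outputs.has-changes == 'true'
        run: |
          echo "🧪 Testing with updated dependencies..."
          # Download new dependencies and check them against go.sum
          go mod download
          go mod verify
          if ! go build -v ./...; then
            echo "❌ Build failed with updated dependencies"
            exit 1
          fi
          if ! go test -v ./...; then
            echo "❌ Tests failed with updated dependencies"
            exit 1
          fi
          echo "✅ All tests passed with updated dependencies"

      - name: 🛡️ Security check with updates
        id: vuln
        if: steps.update.outputs.has-changes == 'true'
        run: |
          echo "🛡️ Running security checks on updated dependencies..."
          # NOTE(review): unpinned scanner install, see the analyze job.
          go install golang.org/x/vuln/cmd/govulncheck@latest
          # Non-blocking on purpose: the outcome is written into the PR body so
          # the reviewer sees it, rather than being hidden in the job log.
          if govulncheck ./...; then
            echo "vuln-status=✅ No vulnerabilities found in updated dependencies" >> "$GITHUB_OUTPUT"
          else
            echo "vuln-status=⚠️ Potential security issues detected - review required" >> "$GITHUB_OUTPUT"
          fi

      # The action creates the branch, commits and pushes itself; committing
      # by hand first is not needed and would require a separate git identity.
      - name: 🚀 Create Pull Request
        if: steps.update.outputs.has-changes == 'true'
        uses: peter-evans/create-pull-request@v7
        with:
          # NOTE: a PR opened with GITHUB_TOKEN does not trigger `pull_request`
          # workflows, so the repository's CI will not run on it by itself.
          # Use a GitHub App or PAT token here if CI must start automatically.
          token: ${{ secrets.GITHUB_TOKEN }}
          # Stable branch name: a later run updates the existing open PR
          # instead of opening a new one per run, which is what the PR body
          # promises.
          branch: deps/auto-update-${{ env.UPDATE_TYPE }}
          # Only the module files are committed; anything else the run created
          # stays out of the PR.
          add-paths: |
            go.mod
            go.sum
          commit-message: |
            chore(deps): update Go dependencies

            - Update type: ${{ env.UPDATE_TYPE }}
            - Automated dependency update via GitHub Actions
            - All tests passing with updated dependencies
          title: "🔄 chore(deps): automated dependency updates"
          body: |
            ## 🔄 Automated Dependency Updates
            This PR contains automated dependency updates generated by GitHub Actions.
            ### 📋 Update Details
            - **Update Type:** `${{ env.UPDATE_TYPE }}`
            - **Trigger:** ${{ github.event_name }}
            - **Generated:** ${{ github.run_id }}
            ### 🧪 Validation
            - ✅ All dependencies downloaded successfully
            - ✅ Module integrity verified (`go mod verify`)
            - ✅ Project builds successfully
            - ✅ All tests pass
            - Security scan (after update): ${{ steps.vuln.outputs.vuln-status }}
            ### 📊 Analysis Summary
            ```
            ${{ needs.analyze.outputs.update-summary }}
            ```
            ### 🔍 Review Checklist
            - [ ] Review dependency changes for breaking changes
            - [ ] Verify no new security vulnerabilities introduced
            - [ ] Check that all tests pass in CI (CI does not start automatically on a PR opened with `GITHUB_TOKEN`; trigger it manually or push to the branch)
            - [ ] Validate integration tests
            ---
            🤖 This PR was automatically generated by the dependency management workflow.
            **Note:** This PR will be automatically updated if new dependency updates become available.
          labels: |
            dependencies
            automated
            maintenance
          reviewers: M0Rf30
          draft: false

  # ===================================
  # Summary Report
  # ===================================
  summary:
    name: 📊 Dependency Summary
    runs-on: ubuntu-latest
    timeout-minutes: 5
    needs: [analyze, update]
    if: always()
    env:
      HAS_UPDATES: ${{ needs.analyze.outputs.has-updates }}
      UPDATE_RESULT: ${{ needs.update.result }}
      VULN_STATUS: ${{ needs.analyze.outputs.vuln-status }}
      EVENT_NAME: ${{ github.event_name }}
      REPO: ${{ github.repository }}
    steps:
      - name: 📥 Download analysis results
        if: needs.analyze.outputs.has-updates == 'true'
        uses: actions/download-artifact@v4
        with:
          name: dependency-analysis

      - name: 📝 Generate summary report
        run: |
          {
            echo "## 🔄 Dependency Management Summary"
            echo ""
            echo "**Trigger:** $EVENT_NAME"
            echo "**Date:** $(date -u '+%Y-%m-%d %H:%M:%S UTC')"
            echo ""
            echo "### 📋 Analysis Results"
            if [[ "$HAS_UPDATES" == "true" ]]; then
              echo "- **Updates Available:** ✅ Yes"
              echo "- **Update Job:** $UPDATE_RESULT"
            else
              echo "- **Updates Available:** ℹ️ No updates found"
              echo "- **Dependencies:** Up to date"
            fi
            # Empty when the analyze job did not get as far as the audit step
            echo "- **Security audit:** ${VULN_STATUS:-not run}"
            echo ""
            # The artifact is only downloaded when updates were found
            if [[ -f update_summary.txt ]]; then
              echo "### 📊 Update Details"
              echo '```'
              cat update_summary.txt
              echo '```'
              echo ""
            fi
            echo "### 🔗 Related Links"
            echo "- [Dependency Graph](https://github.com/$REPO/network/dependencies)"
            echo "- [Security Advisories](https://github.com/$REPO/security/advisories)"
            echo "- [Dependabot Settings](https://github.com/$REPO/settings/security_analysis)"
          } >> "$GITHUB_STEP_SUMMARY"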