nifihub/.github/workflows/dependency-check.yml at main · Snowflake-Labs/nifihub · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Dependency Freshness Check

on:
  pull_request:
    paths:
      - 'extensions/**'
      - 'pom.xml'

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions:
  contents: read
  pull-requests: write

env:
  MAVEN_OPTS: >-
    -Xmx2g
    -Dorg.slf4j.simpleLogger.defaultLogLevel=WARN

jobs:
  detect-bundles:
    runs-on: ubuntu-latest
    outputs:
      bundles: ${{ steps.find-bundles.outputs.bundles }}
      has_bundles: ${{ steps.find-bundles.outputs.has_bundles }}
    steps:
      - name: Checkout Code
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Detect Changed Bundles
        id: find-bundles
        run: |
          CHANGED_FILES=$(git diff --name-only origin/${{ github.event.pull_request.base.ref }}...HEAD)
          BUNDLES=()

          for file in $CHANGED_FILES; do
            if [[ "$file" == extensions/* ]]; then
              dir="$file"
              while [[ "$dir" != "extensions" && "$dir" != "." ]]; do
                if [[ -f "$dir/pom.xml" ]] && grep -q '<packaging>pom</packaging>' "$dir/pom.xml" 2>/dev/null; then
                  if grep -q '<modules>' "$dir/pom.xml" 2>/dev/null; then
                    BUNDLES+=("$dir")
                    break
                  fi
                fi
                dir=$(dirname "$dir")
              done
            fi
          done

          UNIQUE_BUNDLES=($(printf '%s\n' "${BUNDLES[@]}" | sort -u))

          if [ ${#UNIQUE_BUNDLES[@]} -eq 0 ]; then
            echo "bundles=[]" >> $GITHUB_OUTPUT
            echo "has_bundles=false" >> $GITHUB_OUTPUT
          else
            JSON=$(printf '%s\n' "${UNIQUE_BUNDLES[@]}" | jq -R . | jq -sc .)
            echo "bundles=$JSON" >> $GITHUB_OUTPUT
            echo "has_bundles=true" >> $GITHUB_OUTPUT
          fi

  check-dependencies:
    needs: detect-bundles
    if: needs.detect-bundles.outputs.has_bundles == 'true'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        bundle: ${{ fromJson(needs.detect-bundles.outputs.bundles) }}
    name: Dependencies ${{ matrix.bundle }}
    steps:
      - name: Checkout Code
        uses: actions/checkout@v6

      - name: Set up Java 21
        uses: actions/setup-java@v5
        with:
          distribution: 'corretto'
          java-version: '21'
          cache: 'maven'

      - name: Check Dependency Updates
        id: dep-check
        run: |
          RULES_FILE="${{ github.workspace }}/.github/versions-rules.xml"
          BUNDLE="${{ matrix.bundle }}"
          OUTPUT_FILE=$(mktemp)

          ./mvnw versions:display-dependency-updates \
            -f "$BUNDLE/pom.xml" \
            -DprocessDependencyManagement=false \
            -Dversions.outputFile="$OUTPUT_FILE" \
            -DoutputEncoding=UTF-8 \
            -Dmaven.version.rules="file://$RULES_FILE" \
            --no-snapshot-updates \
            --no-transfer-progress \
            --batch-mode || true

          PLUGIN_OUTPUT_FILE=$(mktemp)
          ./mvnw versions:display-plugin-updates \
            -f "$BUNDLE/pom.xml" \
            -Dversions.outputFile="$PLUGIN_OUTPUT_FILE" \
            -DoutputEncoding=UTF-8 \
            -Dmaven.version.rules="file://$RULES_FILE" \
            --no-snapshot-updates \
            --no-transfer-progress \
            --batch-mode || true

          HAS_OUTDATED=false
          BODY=""

          if [ -f "$OUTPUT_FILE" ] && grep -q '\.\.\.' "$OUTPUT_FILE"; then
            HAS_OUTDATED=true
            BODY+="### Outdated Dependencies\n\n"
            BODY+="\`\`\`\n"
            BODY+="$(cat "$OUTPUT_FILE")\n"
            BODY+="\`\`\`\n\n"
          fi

          if [ -f "$PLUGIN_OUTPUT_FILE" ] && grep -q '\.\.\.' "$PLUGIN_OUTPUT_FILE"; then
            HAS_OUTDATED=true
            BODY+="### Outdated Plugins\n\n"
            BODY+="\`\`\`\n"
            BODY+="$(cat "$PLUGIN_OUTPUT_FILE")\n"
            BODY+="\`\`\`\n\n"
          fi

          echo "has_outdated=$HAS_OUTDATED" >> $GITHUB_OUTPUT

          BUNDLE_NAME=$(basename "$BUNDLE")
          COMMENT_FILE="${RUNNER_TEMP}/dep-comment-${BUNDLE_NAME}.md"
          if [ "$HAS_OUTDATED" = "true" ]; then
            echo -e "## :warning: Dependency Freshness: \`$BUNDLE_NAME\`\n" > "$COMMENT_FILE"
            echo -e "The following dependencies or plugins are not using the latest available version.\n" >> "$COMMENT_FILE"
            echo -e "$BODY" >> "$COMMENT_FILE"
            echo -e "> Update these dependencies to their latest versions or add an exclusion rule in \`.github/versions-rules.xml\` if the current version is intentional." >> "$COMMENT_FILE"
          else
            echo -e "## :white_check_mark: Dependency Freshness: \`$BUNDLE_NAME\`\n" > "$COMMENT_FILE"
            echo "All dependencies and plugins are up to date." >> "$COMMENT_FILE"
          fi
          echo "comment_file=$COMMENT_FILE" >> $GITHUB_OUTPUT

      - name: Comment on PR
        if: always() && github.event_name == 'pull_request'
        uses: actions/github-script@v9
        with:
          script: |
            const fs = require('fs');
            const bundleName = require('path').basename('${{ matrix.bundle }}');
            const marker = `Dependency Freshness: \`${bundleName}\``;
            const body = fs.readFileSync('${{ steps.dep-check.outputs.comment_file }}', 'utf8');

            const { data: comments } = await github.rest.issues.listComments({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
            });

            const existing = comments.find(c => c.body && c.body.includes(marker));

            if (existing) {
              await github.rest.issues.updateComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: existing.id,
                body,
              });
            } else {
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: context.issue.number,
                body,
              });
            }

      - name: Fail if Outdated Dependencies Found
        if: steps.dep-check.outputs.has_outdated == 'true'
        run: |
          echo "::error::Outdated dependencies found in ${{ matrix.bundle }}. Update them or add exclusions in .github/versions-rules.xml"
          exit 1