# Copyright 2024-2026 Defense Unicorns
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

# Composite action that decides whether a Renovate PR is ready for CI testing.
# The driving signal is the PR head branch name (renovate/<package>): the
# special packages pepr, support-deps, iac-support-deps and operator-deps get
# bespoke handling; every other package has its src/<package> images and charts
# compared between main and the PR branch and is labelled from the result.
# Steps that `exit 1` do so on purpose so the calling workflow stops before
# expensive testing runs (see the inline comments on those steps).
# The action declares no `outputs:`; all step outputs are internal.
name: renovate-readiness
description: "Check if Renovate PRs are ready for testing"
inputs:
  github_token:
    # Used as GH_TOKEN by the `gh pr edit` / `gh pr view` calls below, so it
    # must be allowed to read and label pull requests on this repository
    # (presumably `pull-requests: write` in the calling workflow — verify).
    description: "GitHub token for API calls"
    required: true
runs:
  using: composite
  steps:
    # Check if PR has the renovate-ready label (manual override).
    # should_process=false short-circuits every later step. The label test is
    # evaluated at expression time; only its true/false text reaches bash.
    - name: Check if PR has the ready label
      id: check-ready-label
      shell: bash
      run: |
        if [[ "${{ contains(github.event.pull_request.labels.*.name, 'renovate-ready') }}" == "true" ]]; then
          echo "PR has the renovate-ready label. Skipping readiness check."
          echo "should_process=false" >> $GITHUB_OUTPUT
        else
          echo "PR does not have the renovate-ready label. Proceeding with readiness check."
          echo "should_process=true" >> $GITHUB_OUTPUT
        fi
    # Process branch name to determine package.
    # github.head_ref is handed to bash through `env` rather than interpolated
    # into the script, so an unusual branch name cannot alter the shell text.
    # Outputs: package, needs_comparison, and at most one of
    # is_pepr / is_support_deps / is_operator_deps (unset otherwise, which the
    # `== 'true'` guards below treat as false).
    - name: Process branch name
      id: process-branch
      if: steps.check-ready-label.outputs.should_process == 'true'
      shell: bash
      env:
        BRANCH_NAME: ${{ github.head_ref }}
      run: |
        echo "Branch name: $BRANCH_NAME"
        # Remove 'renovate/' prefix if present
        if [[ $BRANCH_NAME == renovate/* ]]; then
          PACKAGE_NAME=${BRANCH_NAME#renovate/}
          echo "Package name after removing prefix: $PACKAGE_NAME"
        else
          PACKAGE_NAME=$BRANCH_NAME
          echo "Branch doesn't have renovate/ prefix, using as is: $PACKAGE_NAME"
        fi
        # Handle special cases
        if [[ "$PACKAGE_NAME" == "pepr" ]]; then
          echo "Detected Pepr update"
          echo "package=pepr" >> $GITHUB_OUTPUT
          echo "is_pepr=true" >> $GITHUB_OUTPUT
          echo "needs_comparison=false" >> $GITHUB_OUTPUT
        elif [[ "$PACKAGE_NAME" == "support-deps" ]] || [[ "$PACKAGE_NAME" == "iac-support-deps" ]]; then
          echo "Detected support dependencies update"
          echo "package=$PACKAGE_NAME" >> $GITHUB_OUTPUT
          echo "is_support_deps=true" >> $GITHUB_OUTPUT
          echo "needs_comparison=false" >> $GITHUB_OUTPUT
        elif [[ "$PACKAGE_NAME" == "operator-deps" ]]; then
          echo "Detected operator dependencies update"
          echo "package=operator-deps" >> $GITHUB_OUTPUT
          echo "is_operator_deps=true" >> $GITHUB_OUTPUT
          echo "needs_comparison=false" >> $GITHUB_OUTPUT
        else
          echo "Regular package update: $PACKAGE_NAME"
          echo "package=$PACKAGE_NAME" >> $GITHUB_OUTPUT
          echo "needs_comparison=true" >> $GITHUB_OUTPUT
        fi
    # Handle Pepr updates: require package.json, the Ironbank image tag and the
    # Unicorn image tag in tasks/create.yaml to carry the same version before
    # the PR is labelled needs-review; otherwise a waiting-on-* label is set.
    # NOTE(review): the plain string compare assumes package.json pins an
    # exact version (no ^/~ range) — confirm; a range would always mismatch.
    # NOTE(review): as shown, the final labelling block opens four `if`s
    # (any-mismatch, upstream-behind, ironbank, unicorn) but only two `fi`
    # lines follow it, and the "and exit" promised by the inline comment has
    # no `exit`; either lines were lost in rendering or bash will reject the
    # script — confirm against the repository before relying on this step.
    # The inner `sort -V` tests also repeat the `!=` check that their
    # enclosing `if` already guarantees.
    # Style: github.event.pull_request.number is interpolated into the script
    # here and in later steps; the value is numeric, but passing it through
    # `env` like BRANCH_NAME would keep the whole file on one convention.
    - name: Handle Pepr update
      if: steps.process-branch.outputs.is_pepr == 'true'
      shell: bash
      env:
        GH_TOKEN: ${{ inputs.github_token }}
      run: |
        # Get Pepr version from package.json
        PEPR_VERSION=$(jq -r '.dependencies.pepr' package.json)
        echo "Pepr version from package.json: $PEPR_VERSION"
        # Get image versions from tasks/create.yaml
        IRONBANK_IMAGE_VERSION=$(yq e '.variables[] | select(.name == "REGISTRY1_PEPR_IMAGE") | .default | split(":")[1]' tasks/create.yaml)
        IRONBANK_IMAGE_VERSION=${IRONBANK_IMAGE_VERSION#v}
        echo "Ironbank image version: $IRONBANK_IMAGE_VERSION"
        UNICORN_IMAGE_VERSION=$(yq e '.variables[] | select(.name == "UNICORN_PEPR_IMAGE") | .default | split(":")[1]' tasks/create.yaml)
        UNICORN_IMAGE_VERSION=${UNICORN_IMAGE_VERSION#v}
        echo "Unicorn image version: $UNICORN_IMAGE_VERSION"
        # Check if all three versions are in sync
        IRONBANK_MISMATCH=false
        UNICORN_MISMATCH=false
        UPSTREAM_BEHIND=false
        if [[ "$PEPR_VERSION" != "$IRONBANK_IMAGE_VERSION" ]]; then
          echo "ERROR: package.json version ($PEPR_VERSION) does not match Ironbank image version ($IRONBANK_IMAGE_VERSION)"
          # Check if package.json version is less than image version (upstream is behind)
          if printf '%s\n' "$PEPR_VERSION" "$IRONBANK_IMAGE_VERSION" | sort -V | head -n1 | grep -q "^$PEPR_VERSION$" && [[ "$PEPR_VERSION" != "$IRONBANK_IMAGE_VERSION" ]]; then
            UPSTREAM_BEHIND=true
          else
            IRONBANK_MISMATCH=true
          fi
        fi
        if [[ "$PEPR_VERSION" != "$UNICORN_IMAGE_VERSION" ]]; then
          echo "ERROR: package.json version ($PEPR_VERSION) does not match Unicorn image version ($UNICORN_IMAGE_VERSION)"
          # Check if package.json version is less than image version (upstream is behind)
          if printf '%s\n' "$PEPR_VERSION" "$UNICORN_IMAGE_VERSION" | sort -V | head -n1 | grep -q "^$PEPR_VERSION$" && [[ "$PEPR_VERSION" != "$UNICORN_IMAGE_VERSION" ]]; then
            UPSTREAM_BEHIND=true
          else
            UNICORN_MISMATCH=true
          fi
        fi
        # Apply labels and exit if any mismatch
        if [[ "$UPSTREAM_BEHIND" == "true" ]] || [[ "$IRONBANK_MISMATCH" == "true" ]] || [[ "$UNICORN_MISMATCH" == "true" ]]; then
          echo "Pepr versions are not in sync. Waiting on updates."
          gh pr edit ${{ github.event.pull_request.number }} --remove-label "needs-review" || true
          if [[ "$UPSTREAM_BEHIND" == "true" ]]; then
            echo "Upstream package.json is behind image versions - possible Pepr release issue"
            gh pr edit ${{ github.event.pull_request.number }} --add-label "waiting on upstream"
            gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on ironbank" || true
            gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on unicorn" || true
          else
            gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on upstream" || true
            if [[ "$IRONBANK_MISMATCH" == "true" ]]; then
              gh pr edit ${{ github.event.pull_request.number }} --add-label "waiting on ironbank"
            else
              gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on ironbank" || true
            fi
            if [[ "$UNICORN_MISMATCH" == "true" ]]; then
              gh pr edit ${{ github.event.pull_request.number }} --add-label "waiting on unicorn"
            else
              gh pr edit ${{ github.event.pull_request.number }} --remove-label "waiting on unicorn" || true
              gh pr edit ${{ github.event.pull_request.number }} --add-label "needs-review"
            fi
    # Handle support dependencies: label for human review and fail on purpose
    # (see the inline comment) so the IaC clusters are not spun up for it.
    - name: Handle support dependencies
      if: steps.process-branch.outputs.is_support_deps == 'true'
      shell: bash
      env:
        GH_TOKEN: ${{ inputs.github_token }}
      run: |
        echo "Support dependencies update detected. Needs manual review."
        gh pr edit ${{ github.event.pull_request.number }} --add-label "needs-review"
        # Fail the job to prevent excessive CI runs of IAC clusters
        exit 1
    # Handle operator dependencies: labelled for review like support-deps, but
    # this step does not `exit 1`, so the calling workflow continues —
    # presumably intentional; confirm.
    - name: Handle operator dependencies
      if: steps.process-branch.outputs.is_operator_deps == 'true'
      shell: bash
      env:
        GH_TOKEN: ${{ inputs.github_token }}
      run: |
        echo "Operator dependencies update detected. Needs manual review."
        gh pr edit ${{ github.event.pull_request.number }} --add-label "needs-review"
    # Checkout PR branch (sparse checkout of src/<pkg>) into ./new.
    # actions/checkout is pinned to a commit SHA with the tag kept as a trailing
    # comment, so a moved tag cannot change what runs here.
    # Cone mode is off so the path pattern built from the `package` output is
    # honoured verbatim; that value ultimately comes from the branch name.
    # NOTE(review): head.ref presumably resolves only for same-repo branches,
    # which matches Renovate's usual setup — confirm if fork PRs are expected.
    # NOTE(review): actions/checkout persists the token into each clone's
    # .git/config by default; both clones are removed by the cleanup step.
    - name: Checkout PR branch
      if: steps.process-branch.outputs.needs_comparison == 'true'
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      with:
        ref: ${{ github.event.pull_request.head.ref }}
        path: new
        sparse-checkout: |
          src/${{ steps.process-branch.outputs.package }}
        sparse-checkout-cone-mode: false
    # Checkout main branch (sparse checkout of src/<pkg>) into ./old as the
    # comparison baseline.
    - name: Checkout main branch
      if: steps.process-branch.outputs.needs_comparison == 'true'
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      with:
        ref: main
        path: old
        sparse-checkout: |
          src/${{ steps.process-branch.outputs.package }}
        sparse-checkout-cone-mode: false
    # Install dependencies for the comparison scripts in scripts/renovate.
    # NOTE(review): `npm install` may resolve ranges afresh; if a
    # package-lock.json is committed there, `npm ci` would install the locked
    # tree reproducibly — confirm a lockfile exists.
    - name: Install dependencies
      if: steps.process-branch.outputs.needs_comparison == 'true'
      shell: bash
      run: |
        cd scripts/renovate
        npm install
    # Extract images and charts from old branch (main); the compare step reads
    # the result from old/extract, so presumably that is where it is written.
    - name: Extract images and charts from old branch
      if: steps.process-branch.outputs.needs_comparison == 'true'
      shell: bash
      run: |
        cd scripts/renovate
        npx ts-node getImagesAndCharts.ts $GITHUB_WORKSPACE/old
    # Extract images and charts from new branch (the PR head), read back from
    # new/extract by the compare step.
    - name: Extract images and charts from new branch
      if: steps.process-branch.outputs.needs_comparison == 'true'
      shell: bash
      run: |
        cd scripts/renovate
        npx ts-node getImagesAndCharts.ts $GITHUB_WORKSPACE/new
    # Compare images and charts: the script's stdout is echoed for the log and
    # its `LABELS=` line is parsed into the `labels` output.
    # NOTE(review): `grep "LABELS="` keeps every matching line and `cut -f2`
    # drops anything after a second `=`, so a multi-line or `=`-containing
    # value would corrupt the key=value line written to GITHUB_OUTPUT.
    # waiting=true whenever a waiting-on-* label or helm-chart-only is present.
    - name: Compare images and charts
      id: compare
      if: steps.process-branch.outputs.needs_comparison == 'true'
      shell: bash
      run: |
        cd scripts/renovate
        OUTPUT=$(npx ts-node compareImagesAndCharts.ts $GITHUB_WORKSPACE/old/extract $GITHUB_WORKSPACE/new/extract)
        echo "$OUTPUT"
        # Extract labels from output
        LABELS=$(echo "$OUTPUT" | grep "LABELS=" | cut -d'=' -f2)
        echo "labels=$LABELS" >> $GITHUB_OUTPUT
        # Check if waiting on labels are present, or this is a helm chart update only
        if [[ "$LABELS" == *"waiting on ironbank"* ]] || [[ "$LABELS" == *"waiting on unicorn"* ]] || [[ "$LABELS" == *"helm-chart-only"* ]]; then
          echo "waiting=true" >> $GITHUB_OUTPUT
        else
          echo "waiting=false" >> $GITHUB_OUTPUT
        fi
    # Apply labels: reconcile the managed label set against what the PR holds.
    # NOTE(review): steps.compare.outputs.labels is spliced into the script by
    # expression interpolation; the value is derived from files in the PR
    # branch, so handing it over through `env` (as BRANCH_NAME is above) would
    # keep PR content out of the shell text. Removals are best-effort
    # (`|| true`); the final add is not, so an unknown label name fails the
    # step. Membership tests are substring matches on space-joined names.
    - name: Apply labels
      if: steps.process-branch.outputs.needs_comparison == 'true'
      shell: bash
      env:
        GH_TOKEN: ${{ inputs.github_token }}
      run: |
        LABELS="${{ steps.compare.outputs.labels }}"
        if [[ -n "$LABELS" ]]; then
          echo "New labels to apply: $LABELS"
          # Get current labels on the PR
          CURRENT_LABELS=$(gh pr view ${{ github.event.pull_request.number }} --json labels --jq '.labels[].name' | tr '\n' ' ')
          echo "Current labels: $CURRENT_LABELS"
          # Define the managed labels we care about
          MANAGED_LABELS=("waiting on upstream" "waiting on ironbank" "waiting on unicorn" "needs-review" "helm-chart-only" "major-helm-update" "major-image-update")
          # Remove labels that are currently on the PR but not in the new set
          for LABEL in "${MANAGED_LABELS[@]}"; do
            if [[ "$CURRENT_LABELS" == *"$LABEL"* ]] && [[ "$LABELS" != *"$LABEL"* ]]; then
              echo "Removing outdated label: $LABEL"
              gh pr edit ${{ github.event.pull_request.number }} --remove-label "$LABEL" || true
            fi
          done
          # Add the new labels
          gh pr edit ${{ github.event.pull_request.number }} --add-label "$LABELS"
        fi
    # Fail if waiting on images or this is a helm-chart-only change, so the
    # calling workflow stops here (same pattern as the support-deps step).
    - name: Fail if waiting on images or helm update only
      if: steps.compare.outputs.waiting == 'true'
      shell: bash
      run: |
        echo "PR is waiting on image updates or only contains a helm chart update. Failing job."
        exit 1
    # Always remove both sparse clones, even after a failing step.
    - name: Cleanup extract folders
      if: always()
      shell: bash
      run: rm -rf $GITHUB_WORKSPACE/old $GITHUB_WORKSPACE/new