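name: Check External Dependencies

# Looks up the newest upstream release or commit for every artifact pinned in
# shared/download/checksums.json and opens a pull request that refreshes the
# url / sha256 / version triple of each one that moved.
on:
  schedule:
    - cron: '0 9 * * 1' # Weekly on Monday 9am UTC
  workflow_dispatch:

# Deny every token scope by default; the job below opts in to what it needs.
permissions: {}

jobs:
  check-updates:
    runs-on: ubuntu-latest
    permissions:
      contents: write # push the auto-update-checksums branch
      pull-requests: write # open or update the pull request
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

      - name: Check for dependency updates
        id: check
        run: |
          CHECKSUMS="shared/download/checksums.json"
          API="https://api.github.com/repos"
          UPDATES=""

          # Everything fetched below is remote, untrusted text that ends up in
          # step outputs and later in download URLs. Only values made of these
          # characters are accepted, so an error body, "null", whitespace or a
          # newline can never become a version or commit id.
          VERSION_RE='^[0-9][0-9A-Za-z.+~-]*$'
          COMMIT_RE='^[0-9a-f]{12,40}$'

          # accept NAME VALUE PATTERN: succeed only if VALUE matches PATTERN.
          # The rejected value itself is deliberately not echoed to the log.
          accept() {
            [[ "$2" =~ $3 ]] && return 0
            echo "Skipping $1: upstream lookup returned an empty or malformed value"
            return 1
          }

          # publish KEY VALUE: write one step output.
          publish() {
            echo "$1=$2" >> "$GITHUB_OUTPUT"
          }

          # curl runs with -f so an HTTP error (rate limit, 404) yields empty
          # output instead of an error document that would be parsed as data.

          # Check Bitwarden (newest release whose tag starts with desktop-v)
          CURRENT_BW=$(jq -r '.bitwarden.version' "$CHECKSUMS")
          LATEST_BW=$(curl -fsS "$API/bitwarden/clients/releases" | jq -r '[.[] | select(.tag_name | startswith("desktop-v"))][0].tag_name' | sed 's/desktop-v//')
          if accept bitwarden "$LATEST_BW" "$VERSION_RE" && [[ "$LATEST_BW" != "$CURRENT_BW" ]]; then
            UPDATES="${UPDATES}bitwarden: $CURRENT_BW -> $LATEST_BW\n"
            publish bitwarden_update true
            publish bitwarden_version "$LATEST_BW"
          fi

          # Check Homebrew install script. Compared on the first 12 hex digits;
          # the update step stores that abbreviated id and builds the raw URL
          # from it.
          CURRENT_BREW=$(jq -r '.["brew-install"].version' "$CHECKSUMS")
          LATEST_BREW=$(curl -fsS "$API/Homebrew/install/commits/HEAD" | jq -r '.sha' | head -c 12)
          CURRENT_BREW_SHORT=$(echo "$CURRENT_BREW" | head -c 12)
          if accept brew-install "$LATEST_BREW" "$COMMIT_RE" && [[ "$LATEST_BREW" != "$CURRENT_BREW_SHORT" ]]; then
            UPDATES="${UPDATES}brew-install: $CURRENT_BREW_SHORT -> $LATEST_BREW\n"
            publish brew_update true
            publish brew_commit "$LATEST_BREW"
          fi

          # Check code-server
          CURRENT_CS=$(jq -r '.["code-server"].version' "$CHECKSUMS")
          LATEST_CS=$(curl -fsS "$API/coder/code-server/releases/latest" | jq -r '.tag_name' | sed 's/^v//')
          if accept code-server "$LATEST_CS" "$VERSION_RE" && [[ "$LATEST_CS" != "$CURRENT_CS" ]]; then
            UPDATES="${UPDATES}code-server: $CURRENT_CS -> $LATEST_CS\n"
            publish codeserver_update true
            publish codeserver_version "$LATEST_CS"
          fi

          # Check Surface cert (less frequent changes). The URL is quoted so the
          # shell never treats the "?" as a glob character.
          CURRENT_SURF=$(jq -r '.["surface-cert"].version' "$CHECKSUMS")
          LATEST_SURF=$(curl -fsS "$API/linux-surface/linux-surface/commits?path=pkg/keys/surface.cer" | jq -r '.[0].sha' | head -c 12)
          CURRENT_SURF_SHORT=$(echo "$CURRENT_SURF" | head -c 12)
          if accept surface-cert "$LATEST_SURF" "$COMMIT_RE" && [[ "$LATEST_SURF" != "$CURRENT_SURF_SHORT" ]]; then
            UPDATES="${UPDATES}surface-cert: $CURRENT_SURF_SHORT -> $LATEST_SURF\n"
            publish surface_update true
            publish surface_commit "$LATEST_SURF"
          fi

          # Check hotedge (full commit id; shortened only for the summary)
          CURRENT_HE=$(jq -r '.hotedge.version' "$CHECKSUMS")
          LATEST_HE=$(curl -fsS "$API/frostyard/hotedge/commits/HEAD" | jq -r '.sha')
          if accept hotedge "$LATEST_HE" "$COMMIT_RE" && [[ "$LATEST_HE" != "$CURRENT_HE" ]]; then
            UPDATES="${UPDATES}hotedge: ${CURRENT_HE:0:12} -> ${LATEST_HE:0:12}\n"
            publish hotedge_update true
            publish hotedge_commit "$LATEST_HE"
          fi

          # Check logomenu (full commit id; shortened only for the summary)
          CURRENT_LM=$(jq -r '.logomenu.version' "$CHECKSUMS")
          LATEST_LM=$(curl -fsS "$API/frostyard/logomenu/commits/HEAD" | jq -r '.sha')
          if accept logomenu "$LATEST_LM" "$COMMIT_RE" && [[ "$LATEST_LM" != "$CURRENT_LM" ]]; then
            UPDATES="${UPDATES}logomenu: ${CURRENT_LM:0:12} -> ${LATEST_LM:0:12}\n"
            publish logomenu_update true
            publish logomenu_commit "$LATEST_LM"
          fi

          # Check Microsoft Azure VPN Client (highest version in the pool listing)
          CURRENT_AZ=$(jq -r '.["microsoft-azurevpnclient"].version' "$CHECKSUMS")
          LATEST_AZ=$(curl -fsS https://packages.microsoft.com/ubuntu/22.04/prod/pool/main/m/microsoft-azurevpnclient/ | grep -oP 'microsoft-azurevpnclient_\K[0-9]+\.[0-9]+\.[0-9]+' | sort -V | tail -1)
          if accept microsoft-azurevpnclient "$LATEST_AZ" "$VERSION_RE" && [[ "$LATEST_AZ" != "$CURRENT_AZ" ]]; then
            UPDATES="${UPDATES}microsoft-azurevpnclient: $CURRENT_AZ -> $LATEST_AZ\n"
            publish azurevpn_update true
            publish azurevpn_version "$LATEST_AZ"
          fi

          # Check Microsoft Edge Stable (highest Version in the Packages index)
          CURRENT_EDGE=$(jq -r '.["microsoft-edge-stable"].version' "$CHECKSUMS")
          LATEST_EDGE=$(curl -fsS https://packages.microsoft.com/repos/edge/dists/stable/main/binary-amd64/Packages | awk '/^Package: microsoft-edge-stable$/,/^$/' | awk '/^Version:/ {print $2}' | sort -V | tail -1)
          if accept microsoft-edge-stable "$LATEST_EDGE" "$VERSION_RE" && [[ "$LATEST_EDGE" != "$CURRENT_EDGE" ]]; then
            UPDATES="${UPDATES}microsoft-edge-stable: $CURRENT_EDGE -> $LATEST_EDGE\n"
            publish edge_update true
            publish edge_version "$LATEST_EDGE"
          fi

          if [[ -n "$UPDATES" ]]; then
            publish has_updates true
            echo -e "Updates available:\n$UPDATES"
          else
            publish has_updates false
            echo "All dependencies up to date"
          fi

      - name: Update checksums
        if: steps.check.outputs.has_updates == 'true'
        # Step outputs reach the script as environment variables. Expanding an
        # Actions expression inside the script text would splice remote-derived
        # strings into the shell source before bash parses it, in a job whose
        # token can write contents and pull requests.
        env:
          BITWARDEN_UPDATE: ${{ steps.check.outputs.bitwarden_update }}
          BITWARDEN_VERSION: ${{ steps.check.outputs.bitwarden_version }}
          CODESERVER_UPDATE: ${{ steps.check.outputs.codeserver_update }}
          CODESERVER_VERSION: ${{ steps.check.outputs.codeserver_version }}
          BREW_UPDATE: ${{ steps.check.outputs.brew_update }}
          BREW_COMMIT: ${{ steps.check.outputs.brew_commit }}
          SURFACE_UPDATE: ${{ steps.check.outputs.surface_update }}
          SURFACE_COMMIT: ${{ steps.check.outputs.surface_commit }}
          HOTEDGE_UPDATE: ${{ steps.check.outputs.hotedge_update }}
          HOTEDGE_COMMIT: ${{ steps.check.outputs.hotedge_commit }}
          LOGOMENU_UPDATE: ${{ steps.check.outputs.logomenu_update }}
          LOGOMENU_COMMIT: ${{ steps.check.outputs.logomenu_commit }}
          AZUREVPN_UPDATE: ${{ steps.check.outputs.azurevpn_update }}
          AZUREVPN_VERSION: ${{ steps.check.outputs.azurevpn_version }}
          EDGE_UPDATE: ${{ steps.check.outputs.edge_update }}
          EDGE_VERSION: ${{ steps.check.outputs.edge_version }}
        run: |
          CHECKSUMS="shared/download/checksums.json"

          # pin KEY VERSION URL
          # Download URL, hash it, and rewrite the KEY entry of checksums.json.
          # The sha256 recorded here is simply the digest of what this runner
          # received; nothing compares it with a digest or signature published
          # upstream, so the pull request review is where that check belongs.
          # Both temp files live outside the checkout so a failed run cannot
          # leave a stray file for the pull request step to commit.
          pin() {
            local key="$1" version="$2" url="$3" artifact manifest sha
            artifact=$(mktemp)
            manifest=$(mktemp)
            curl -fsSL -o "$artifact" "$url"
            sha=$(sha256sum "$artifact" | cut -d' ' -f1)
            jq --arg k "$key" --arg u "$url" --arg s "$sha" --arg v "$version" \
              '.[$k].url=$u | .[$k].sha256=$s | .[$k].version=$v' \
              "$CHECKSUMS" > "$manifest"
            mv "$manifest" "$CHECKSUMS"
            rm -f "$artifact"
          }

          if [[ "$BITWARDEN_UPDATE" == "true" ]]; then
            pin bitwarden "$BITWARDEN_VERSION" \
              "https://github.com/bitwarden/clients/releases/download/desktop-v${BITWARDEN_VERSION}/Bitwarden-${BITWARDEN_VERSION}-amd64.deb"
          fi

          if [[ "$CODESERVER_UPDATE" == "true" ]]; then
            pin code-server "$CODESERVER_VERSION" \
              "https://github.com/coder/code-server/releases/download/v${CODESERVER_VERSION}/code-server_${CODESERVER_VERSION}_amd64.deb"
          fi

          if [[ "$BREW_UPDATE" == "true" ]]; then
            pin brew-install "$BREW_COMMIT" \
              "https://raw.githubusercontent.com/Homebrew/install/${BREW_COMMIT}/install.sh"
          fi

          if [[ "$SURFACE_UPDATE" == "true" ]]; then
            pin surface-cert "$SURFACE_COMMIT" \
              "https://github.com/linux-surface/linux-surface/raw/${SURFACE_COMMIT}/pkg/keys/surface.cer"
          fi

          if [[ "$HOTEDGE_UPDATE" == "true" ]]; then
            pin hotedge "$HOTEDGE_COMMIT" \
              "https://codeload.github.com/frostyard/hotedge/tar.gz/${HOTEDGE_COMMIT}"
          fi

          if [[ "$LOGOMENU_UPDATE" == "true" ]]; then
            pin logomenu "$LOGOMENU_COMMIT" \
              "https://codeload.github.com/frostyard/logomenu/tar.gz/${LOGOMENU_COMMIT}"
          fi

          if [[ "$AZUREVPN_UPDATE" == "true" ]]; then
            pin microsoft-azurevpnclient "$AZUREVPN_VERSION" \
              "https://packages.microsoft.com/ubuntu/22.04/prod/pool/main/m/microsoft-azurevpnclient/microsoft-azurevpnclient_${AZUREVPN_VERSION}_amd64.deb"
          fi

          if [[ "$EDGE_UPDATE" == "true" ]]; then
            pin microsoft-edge-stable "$EDGE_VERSION" \
              "https://packages.microsoft.com/repos/edge/pool/main/m/microsoft-edge-stable/microsoft-edge-stable_${EDGE_VERSION}_amd64.deb"
          fi

      # A pull request opened with GITHUB_TOKEN does not start other workflows
      # in the repository, so the build verification requested in the body has
      # to be run by the reviewer before merging.
      - name: Create Pull Request
        if: steps.check.outputs.has_updates == 'true'
        uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5 # v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: "chore: update external dependency checksums"
          title: "chore: update external dependency checksums"
          body: |
            Automated update of pinned external dependencies.
            **Please verify the builds work before merging.**
          branch: auto-update-checksums
          delete-branch: true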