Bump the actions-all-dependencies group across 1 directory with 2 updates #164
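# Keeps the Terraform provider lock files (.terraform.lock.hcl) in step with
# infra/shared/versions.tf on pull requests. Dependabot PRs get the regenerated
# lock files committed back to the PR branch; other PRs fail the check and get
# a PR comment asking the author to regenerate the lock files locally.
name: Update Provider Lock Files
on:
  pull_request:
    paths:
      - "infra/shared/versions.tf"
      - "infra/scripts/upgrade_tf_version.sh"
      - ".github/workflows/update-provider-locks.yml"
jobs:
  update-locks:
    runs-on: ubuntu-24.04
    # contents: write is needed for the push back to the PR branch, and
    # pull-requests: write for creating/deleting PR comments. Both only widen
    # the default GITHUB_TOKEN; a PR from a fork still runs with a read-only token.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Checkout code
        # Actions are pinned to a commit SHA; the trailing comment records the
        # tag that SHA corresponds to.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Use the pull request head ref to ensure we're on the PR branch
          # (the default ref for pull_request is the merge commit, which cannot
          # be pushed back to the branch).
          ref: ${{ github.head_ref }}
      - name: Install `tfupdate` with mise
        uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
        with:
          install_args: tfupdate
      - name: Run lock update script
        run: |
          ./infra/scripts/upgrade_tf_version.sh --lock-only
      - name: Check for changed files
        id: git-check
        # Exposes `changed` (true/false) for the later steps to branch on.
        run: |
          # Check if there are any changes
          # NOTE(review): `git diff` ignores untracked files, so a lock file
          # created in a directory that had none before would not be detected
          # here - confirm whether the script can create new lock files.
          if git diff --quiet && git diff --cached --quiet; then
            echo "changed=false" >> "${GITHUB_OUTPUT}"
            echo "No changes detected"
          else
            echo "changed=true" >> "${GITHUB_OUTPUT}"
            echo "Changes detected:"
            git diff --name-only
          fi
      - name: Handle Dependabot PR - commit lock files
        # github.actor is whoever triggered this run, so a person pushing to a
        # Dependabot branch takes the non-Dependabot path further down.
        if: steps.git-check.outputs.changed == 'true' && github.actor == 'dependabot[bot]'
        env:
          # Passed through env rather than interpolated into the script so the
          # branch name is never expanded as shell syntax.
          PUSH_REF: ${{ github.head_ref }}
        run: |
          git config --local user.email "action@github.com"
          git config --local user.name "GitHub Action"
          # Add only .terraform.lock.hcl files
          git add '**/.terraform.lock.hcl'
          # Check if there are staged changes
          if git diff --cached --quiet; then
            echo "No .terraform.lock.hcl files to commit"
          else
            git commit -m "Update provider lock files"
            # Push with the credentials actions/checkout persisted, i.e. the
            # job's GITHUB_TOKEN (no PAT is configured). Pushes made with
            # GITHUB_TOKEN do not trigger other workflows; the success comment
            # below tells the reviewer how to get CI to run again.
            git push origin HEAD:"${PUSH_REF}"
          fi
      - name: Check for uncommitted changes (Dependabot PR)
        # Runs for every Dependabot PR, including those with no lock changes,
        # so anything the script touched beyond lock files fails the job.
        if: github.actor == 'dependabot[bot]'
        run: |
          # After committing lock files, check if there are still any changes
          if ! git diff --quiet || ! git diff --cached --quiet; then
            echo "Error: There are still uncommitted changes after processing lock files:"
            git status --porcelain
            echo ""
            echo "Changed files:"
            git diff --name-only
            if git diff --cached --quiet; then
              echo "No staged changes"
            else
              echo "Staged changes:"
              git diff --cached --name-only
            fi
            echo ""
            echo "This suggests there are changes beyond just .terraform.lock.hcl files that need attention."
            exit 1
          else
            echo "All changes have been properly handled"
          fi
      - name: Check for missing lock updates (Non-Dependabot PR)
        if: steps.git-check.outputs.changed == 'true' && github.actor != 'dependabot[bot]'
        env:
          COMMENT_MARKER: "<!-- provider-locks: missing updates -->"
          GH_TOKEN: ${{ github.token }}
          # Event data goes through env instead of ${{ }} inside `run` so that
          # nothing from the event payload is substituted into shell syntax.
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          echo "Error: Provider lock files are out of date!"
          echo ""
          echo "You have modified infra/shared/versions.tf but the corresponding .terraform.lock.hcl files"
          echo "have not been updated. Please run the following command locally and commit the changes:"
          echo ""
          echo "  ./infra/scripts/upgrade_tf_version.sh --lock-only"
          echo ""
          echo "Changed files detected:"
          git status --porcelain
          echo ""
          git diff --name-only
          # Leave a comment on the PR. The marker on the last line is how the
          # clean-up steps recognise comments posted by this workflow.
          cat <<EOF > "${RUNNER_TEMP}/pr-comment.md"
          > [!CAUTION]
          > **Provider lock files are out of date!**
          >
          > You have modified \`infra/shared/versions.tf\` but the corresponding \`.terraform.lock.hcl\` files
          > have not been updated. Please run the following command locally and commit the changes:
          >
          > \`\`\`bash
          > ./infra/scripts/upgrade_tf_version.sh --lock-only
          > \`\`\`
          ${COMMENT_MARKER}
          EOF
          # Remove any existing comments from this workflow
          # shellcheck disable=SC2016 # $ENV is not a shell variable
          old_comment_ids=$(gh api "repos/{owner}/{repo}/issues/${PR_NUMBER}/comments" --jq 'map(select((.user.login == "github-actions[bot]") and (.body | endswith($ENV.COMMENT_MARKER + "\n")))) | .[].id')
          for comment_id in $old_comment_ids; do
            gh api -X DELETE "repos/{owner}/{repo}/issues/comments/${comment_id}"
          done
          gh pr comment "${PR_URL}" --body-file "${RUNNER_TEMP}/pr-comment.md"
          exit 1
      - name: Comment on Dependabot PR success
        if: steps.git-check.outputs.changed == 'true' && github.actor == 'dependabot[bot]'
        env:
          COMMENT_MARKER: "<!-- provider-locks: dependabot updated -->"
          GH_TOKEN: ${{ github.token }}
          HEAD_REF: ${{ github.head_ref }}
          # Event data goes through env instead of ${{ }} inside `run` so that
          # nothing from the event payload is substituted into shell syntax.
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          # Leave a comment on the PR. GitHub renders [!NOTE]/[!IMPORTANT]/
          # [!WARNING] as alerts only when each starts its own blockquote, so
          # the three alerts are separated by blank lines.
          cat <<EOF > "${RUNNER_TEMP}/pr-comment.md"
          > [!NOTE]
          > **Provider lock files have been automatically updated**
          >
          > This Dependabot PR modified \`infra/shared/versions.tf\`, so the corresponding
          > \`.terraform.lock.hcl\` files have been automatically updated and committed.
          >
          > The changes are ready for review and merge.

          > [!IMPORTANT]
          > The actions have not been run on this PR since the lock files were updated, because GHA won't run \`push\` actions when the commit has been made by a bot.
          > To get the CI checks to run, you will need to amend the PR:
          > 1. Check out the PR branch locally: \`git checkout ${HEAD_REF}\`
          > 2. Pull the latest changes: \`git pull\`
          > 3. Make a no-op amendment: \`git commit --amend --no-edit\`
          > 4. Push the amended commit: \`git push --force-with-lease\`
          >
          > This will trigger the CI checks to run with the updated lock files.

          > [!WARNING]
          > If dependabot has attempted to modify the PR (i.e. if there are new dependency updates available), comment \`@dependabot recreate\` and it'll recreate the PR from scratch (allowing the lock files to be updated correctly).
          ${COMMENT_MARKER}
          EOF
          # Remove any existing comments from this workflow
          # shellcheck disable=SC2016 # $ENV is not a shell variable
          old_comment_ids=$(gh api "repos/{owner}/{repo}/issues/${PR_NUMBER}/comments" --jq 'map(select((.user.login == "github-actions[bot]") and (.body | endswith($ENV.COMMENT_MARKER + "\n")))) | .[].id')
          for comment_id in $old_comment_ids; do
            gh api -X DELETE "repos/{owner}/{repo}/issues/comments/${comment_id}"
          done
          gh pr comment "${PR_URL}" --body-file "${RUNNER_TEMP}/pr-comment.md"
      - name: Remove stale comments when no changes needed
        if: steps.git-check.outputs.changed == 'false'
        env:
          COMMENT_MARKER_MISSING: "<!-- provider-locks: missing updates -->"
          COMMENT_MARKER_DEPENDABOT: "<!-- provider-locks: dependabot updated -->"
          GH_TOKEN: ${{ github.token }}
          # Event data goes through env instead of ${{ }} inside `run` so that
          # nothing from the event payload is substituted into shell syntax.
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # Remove any existing comments from this workflow since no changes are needed
          # shellcheck disable=SC2016 # $ENV is not a shell variable
          old_comment_ids=$(gh api "repos/{owner}/{repo}/issues/${PR_NUMBER}/comments" --jq 'map(select((.user.login == "github-actions[bot]") and ((.body | endswith($ENV.COMMENT_MARKER_MISSING + "\n")) or (.body | endswith($ENV.COMMENT_MARKER_DEPENDABOT + "\n"))))) | .[].id')
          for comment_id in $old_comment_ids; do
            echo "Removing stale comment: $comment_id"
            gh api -X DELETE "repos/{owner}/{repo}/issues/comments/${comment_id}"
          done
          echo "No provider lock updates needed - removed any stale comments"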