Merge pull request #9748 from nilo19/feat/auto-bump-module

nilo19 · web-flow · commit 114a3c65b12a · 2025-12-13T23:35:43.000+11:00
feat: auto update go module drifts
diff --git a/.github/workflows/codespell.yaml b/.github/workflows/codespell.yaml
@@ -3,6 +3,7 @@
 # https://github.com/codespell-project/codespell
 name: codespell
 on: 
+  workflow_dispatch:
   push:
     branches: [ master, 'release-**' ]
   pull_request:
diff --git a/.github/workflows/go-mod-consistency.yaml b/.github/workflows/go-mod-consistency.yaml
@@ -1,13 +1,15 @@
 name: Go Module Consistency
 
 on:
+  workflow_dispatch:
   push:
     branches: [ master, 'release-**' ]
   pull_request:
     branches: [ master, 'release-**' ]
 
 permissions:
   contents: read
+  pull-requests: write
 
 jobs:
   go-mod-consistency:
@@ -37,7 +39,7 @@ jobs:
             health-probe-proxy/go.sum
             kubetest2-aks/go.sum
 
-      - name: Run go mod tidy and verify
+      - name: Run go mod tidy, vendor, and verify
         run: |
           set -euo pipefail
           modules=(
@@ -51,14 +53,107 @@ jobs:
             health-probe-proxy
             kubetest2-aks
           )
+          vendor_modules=(
+            .
+          )
           for m in "${modules[@]}"; do
             echo ">> go mod tidy (${m})"
             (cd "${m}" && go mod tidy)
+            if [[ " ${vendor_modules[*]} " == *" ${m} "* ]]; then
+              echo ">> go mod vendor (${m})"
+              (cd "${m}" && go mod vendor)
+            fi
             echo ">> go mod verify (${m})"
             (cd "${m}" && go mod verify)
           done
 
-      - name: Fail on uncommitted changes
+      - name: Detect go module drift
+        id: diff
+        run: |
+          set -euo pipefail
+          status_output="$(git status --porcelain)"
+          if [ -z "${status_output}" ]; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          echo "changed=true" >> "$GITHUB_OUTPUT"
+
+      - name: Write summary
+        if: steps.diff.outputs.changed == 'true'
+        run: |
+          set -euo pipefail
+          {
+            echo "### Go module drift detected"
+            echo ""
+            echo "A maintainer can apply the updates by running:"
+            echo "- Update Go Modules (Manual): https://github.com/${GITHUB_REPOSITORY}/actions/workflows/update-go-mods.yaml"
+            if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then
+              echo "- PR: #${{ github.event.pull_request.number }}"
+            fi
+            echo ""
+            echo "Diff summary:"
+            echo '```'
+            git diff --stat
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Notify pull request
+        if: github.event_name == 'pull_request' && steps.diff.outputs.changed == 'true'
+        continue-on-error: true
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+
+          pr_number="${{ github.event.pull_request.number }}"
+          author="$(jq -r '.pull_request.user.login // empty' "${GITHUB_EVENT_PATH}")"
+          reviewers="$(jq -r '.pull_request.requested_reviewers[].login // empty' "${GITHUB_EVENT_PATH}" | sed 's/^/@/' | paste -sd ' ' -)"
+          teams="$(jq -r '.pull_request.requested_teams[].slug // empty' "${GITHUB_EVENT_PATH}" | sed "s|^|@${GITHUB_REPOSITORY_OWNER}/|" | paste -sd ' ' -)"
+
+          mentions=""
+          if [[ -n "${author}" ]]; then
+            mentions="@${author}"
+          fi
+          if [[ -n "${reviewers}" ]]; then
+            mentions="${mentions} ${reviewers}"
+          fi
+          if [[ -n "${teams}" ]]; then
+            mentions="${mentions} ${teams}"
+          fi
+          mentions="$(printf '%s' "${mentions}" | xargs || true)"
+
+          marker="<!-- go-mod-drift -->"
+          workflow_url="https://github.com/${GITHUB_REPOSITORY}/actions/workflows/update-go-mods.yaml"
+          diffstat="$(git diff --stat)"
+
+          body="$(printf '%s\n' \
+            "${marker}" \
+            "${mentions}" \
+            "" \
+            "Go module files are out of date for this PR (go.mod/go.sum and/or vendor)." \
+            "" \
+            "A maintainer can apply the generated updates by running:" \
+            "- Workflow: ${workflow_url}" \
+            "- Input: pr_number=${pr_number}" \
+            "" \
+            "Note: commits pushed by GitHub Actions using GITHUB_TOKEN don't auto-trigger other push/pull_request workflows, so checks may need to be manually re-run." \
+            "" \
+            "Diff summary:" \
+            "${diffstat}" \
+          )"
+
+          comment_id="$(gh api "repos/${GITHUB_REPOSITORY}/issues/${pr_number}/comments" --paginate | jq -r --arg marker "${marker}" '.[] | select(.user.login=="github-actions[bot]" and (.body | contains($marker))) | .id' | head -n 1)"
+          if [[ -n "${comment_id}" && "${comment_id}" != "null" ]]; then
+            gh api -X PATCH "repos/${GITHUB_REPOSITORY}/issues/comments/${comment_id}" -f body="${body}" >/dev/null
+            exit 0
+          fi
+
+          gh api -X POST "repos/${GITHUB_REPOSITORY}/issues/${pr_number}/comments" -f body="${body}" >/dev/null
+
+      - name: Fail on go module drift
+        if: steps.diff.outputs.changed == 'true'
         run: |
+          set -euo pipefail
+          git status --porcelain
           git diff --stat
-          git diff --quiet
+          exit 1
diff --git a/.github/workflows/update-go-mods.yaml b/.github/workflows/update-go-mods.yaml
@@ -0,0 +1,164 @@
+name: Update Go Modules (Manual)
+
+on:
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: Pull request number to update (same-repo PRs only)
+        required: true
+        type: string
+
+permissions:
+  actions: write
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-go-mods:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
+      - name: Resolve pull request
+        id: pr
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          pr_number="${{ inputs.pr_number }}"
+
+          pr_json="$(gh api "repos/${GITHUB_REPOSITORY}/pulls/${pr_number}")"
+          head_repo="$(printf '%s' "${pr_json}" | jq -r '.head.repo.full_name')"
+          head_ref="$(printf '%s' "${pr_json}" | jq -r '.head.ref')"
+          head_sha="$(printf '%s' "${pr_json}" | jq -r '.head.sha')"
+
+          echo "head_repo=${head_repo}" >> "$GITHUB_OUTPUT"
+          echo "head_ref=${head_ref}" >> "$GITHUB_OUTPUT"
+          echo "head_sha=${head_sha}" >> "$GITHUB_OUTPUT"
+
+          if [[ "${head_repo}" != "${GITHUB_REPOSITORY}" ]]; then
+            echo "cross_repo=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "cross_repo=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Stop (forked PRs not supported)
+        if: steps.pr.outputs.cross_repo == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          pr_number="${{ inputs.pr_number }}"
+          head_repo="${{ steps.pr.outputs.head_repo }}"
+          gh pr comment "${pr_number}" --repo "${GITHUB_REPOSITORY}" --body \
+            "This PR targets \`${GITHUB_REPOSITORY}\`, but its head branch is in \`${head_repo}\`.\n\nI can't push go.mod/go.sum/vendor updates to forked PR branches.\n\nPlease run \`go mod tidy\` (and \`go mod vendor\` if needed) locally and push the result to the PR branch."
+          exit 1
+
+      - name: Checkout PR branch
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.2.2
+        with:
+          ref: ${{ steps.pr.outputs.head_ref }}
+          fetch-depth: 0
+
+      - name: Setup Go
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        with:
+          go-version-file: go.mod
+          check-latest: true
+          cache-dependency-path: |
+            go.sum
+            tests/go.sum
+            pkg/azclient/go.sum
+            pkg/azclient/cache/go.sum
+            pkg/azclient/configloader/go.sum
+            pkg/azclient/trace/go.sum
+            pkg/azclient/client-gen/go.sum
+            health-probe-proxy/go.sum
+            kubetest2-aks/go.sum
+
+      - name: Run go mod tidy, vendor, and verify
+        run: |
+          set -euo pipefail
+          modules=(
+            .
+            tests
+            pkg/azclient
+            pkg/azclient/cache
+            pkg/azclient/configloader
+            pkg/azclient/trace
+            pkg/azclient/client-gen
+            health-probe-proxy
+            kubetest2-aks
+          )
+          vendor_modules=(
+            .
+          )
+          for m in "${modules[@]}"; do
+            echo ">> go mod tidy (${m})"
+            (cd "${m}" && go mod tidy)
+            if [[ " ${vendor_modules[*]} " == *" ${m} "* ]]; then
+              echo ">> go mod vendor (${m})"
+              (cd "${m}" && go mod vendor)
+            fi
+            echo ">> go mod verify (${m})"
+            (cd "${m}" && go mod verify)
+          done
+
+      - name: Detect changes
+        id: diff
+        run: |
+          set -euo pipefail
+          status_output="$(git status --porcelain)"
+          if [ -z "${status_output}" ]; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          printf '%s\n' "${status_output}"
+          echo "changed=true" >> "$GITHUB_OUTPUT"
+
+      - name: Commit and push go module updates
+        if: steps.diff.outputs.changed == 'true'
+        run: |
+          set -euo pipefail
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config user.name "github-actions[bot]"
+          git add -A
+          git commit -m "chore: tidy go modules"
+          git push origin "HEAD:${{ steps.pr.outputs.head_ref }}"
+
+      - name: Trigger CI workflows (best effort)
+        if: steps.diff.outputs.changed == 'true'
+        continue-on-error: true
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          ref="${{ steps.pr.outputs.head_ref }}"
+          workflows=(
+            go-mod-consistency.yaml
+            lint.yaml
+            trivy.yaml
+            codespell.yaml
+          )
+          for wf in "${workflows[@]}"; do
+            echo "Dispatching ${wf} on ${ref}"
+            gh workflow run "${wf}" --repo "${GITHUB_REPOSITORY}" --ref "${ref}" || true
+          done
+
+      - name: Comment on pull request
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          pr_number="${{ inputs.pr_number }}"
+          if [[ "${{ steps.diff.outputs.changed }}" != "true" ]]; then
+            gh pr comment "${pr_number}" --repo "${GITHUB_REPOSITORY}" --body \
+              "No go.mod/go.sum/vendor updates were needed."
+            exit 0
+          fi
+
+          gh pr comment "${pr_number}" --repo "${GITHUB_REPOSITORY}" --body \
+            "Pushed go.mod/go.sum/vendor updates to \`${{ steps.pr.outputs.head_ref }}\`.\n\nNote: commits pushed by GitHub Actions using \`GITHUB_TOKEN\` don't auto-trigger other \`push\`/ \`pull_request\` workflows. This workflow tries to dispatch common CI workflows; if checks didn't start, run them manually from the **Actions** tab."
