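---
# Bumps the pinned semgrep version in this repository: runs the bump script,
# opens a PR, approves and auto-merges it, then repeats the same flow for the
# YAML-side bump. All git/PR operations use a short-lived GitHub App
# installation token minted at the start of the job (masked in the log).
#
# Input handling: the `version` dispatch input reaches shell code only through
# environment variables, never through `${{ }}` interpolation inside `run:`
# bodies, so a crafted value cannot be turned into shell syntax.
name: bump-version

on:
  workflow_dispatch:
    inputs:
      version:
        description: "Version of semgrep to use"
        required: true
        type: string

jobs:
  bump-version:
    runs-on: ubuntu-latest
    # Pushing commits/tags and managing PRs needs contents + pull-requests.
    # NOTE(review): no visible step uses OIDC; confirm `id-token: write` is
    # actually needed by the cicd container and drop it otherwise.
    permissions:
      id-token: write
      contents: write
      pull-requests: write
      checks: write
    env:
      # Requested version, consumed by the bump scripts via env only.
      NEW_SEMGREP_VERSION: ${{ github.event.inputs.version }}
    steps:
      - id: jwt
        name: Get JWT for semgrep-ci GitHub App
        env:
          EXPIRATION: 600
          ISSUER: ${{ secrets.SEMGREP_CI_APP_ID }}
          PRIVATE_KEY: ${{ secrets.SEMGREP_CI_APP_KEY }}
        # NOTE(review): this step receives the App private key and runs a
        # mutable `:latest` image, so its code can change underneath the
        # workflow. Pin to an image digest, e.g.
        # public.ecr.aws/y9k7q4m1/devops/cicd@sha256:<DIGEST-PLACEHOLDER>
        uses: docker://public.ecr.aws/y9k7q4m1/devops/cicd:latest

      - id: token
        name: Get token for semgrep-ci GitHub App
        env:
          # Handed over via env rather than `${{ }}` inside the script so the
          # values are never part of the shell source text.
          APP_JWT: ${{ steps.jwt.outputs.jwt }}
          INSTALLATION_ID: ${{ secrets.SEMGREP_CI_APP_INSTALLATION_ID }}
        run: |
          # --fail makes an HTTP error abort the step (pipefail is on by default)
          # instead of silently yielding an empty token.
          TOKEN="$(curl --fail --silent --show-error -X POST \
            -H "Authorization: Bearer ${APP_JWT}" \
            -H "Accept: application/vnd.github.v3+json" \
            "https://api.github.com/app/installations/${INSTALLATION_ID}/access_tokens" | \
            jq -r .token)"
          # jq prints "null" when the field is missing; treat that as a failure
          # here rather than as a confusing push/PR error several steps later.
          if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
            echo "failed to obtain installation token" >&2
            exit 1
          fi
          echo "::add-mask::$TOKEN"
          echo "token=$TOKEN" >> "$GITHUB_OUTPUT"

      # NOTE(review): `v3` is a mutable tag; prefer pinning to a commit SHA
      # (actions/checkout@<SHA-PLACEHOLDER> # v3) for supply-chain integrity.
      - uses: actions/checkout@v3
        with:
          token: ${{ steps.token.outputs.token }}

      - name: Bump version in this repo
        run: scripts/bump-version.sh "$NEW_SEMGREP_VERSION"

      - name: Commit and push
        id: commit
        env:
          # `${VAR}` is not expanded inside a step's `env:` values -- only
          # `${{ }}` is -- so the version has to come from the env context.
          # (The previous `${NEW_SEMGREP_VERSION}` was written literally into
          # the branch name and commit subject.)
          BRANCH: "gha/bump-version-${{ env.NEW_SEMGREP_VERSION }}-${{ github.run_id }}-${{ github.run_attempt }}"
          SUBJECT: "Bump semgrep to ${{ env.NEW_SEMGREP_VERSION }}"
          ACTOR: ${{ github.actor }}
        run: |
          git config user.name "$ACTOR"
          git config user.email "${ACTOR}@users.noreply.github.com"
          git checkout -b "$BRANCH"
          git add .
          git commit -m "$SUBJECT"
          git tag "v$NEW_SEMGREP_VERSION" HEAD
          git push --set-upstream origin "$BRANCH"
          # NOTE(review): the tag above is created locally but never pushed,
          # and it points at the branch commit, not at the squash-merge result
          # on the default branch -- confirm where the tag push is intended.
          echo "branch=$BRANCH" >> "$GITHUB_OUTPUT"
          echo "subject=$SUBJECT" >> "$GITHUB_OUTPUT"

      - name: Create PR
        id: open-pr
        env:
          SOURCE: "${{ steps.commit.outputs.branch }}"
          TARGET: "${{ github.event.repository.default_branch }}"
          TITLE: "chore: Release Version ${{ inputs.version }}"
          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
          VERSION: "${{ inputs.version }}"
        run: |
          # Refuse to open a duplicate PR on re-runs. Counting JSON results is
          # more robust than grepping for a human-readable "no pull requests"
          # message, which is printed only in TTY mode.
          if [ "$(gh pr list --head "${SOURCE}" --json number --jq length)" != "0" ]; then
            echo "pull request from SOURCE ${SOURCE} to TARGET ${TARGET} is already open"
            echo "cancelling release"
            exit 1
          fi
          gh pr create --title "${TITLE}" --body "Bump Semgrep Version to ${VERSION}" \
            --base "${TARGET}" --head "${SOURCE}" --reviewer semgrep/cdx

      - name: Approve & Merge PR
        env:
          # gh needs a token in every step that calls it; this step had none.
          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
          # Was `steps.commit.branch`, which is not a valid property and
          # evaluated to an empty string; outputs.branch is what the step set.
          SOURCE: ${{ steps.commit.outputs.branch }}
        run: |
          # NOTE(review): the PR was opened with this same App token; GitHub
          # rejects approving one's own PR -- confirm the approval succeeds
          # with this identity or use a separate reviewer identity.
          gh pr review --approve "$SOURCE"
          gh pr merge --auto --squash "$SOURCE"

      - name: bump-yaml
        run: scripts/bump-version-yaml.sh "$NEW_SEMGREP_VERSION"

      - name: Commit and push
        id: commit-yaml
        env:
          # See the first "Commit and push" step for why `${{ env.* }}` is used.
          BRANCH: "gha/bump-version-yaml-${{ env.NEW_SEMGREP_VERSION }}-${{ github.run_id }}-${{ github.run_attempt }}"
          SUBJECT: "Bump semgrep to ${{ env.NEW_SEMGREP_VERSION }}"
          ACTOR: ${{ github.actor }}
        run: |
          # NOTE(review): HEAD is still the first bump branch here, so this
          # branch (and its PR) also carries the first commit -- confirm whether
          # the default branch should be checked out first.
          git config user.name "$ACTOR"
          git config user.email "${ACTOR}@users.noreply.github.com"
          git checkout -b "$BRANCH"
          git add .
          git commit -m "$SUBJECT"
          git push --set-upstream origin "$BRANCH"
          echo "branch=$BRANCH" >> "$GITHUB_OUTPUT"
          echo "subject=$SUBJECT" >> "$GITHUB_OUTPUT"

      - name: Create PR
        id: open-2nd-pr
        env:
          SOURCE: "${{ steps.commit-yaml.outputs.branch }}"
          TARGET: "${{ github.event.repository.default_branch }}"
          TITLE: "chore: Release Version ${{ inputs.version }}"
          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
          VERSION: "${{ inputs.version }}"
        run: |
          # Same duplicate-PR guard as the first "Create PR" step.
          if [ "$(gh pr list --head "${SOURCE}" --json number --jq length)" != "0" ]; then
            echo "pull request from SOURCE ${SOURCE} to TARGET ${TARGET} is already open"
            echo "cancelling release"
            exit 1
          fi
          gh pr create --title "${TITLE}" --body "Bump Semgrep Version to ${VERSION}" \
            --base "${TARGET}" --head "${SOURCE}" --reviewer semgrep/cdx

      - name: Approve & Merge yaml PR
        env:
          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
          # Was `steps.commit-yaml.branch` (invalid property, empty string).
          SOURCE: ${{ steps.commit-yaml.outputs.branch }}
        run: |
          gh pr review --approve "$SOURCE"
          gh pr merge --auto --squash "$SOURCE"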