04 Maintain: Update Workflow Files #144

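# Weekly maintenance workflow: refreshes the sandpaper-managed workflow files in
# this repository and opens a pull request with the result.
#
# Credential flow (see the steps below):
#   1. The running org/workflow is validated by carpentries/actions.
#   2. If AWS OIDC secrets are present, a short-lived AWS session is assumed and a
#      GitHub PAT is read from Secrets Manager (masked, exported as a step output).
#   3. The PAT, or the SANDPAPER_WORKFLOW secret as a fallback, is validated; the
#      update and the PR are only attempted when a valid token exists.
name: "04 Maintain: Update Workflow Files"
# NOTE(review): `description` is not a documented workflow-level key (it belongs
# to action metadata); confirm it is intended here, it is likely ignored.
description: "Update workflow files from the carpentries/sandpaper repository"

on:  # yamllint disable-line rule:truthy
  schedule:
    # Every Tuesday at 00:00 UTC.
    - cron: '0 0 * * 2'
  workflow_dispatch:
    inputs:
      name:
        description: 'Who triggered this build (enter github username to tag yourself)?'
        required: true
        default: 'weekly run'
      tarball:
        description: 'Absolute URL to the desired sandpaper repo tarball'
        required: false
        default: ''
      clean:
        description: 'Workflow files/file extensions to clean (no wildcards, enter "" for none)'
        required: false
        default: '.yaml'

jobs:
  update_workflow:
    name: "Update Workflow"
    runs-on: ubuntu-latest
    # Least privilege for this job: write access is needed to push the update
    # branch and open the PR; id-token is required for the AWS OIDC exchange.
    permissions:
      contents: write
      pull-requests: write
      id-token: write
    steps:
      - name: "Checkout Repository"
        uses: actions/checkout@v4

      # NOTE(review): the carpentries/* actions below are referenced by the mutable
      # `@main` ref. With contents/pull-requests write granted above, whatever is
      # on `main` at run time executes here; pin to a commit SHA unless tracking
      # `main` is deliberate.
      - name: "Validate Current Org and Workflow"
        id: validate-org-workflow
        uses: carpentries/actions/validate-org-workflow@main
        with:
          repo: ${{ github.repository }}
          workflow: ${{ github.workflow }}

      # The secrets are copied into step-level env because the `secrets` context
      # is not available inside a step `if:`; the condition then skips the AWS
      # path entirely when the OIDC secrets are not configured for this repo.
      - name: Configure AWS credentials via OIDC
        env:
          role-to-assume: ${{ secrets.AWS_GH_OIDC_ARN }}
          aws-region: ${{ secrets.AWS_GH_OIDC_REGION }}
        if: |
          steps.validate-org-workflow.outputs.is_valid == 'true' &&
          env.role-to-assume != '' &&
          env.aws-region != ''
        # NOTE(review): this ref was garbled by the page's address obfuscation;
        # the intended value is a pinned `aws-actions/configure-aws-credentials@<ref>`.
        # Restore the version tag (or commit SHA) from the repository copy.
        uses: aws-actions/[email protected]
        with:
          role-to-assume: ${{ env.role-to-assume }}
          aws-region: ${{ env.aws-region }}

      - name: Set PAT from AWS Secrets Manager
        id: set-pat
        env:
          role-to-assume: ${{ secrets.AWS_GH_OIDC_ARN }}
          aws-region: ${{ secrets.AWS_GH_OIDC_REGION }}
        if: |
          steps.validate-org-workflow.outputs.is_valid == 'true' &&
          env.role-to-assume != '' &&
          env.aws-region != ''
        # `shell: bash` runs with -e and pipefail, so a failed secret fetch fails
        # the step instead of exporting an empty PAT.
        run: |
          SECRET=$(aws secretsmanager get-secret-value \
            --secret-id carpentries-bot/github-pat \
            --query SecretString --output text)
          # Filter is quoted so the shell never glob-expands `.[]`.
          # Assumes the secret JSON holds exactly one value: a multi-key secret
          # would yield a multi-line PAT that breaks the single-line output write
          # below — TODO confirm the secret's shape.
          PAT=$(echo "$SECRET" | jq -r '.[]')
          # Mask before the value can reach any log line.
          echo "::add-mask::$PAT"
          echo "pat=$PAT" >> "$GITHUB_OUTPUT"
        shell: bash

      # Prefer the PAT from AWS; fall back to the repository secret. The `||`
      # picks the fallback when the set-pat step was skipped (empty output).
      - name: "Validate token"
        id: validate-token
        uses: carpentries/actions/check-valid-credentials@main
        with:
          token: ${{ steps.set-pat.outputs.pat || secrets.SANDPAPER_WORKFLOW }}

      - name: "No Token Found: Skipping Workflow Update"
        if: ${{ steps.validate-token.outputs.wf == 'false' }}
        run: |
          echo "❗No valid SANDPAPER_WORKFLOW token or PAT from AWS found, cannot update workflows."
          echo "## ❌ Workflow Update Failed" >> "$GITHUB_STEP_SUMMARY"
          echo "No valid SANDPAPER_WORKFLOW token or PAT from AWS found, cannot update workflows." >> "$GITHUB_STEP_SUMMARY"
        shell: bash

      - name: Update Workflows
        id: update
        if: ${{ steps.validate-token.outputs.wf == 'true' }}
        uses: carpentries/actions/update-workflows@main
        with:
          # Scheduled runs have no inputs, so `||` supplies the defaults.
          repo: ${{ github.event.inputs.tarball || 'https://carpentries.r-universe.dev' }}
          # NOTE(review): `||` also replaces an explicitly empty `clean` input with
          # '.yaml', so the "enter "" for none" hint only works if the action treats
          # the literal two-character string `""` as "none" — confirm.
          clean: ${{ github.event.inputs.clean || '.yaml' }}

      # Only open a PR when the update step produced a new version and a valid
      # token exists; `steps.update.outputs.new` is empty when nothing changed.
      - name: Create Pull Request
        id: cpr
        if: |
          steps.update.outputs.new &&
          steps.validate-token.outputs.wf == 'true'
        uses: carpentries/create-pull-request@main
        with:
          token: ${{ steps.set-pat.outputs.pat || secrets.SANDPAPER_WORKFLOW }}
          delete-branch: true
          branch: "update/workflows"
          commit-message: "[actions] update sandpaper workflow to version ${{ steps.update.outputs.new }}"
          title: "Update Workflows to Version ${{ steps.update.outputs.new }}"
          body: |
            :robot: This is an automated build
            Update Workflows from sandpaper version ${{ steps.update.outputs.old }} -> ${{ steps.update.outputs.new }}
            - Auto-generated by [create-pull-request][1] on ${{ steps.update.outputs.date }}
            [1]: https://github.com/carpentries/create-pull-request/tree/main
          labels: "type: workflows"
          draft: false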