Set up auto-update workflow for gha.sum

Create a GitHub Actions workflow that automatically updates the checksums in gha.sum for Pull Requests by Dependabot that update a GitHub Action (leveraging `branches: dependabot/github_actions/**`). This workflow utilizes a bot to be able to push the changes as well as cause the created commit to trigger CI workflows. The secret it utilizes must be configured for Dependabot (go to repository Settings > Secrets and variables > Dependabot). The bot also requires permissions to "Read and write" for the "Repository permissions" category called "Workflows". The `if: ${{ github.actor == 'dependabot[bot]' }}` condition ensures the workflow isn't (re-)run for the commit it creates. Besides avoiding a potential infinite loop, it also avoids an error due to the (Dependabot scoped) secrets not being available. This change introduces two new GitHub Actions dependencies. One is used to generate an access token from a GitHub app The other is used to simplify the creation and pushing of a commit to the Pull Request branch.
chains-project · Mar 23, 2024 · 4d923c1 · 4d923c1
1 parent 95b1140
commit 4d923c1
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/.github/workflows/gha.sum b/.github/workflows/gha.sum
@@ -4,3 +4,5 @@ actions/[email protected] 5uAXl352I8XStCYyGTbGN7KcAaq2TyH8pPYNxivPuJo=
 actions/[email protected] lSvPPozeojJimtMLZ7cX1J/h8r1i30yGoTYQbst/jA4=
 github/[email protected] lzXmzNy+eVIfpHwZCI3wJmpy6U5VGiIPLmDCjet1oVs=
 ncipollo/[email protected] +JAIlT/RB99JgfxlDrAcAdBnaKX4y8hyFWnHc4j7tfM=
+stefanzweifel/[email protected] t2VeG9180CmZ5/cmxvkFkN6iWoWsOjlaJ2V8rp1HDqY=
+tibdex/[email protected] ZNSBo6XSE0yxs8IkHEkVtUC9MkEeXTclXpMLl6zAmCs=
diff --git a/.github/workflows/ghasum.yml b/.github/workflows/ghasum.yml
@@ -0,0 +1,38 @@
+name: ghasum
+on:
+  push:
+    branches:
+    - dependabot/github_actions/**
+
+permissions: read-all
+
+jobs:
+  update:
+    name: Update gha.sum
+    runs-on: ubuntu-22.04
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    permissions:
+      contents: write # To push a commit
+    steps:
+    - name: Create automation token
+      uses: tibdex/[email protected]
+      id: automation-token
+      with:
+        app_id: ${{ secrets.AUTOMATION_APP_ID }}
+        private_key: ${{ secrets.AUTOMATION_APP_KEY }}
+    - name: Checkout repository
+      uses: actions/[email protected]
+      with:
+        token: ${{ steps.automation-token.outputs.token }}
+    - name: Install Go
+      uses: actions/[email protected]
+      with:
+        go-version-file: go.mod
+    # NOTE: skip "Verify action checksums" because they might not be up-to-date
+    - name: Update gha.sum
+      run: go run ./cmd/ghasum update -force
+    - name: Commit gha.sum
+      uses: stefanzweifel/[email protected]
+      with:
+        commit_message: Update ghasum checksums
+        file_pattern: .github/workflows/gha.sum