From 4d923c1edb1ccd8b34c6d931be545f2b2d46e355 Mon Sep 17 00:00:00 2001 From: Eric Cornelissen Date: Sat, 23 Mar 2024 12:46:03 +0100 Subject: [PATCH] Set up auto-update workflow for gha.sum Create a GitHub Actions workflow that automatically updates the checksums in gha.sum for Pull Requests by Dependabot that update a GitHub Action (leveraging `branches: dependabot/github_actions/**`). This workflow utilizes a bot to be able to push the changes as well as cause the created commit to trigger CI workflows. The secret it utilizes must be configured for Dependabot (go to repository Settings > Secrets and variables > Dependabot). The bot also requires permissions to "Read and write" for the "Repository permissions" category called "Workflows". The `if: ${{ github.actor == 'dependabot[bot]' }}` condition ensures the workflow isn't (re-)run for the commit it creates. Besides avoiding a potential infinite loop, it also avoids an error due to the (Dependabot scoped) secrets not being available. This change introduces two new GitHub Actions dependencies. One is used to generate an access token from a GitHub app The other is used to simplify the creation and pushing of a commit to the Pull Request branch. --- .github/workflows/gha.sum | 2 ++ .github/workflows/ghasum.yml | 38 ++++++++++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+) create mode 100644 .github/workflows/ghasum.yml diff --git a/.github/workflows/gha.sum b/.github/workflows/gha.sum index c4cec28..ae8f9b8 100755 --- a/.github/workflows/gha.sum +++ b/.github/workflows/gha.sum @@ -4,3 +4,5 @@ actions/checkout@v4.1.2 5uAXl352I8XStCYyGTbGN7KcAaq2TyH8pPYNxivPuJo= actions/setup-go@v5.0.0 lSvPPozeojJimtMLZ7cX1J/h8r1i30yGoTYQbst/jA4= github/codeql-action@v3.24.7 lzXmzNy+eVIfpHwZCI3wJmpy6U5VGiIPLmDCjet1oVs= ncipollo/release-action@v1.14.0 +JAIlT/RB99JgfxlDrAcAdBnaKX4y8hyFWnHc4j7tfM= +stefanzweifel/git-auto-commit-action@v5.0.0 t2VeG9180CmZ5/cmxvkFkN6iWoWsOjlaJ2V8rp1HDqY= +tibdex/github-app-token@v2.1.0 ZNSBo6XSE0yxs8IkHEkVtUC9MkEeXTclXpMLl6zAmCs= diff --git a/.github/workflows/ghasum.yml b/.github/workflows/ghasum.yml new file mode 100644 index 0000000..67835cf --- /dev/null +++ b/.github/workflows/ghasum.yml @@ -0,0 +1,38 @@ +name: ghasum +on: + push: + branches: + - dependabot/github_actions/** + +permissions: read-all + +jobs: + update: + name: Update gha.sum + runs-on: ubuntu-22.04 + if: ${{ github.actor == 'dependabot[bot]' }} + permissions: + contents: write # To push a commit + steps: + - name: Create automation token + uses: tibdex/github-app-token@v2.1.0 + id: automation-token + with: + app_id: ${{ secrets.AUTOMATION_APP_ID }} + private_key: ${{ secrets.AUTOMATION_APP_KEY }} + - name: Checkout repository + uses: actions/checkout@v4.1.2 + with: + token: ${{ steps.automation-token.outputs.token }} + - name: Install Go + uses: actions/setup-go@v5.0.0 + with: + go-version-file: go.mod + # NOTE: skip "Verify action checksums" because they might not be up-to-date + - name: Update gha.sum + run: go run ./cmd/ghasum update -force + - name: Commit gha.sum + uses: stefanzweifel/git-auto-commit-action@v5.0.0 + with: + commit_message: Update ghasum checksums + file_pattern: .github/workflows/gha.sum