Skip to content

Deny rubygems-update injection #1020

Deny rubygems-update injection

Deny rubygems-update injection #1020

Workflow file for this run

name: Lock Dependency
# TODO: Make this job mandatory
# TODO: Make this on workflow_dispatch
on:
# Limitation about `paths` types:
# > https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#git-diff-comparisons
push:
branches-ignore:
- master
- release
- '*-stable'
pull_request:
# Run this job when a PR is opened, covering the scenario where branch is ready and pushed before PR is opened.
types:
- opened
# TODO: Improve concurrency between push event and pull_request event
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
pr:
name: Pull Request attached
runs-on: ubuntu-latest
outputs:
pr_found: ${{ steps.pr.outputs.pr_found }}
pr_base_ref: ${{ steps.pr.outputs.pr.base.ref }}
steps:
# Limitation with pull_request trigger: https://github.com/8BitJonny/gh-get-current-pr/tree/3.0.0/?tab=readme-ov-file#limitations
- uses: 8BitJonny/[email protected]
id: pr
with:
filterOutClosed: true # Don't trigger on commits with closed PRs, including merges into `master`.
dependency:
name: Depenedency changes
needs: pr
if: ${{ needs.pr.outputs.pr_found == 'true' }}
runs-on: ubuntu-latest
outputs:
changes: ${{ steps.changes.outputs.dependencies }}
steps:
- uses: actions/checkout@v4
- uses: dorny/paths-filter@v3
id: changes
with:
# This is the best effort to get the diff comparison.
# The result remains time-sensitive since the `base` is constantly changing and
# the PR cannot be guaranteed to be up-to-date.
#
# Unless enable `Require branches to be up to date before merging` in the repository rule settings
base: ${{ needs.pr.outputs.pr_base_ref }}
filters: .github/dependency_filters.yml
lock:
runs-on: ubuntu-latest
needs: dependency
if: ${{ needs.dependency.outputs.changes == 'true' }}
strategy:
fail-fast: false
matrix:
engine:
# ADD NEW RUBIES HERE
- name: ruby
version: '3.4'
- name: ruby
version: '3.3'
- name: ruby
version: '3.2'
- name: ruby
version: '3.1'
- name: ruby
version: '3.0'
- name: ruby
version: '2.7'
- name: ruby
version: '2.6'
- name: ruby
version: '2.5'
- name: jruby
version: '9.4'
- name: jruby
version: '9.3'
- name: jruby
version: '9.2'
container:
image: ghcr.io/datadog/images-rb/engines/${{ matrix.engine.name }}:${{ matrix.engine.version }}
env:
BUNDLE_WITHOUT: check
steps:
- uses: actions/checkout@v4
- run: |
ruby -v
gem -v
bundler -v
- run: bundle install
# TODO: Migrate away from `appraisal`
- run: bundle exec appraisal generate
- run: bundle exec rake dependency:lock
- uses: actions/upload-artifact@v4
with:
name: lock-dependency-${{ github.run_id }}-${{ matrix.engine.name }}-${{ matrix.engine.version }}
path: gemfiles/${{ matrix.engine.name }}_${{ matrix.engine.version }}*
retention-days: 1
# TODO: Change token to trigger workflow automation
# > New commit by GITHUB_TOKEN does not trigger workflow automation to prevent infinite loop
commit:
name: Commit changes
needs: lock
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GHA_PAT }}
- uses: actions/download-artifact@v4
with:
path: gemfiles
pattern: lock-dependency-${{ github.run_id }}-*
merge-multiple: true
- uses: stefanzweifel/git-auto-commit-action@v5
with:
file_pattern: 'gemfiles/*'
commit_message: "[🤖] Lock Dependency: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"