Deny rubygems-update
injection
#1020
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Lock Dependency | |
# TODO: Make this job mandatory | |
# TODO: Make this on workflow_dispatch | |
on: | |
# Limitation about `paths` types: | |
# > https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#git-diff-comparisons | |
push: | |
branches-ignore: | |
- master | |
- release | |
- '*-stable' | |
pull_request: | |
# Run this job when a PR is opened, covering the scenario where branch is ready and pushed before PR is opened. | |
types: | |
- opened | |
# TODO: Improve concurrency between push event and pull_request event | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
pr: | |
name: Pull Request attached | |
runs-on: ubuntu-latest | |
outputs: | |
pr_found: ${{ steps.pr.outputs.pr_found }} | |
pr_base_ref: ${{ steps.pr.outputs.pr.base.ref }} | |
steps: | |
# Limitation with pull_request trigger: https://github.com/8BitJonny/gh-get-current-pr/tree/3.0.0/?tab=readme-ov-file#limitations | |
- uses: 8BitJonny/[email protected] | |
id: pr | |
with: | |
filterOutClosed: true # Don't trigger on commits with closed PRs, including merges into `master`. | |
dependency: | |
name: Depenedency changes | |
needs: pr | |
if: ${{ needs.pr.outputs.pr_found == 'true' }} | |
runs-on: ubuntu-latest | |
outputs: | |
changes: ${{ steps.changes.outputs.dependencies }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: dorny/paths-filter@v3 | |
id: changes | |
with: | |
# This is the best effort to get the diff comparison. | |
# The result remains time-sensitive since the `base` is constantly changing and | |
# the PR cannot be guaranteed to be up-to-date. | |
# | |
# Unless enable `Require branches to be up to date before merging` in the repository rule settings | |
base: ${{ needs.pr.outputs.pr_base_ref }} | |
filters: .github/dependency_filters.yml | |
lock: | |
runs-on: ubuntu-latest | |
needs: dependency | |
if: ${{ needs.dependency.outputs.changes == 'true' }} | |
strategy: | |
fail-fast: false | |
matrix: | |
engine: | |
# ADD NEW RUBIES HERE | |
- name: ruby | |
version: '3.4' | |
- name: ruby | |
version: '3.3' | |
- name: ruby | |
version: '3.2' | |
- name: ruby | |
version: '3.1' | |
- name: ruby | |
version: '3.0' | |
- name: ruby | |
version: '2.7' | |
- name: ruby | |
version: '2.6' | |
- name: ruby | |
version: '2.5' | |
- name: jruby | |
version: '9.4' | |
- name: jruby | |
version: '9.3' | |
- name: jruby | |
version: '9.2' | |
container: | |
image: ghcr.io/datadog/images-rb/engines/${{ matrix.engine.name }}:${{ matrix.engine.version }} | |
env: | |
BUNDLE_WITHOUT: check | |
steps: | |
- uses: actions/checkout@v4 | |
- run: | | |
ruby -v | |
gem -v | |
bundler -v | |
- run: bundle install | |
# TODO: Migrate away from `appraisal` | |
- run: bundle exec appraisal generate | |
- run: bundle exec rake dependency:lock | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: lock-dependency-${{ github.run_id }}-${{ matrix.engine.name }}-${{ matrix.engine.version }} | |
path: gemfiles/${{ matrix.engine.name }}_${{ matrix.engine.version }}* | |
retention-days: 1 | |
# TODO: Change token to trigger workflow automation | |
# > New commit by GITHUB_TOKEN does not trigger workflow automation to prevent infinite loop | |
commit: | |
name: Commit changes | |
needs: lock | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
token: ${{ secrets.GHA_PAT }} | |
- uses: actions/download-artifact@v4 | |
with: | |
path: gemfiles | |
pattern: lock-dependency-${{ github.run_id }}-* | |
merge-multiple: true | |
- uses: stefanzweifel/git-auto-commit-action@v5 | |
with: | |
file_pattern: 'gemfiles/*' | |
commit_message: "[🤖] Lock Dependency: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" |