Sync yosef/auto-bump-version from test-pre-commit #2
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: github-actions auto-approve | |
| on: pull_request_target | |
| permissions: | |
| pull-requests: write | |
| contents: write | |
| jobs: | |
| approve-bot: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.actor == 'github-actions' || github.actor == 'semgrep-ci[bot]'}} | |
| steps: | |
| - name: Approve | |
| run: gh pr review --approve "$PR_URL" | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Watch untill PR checks are done | |
| run: gh pr checks --required --watch "$PR_URL" | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Merge PR | |
| run: gh pr merge --squash "$PR_URL" | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # Now we switch to semgrep-ci[bot] to actually be able to | |
| # move the tag we created in bump_version.yml from the | |
| # release branch to develop | |
| - id: jwt | |
| env: | |
| EXPIRATION: 600 | |
| ISSUER: ${{ secrets.SEMGREP_CI_APP_ID }} | |
| PRIVATE_KEY: ${{ secrets.SEMGREP_CI_APP_KEY }} | |
| name: Get JWT for semgrep-ci GitHub App | |
| uses: docker://public.ecr.aws/y9k7q4m1/devops/cicd:latest | |
| - id: token | |
| name: Get token for semgrep-ci GitHub App | |
| run: | | |
| TOKEN="$(curl -X POST \ | |
| -H "Authorization: Bearer ${{ steps.jwt.outputs.jwt }}" \ | |
| -H "Accept: application/vnd.github.v3+json" \ | |
| "https://api.github.com/app/installations/${{ secrets.SEMGREP_CI_APP_INSTALLATION_ID }}/access_tokens" | \ | |
| jq -r .token)" | |
| echo "::add-mask::$TOKEN" | |
| echo "token=$TOKEN" >> $GITHUB_OUTPUT | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: develop | |
| token: ${{ steps.token.outputs.token }} | |
| - name: Move tag to develop branch | |
| env: | |
| GITHUB_TOKEN: ${{ steps.token.outputs.token }} | |
| run: | | |
| CURR_VERSION=$(grep -o 'version=\"[0-9.]*\"' setup.py | sed "s/version=\"\([0-9.]*\)\"/\1/") | |
| # We tagged the release branch first in bump_version.yml | |
| # to allow tests to pass; now moving it to develop so | |
| # it can be a part of its history | |
| git push --delete origin "v${CURR_VERSION}" | |
| git tag "v${CURR_VERSION}" HEAD | |
| git push origin tag "v${CURR_VERSION}" |