bump-version #11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This workflow is called by the start release workflow to bump this | |
# repo's semgrep version to the newly release version; triggered by | |
# the start-release workflow. | |
jobs: | |
bump-version: | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
contents: write | |
pull-requests: write | |
checks: write | |
env: | |
NEW_SEMGREP_VERSION: ${{ github.event.inputs.version }} | |
steps: | |
- id: jwt | |
env: | |
EXPIRATION: 600 | |
ISSUER: ${{ secrets.SEMGREP_CI_APP_ID }} | |
PRIVATE_KEY: ${{ secrets.SEMGREP_CI_APP_KEY }} | |
name: Get JWT for semgrep-ci GitHub App | |
uses: docker://public.ecr.aws/y9k7q4m1/devops/cicd:latest | |
- id: token | |
name: Get token for semgrep-ci GitHub App | |
run: | | |
TOKEN="$(curl -X POST \ | |
-H "Authorization: Bearer ${{ steps.jwt.outputs.jwt }}" \ | |
-H "Accept: application/vnd.github.v3+json" \ | |
"https://api.github.com/app/installations/${{ secrets.SEMGREP_CI_APP_INSTALLATION_ID }}/access_tokens" | \ | |
jq -r .token)" | |
echo "::add-mask::$TOKEN" | |
echo "token=$TOKEN" >> $GITHUB_OUTPUT | |
- uses: actions/checkout@v4 | |
with: | |
token: ${{ steps.token.outputs.token }} | |
- name: Bump version in this repo | |
run: scripts/bump-version.sh "${NEW_SEMGREP_VERSION}" | |
- name: Commit and push | |
id: commit | |
env: | |
BRANCH: "gha/bump-version-${{ github.event.inputs.version }}-${{ github.run_id }}-${{ github.run_attempt }}" | |
SUBJECT: "Bump setup to ${{ github.event.inputs.version }}" | |
run: | | |
git config user.name ${{ github.actor }} | |
git config user.email ${{ github.actor }}@users.noreply.github.com | |
git checkout -b $BRANCH | |
git commit -am "$SUBJECT" | |
git tag "v${NEW_SEMGREP_VERSION}" HEAD | |
git remote -vv | |
git push --set-upstream origin $BRANCH | |
git push origin tag "v$NEW_SEMGREP_VERSION" | |
echo "branch=$BRANCH" >> $GITHUB_OUTPUT | |
echo "subject=$SUBJECT" >> $GITHUB_OUTPUT | |
- name: Create PR | |
id: open-pr | |
env: | |
SOURCE: "${{ steps.commit.outputs.branch }}" | |
TARGET: "${{ github.event.repository.default_branch }}" | |
TITLE: "chore: update pre-commit to semgrep ${{ inputs.version }}" | |
GITHUB_TOKEN: ${{ steps.token.outputs.token }} | |
VERSION: "${{ inputs.version }}" | |
run: | | |
# check if the branch already has a pull request open | |
if gh pr list --head ${SOURCE} | grep -vq "no pull requests"; then | |
# pull request already open | |
echo "pull request from SOURCE ${SOURCE} to TARGET ${TARGET} is already open"; | |
echo "cancelling release" | |
exit 1 | |
fi | |
# open new pull request with the body of from the local template. | |
res=$(gh pr create --title "${TITLE}" --body "Bump Semgrep Version to ${VERSION}" \ | |
--base "${TARGET}" --head "${SOURCE}") | |
name: bump-version | |
on: | |
workflow_dispatch: | |
inputs: | |
version: | |
description: "Version of semgrep to use" | |
required: true | |
type: string |