Add plugin-update-check workflow (#21491)

2025-11-03 12:07:54 +00:00 · 2023-06-28 13:57:39 -04:00
parent 282b4a0738
commit 08facd2bb2
1 changed files with 70 additions and 0 deletions
--- a/.github/workflows/plugin-update-check.yml
+++ b/.github/workflows/plugin-update-check.yml
@@ -0,0 +1,70 @@
+on:
+  workflow_dispatch:
+    inputs:
+      repo:
+        type: string
+        description: the plugin repo that is updated (ex. vault-plugin-database-snowflake) - github.com/hashicorp will be prepended
+        required: true
+      sha:
+        type: string
+        description: the hash of the plugin repo commit to use
+        required: true
+
+jobs:
+  plugin-update-check:
+    runs-on: ubuntu-latest
+    env:
+      # In the case of a curl call, the input json will look like:
+      # e.g.,
+      #  {
+      #    "ref": "some-branch",
+      #    "inputs": {
+      #        "sha":"abcdef",
+      #        "repo":"vault-plugin-database-snowflake"
+      #    }
+      #  }
+      COMMIT_SHA: "${{inputs.sha}}"
+      REPO_NAME: "${{inputs.repo}}"
+      BRANCH_NAME: "plugin-update-${{inputs.repo}}-${{inputs.sha}}"
+    steps:
+      - run: echo "would use $COMMIT_SHA of $REPO_NAME"
+        # checkout
+      - uses: actions/checkout@v3 # should be a sha, but eh
+        # activate go
+      - uses: actions/setup-go@v4
+      - name: update plugin
+        run: |
+          go get "github.com/hashicorp/$REPO_NAME@$COMMIT_SHA"
+          go mod tidy
+      - name: detect changes
+        id: changes
+        run: |
+          echo "count=$(git status --porcelain=v1 2>/dev/null | wc -l)" >> "$GITHUB_OUTPUT"
+      - name: commit/push
+        if: steps.changes.outputs.count > 0
+        run: |
+          git config user.name hc-github-team-secure-vault-ecosystem
+          git config user.email hc-github-team-secure-vault-ecosystem@users.noreply.github.com
+          git add .
+          git commit -m "Automated dependency upgrades"
+          git push -f origin ${{ github.ref_name }}:"$BRANCH_NAME"
+      - name: Open pull request if needed
+        if: steps.changes.outputs.count > 0
+        # Only open a PR if the branch is not attached to an existing one
+        run: |
+          PR=$(gh pr list --head "$BRANCH_NAME" --json number -q '.[0].number')
+          # currently unable to set team as reviewer in GHA
+          # see https://github.com/cli/cli/issues/6395
+          reviewers="fairclothjm,kpcraig"
+          if [ -z "$PR" ]; then
+            gh pr create \
+            --head "$BRANCH_NAME" \
+            --title "Automated plugin update check" \
+            --reviewer "$reviewers" \
+            --label "dependencies" \
+            --body "Updates $REPO_NAME to verify vault CI
+            Full log: https://github.com/hashicorp/vault/actions/runs/${{github.run_id}}"
+          else
+            echo "Pull request already exists, won't create a new one."
+            exit 1
+          fi