logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets


			
				
					
						
						
							12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394
							name: "Update dependencies"
on:
  schedule:
    # Monday, 10AM UTC
    - cron: "0 10 * * 1"

  workflow_dispatch:
    inputs: {}

permissions:
  contents: read

jobs:
  branches:
    name: get branch data
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      branches: ${{ steps.branches.outputs.branches }}

    steps:
      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          ref: ${{ github.event.inputs.ref }}
          persist-credentials: false
      - name: set branches output
        id: branches
        run: echo "branches=[\"main\"]" >> $GITHUB_OUTPUT

  update-dependencies:
    permissions:
      contents: write  # for Git to git push
    runs-on: ubuntu-latest
    needs: branches
    strategy:
      matrix:
        branch: ${{ fromJson(needs.branches.outputs.branches) }}
    steps:
    - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
      with:
        egress-policy: audit

      # we can not use the default GHA token, as it prevents subsequent GHA
      # from running: we can create a PR but the tests won't run :/
    - name: Generate token
      id: generate_token
      uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
      env:
        APP_ID: ${{ secrets.APP_ID }}
      with:
        app-id: ${{ env.APP_ID }}
        private-key: ${{ secrets.PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}

    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        token: ${{ steps.generate_token.outputs.token }}
        ref: ${{ matrix.branch }}
        fetch-depth: 0
        persist-credentials: false

    - name: Setup Go
      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
      with:
        go-version-file: go.mod

    - name: create pull request
      env:
        BASE_BRANCH: ${{ matrix.branch }}
        GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
        GH_REPO: ${{ github.repository }}
      run: |
        git config --global user.email "ExternalSecretsOperator@users.noreply.github.com"
        git config --global user.name "External Secrets Operator"
        git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GH_REPO}.git"
        BRANCH=update-deps-$(date "+%s")
        make update-deps || true
        make check-diff || true
        if git diff-index --quiet HEAD --; then
          echo "nothing changed. skipping."
          exit 0;
        fi

        git checkout -b $BRANCH
        git add -A
        git commit -m "update dependencies" -s
        git push origin $BRANCH
        gh pr create -B $BASE_BRANCH -H ${BRANCH} --title 'chore: update dependencies' --body 'Update dependencies'