mirror of
https://github.com/rosenpass/rosenpass.git
synced 2025-12-18 13:24:38 +03:00
fix(CI+dependabot): adapt the supply-chain workflow for cargo-vet to work with dependabot, i.e. regenerating exemptions for dependabot and restart the CI afterwards
This commit is contained in:
David Niehues
63
.github/workflows/supply-chain.yml
vendored
63
.github/workflows/supply-chain.yml
vendored
@@ -28,6 +28,10 @@ jobs:
|
|||||||
~/.cargo/registry/cache/
|
~/.cargo/registry/cache/
|
||||||
~/.cache/cargo-supply-chain/
|
~/.cache/cargo-supply-chain/
|
||||||
key: cargo-supply-chain-cache
|
key: cargo-supply-chain-cache
|
||||||
|
- name: Install nightly toolchain # Since we are running/compiling cargo-vet, we should rely on the stable toolchain.
|
||||||
|
run: |
|
||||||
|
rustup toolchain install nightly
|
||||||
|
rustup override set nightly
|
||||||
- uses: actions/cache@v4
|
- uses: actions/cache@v4
|
||||||
with:
|
with:
|
||||||
path: ${{ runner.tool_cache }}/cargo-supply-chain
|
path: ${{ runner.tool_cache }}/cargo-supply-chain
|
||||||
@@ -50,6 +54,8 @@ jobs:
|
|||||||
contents: write
|
contents: write
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
token: ${{ secrets.CI_BOT_PAT }}
|
||||||
- uses: actions/cache@v4
|
- uses: actions/cache@v4
|
||||||
with:
|
with:
|
||||||
path: |
|
path: |
|
||||||
@@ -57,10 +63,10 @@ jobs:
|
|||||||
~/.cargo/registry/index/
|
~/.cargo/registry/index/
|
||||||
~/.cargo/registry/cache/
|
~/.cargo/registry/cache/
|
||||||
key: cargo-vet-cache
|
key: cargo-vet-cache
|
||||||
- name: Install stable toolchain # Since we are running/compiling cargo-vet, we should rely on the stable toolchain.
|
- name: Install nightly toolchain # Since we are running/compiling cargo-vet, we should rely on the stable toolchain.
|
||||||
run: |
|
run: |
|
||||||
rustup toolchain install stable
|
rustup toolchain install nightly
|
||||||
rustup default stable
|
rustup override set nightly
|
||||||
- uses: actions/cache@v4
|
- uses: actions/cache@v4
|
||||||
with:
|
with:
|
||||||
path: ${{ runner.tool_cache }}/cargo-vet
|
path: ${{ runner.tool_cache }}/cargo-vet
|
||||||
@@ -69,23 +75,48 @@ jobs:
|
|||||||
run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
|
run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
|
||||||
- name: Ensure that the tool cache is populated with the cargo-vet binary
|
- name: Ensure that the tool cache is populated with the cargo-vet binary
|
||||||
run: cargo install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet
|
run: cargo install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet
|
||||||
- name: Regenerate vet exemptions for dependabot PRs
|
- name: Check if last commit was by Dependabot
|
||||||
if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
|
|
||||||
run: cargo vet regenerate exemptions
|
|
||||||
- name: Check for changes in case of dependabot PR
|
|
||||||
if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
|
|
||||||
run: git diff --exit-code || echo "Changes detected, committing..."
|
|
||||||
- name: Commit and push changes for dependabot PRs
|
|
||||||
if: success() && github.actor == 'dependabot[bot]'
|
|
||||||
run: |
|
run: |
|
||||||
git fetch origin ${{ github.head_ref }}
|
git fetch origin ${{ github.head_ref }}
|
||||||
git switch ${{ github.head_ref }}
|
git switch ${{ github.head_ref }}
|
||||||
git config --global user.name "github-actions[bot]"
|
COMMIT_AUTHOR=$(gh api repos/${{ github.repository }}/commits/${{ github.sha }} --jq .author.login)
|
||||||
git config --global user.email "github-actions@github.com"
|
if [[ "$COMMIT_AUTHOR" == "dependabot[bot]" ]]; then
|
||||||
git add supply-chain/*
|
echo "The last commit was made by dependabot"
|
||||||
git commit -m "Regenerate cargo vet exemptions"
|
IS_DEPENDABOT=true
|
||||||
git push origin ${{ github.head_ref }}
|
else
|
||||||
|
echo "The last commit was not made by dependabot"
|
||||||
|
IS_DEPENDABOT=false
|
||||||
|
fi
|
||||||
|
echo "IS_DEPENDABOT=$IS_DEPENDABOT" >> $GITHUB_ENV
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
- name: Check if the last commit's message ends in "--regenerate-exemptions"
|
||||||
|
run: |
|
||||||
|
# Get commit message
|
||||||
|
COMMIT_MESSAGE=$(git log -1 --pretty=format:"%s")
|
||||||
|
if [[ "$COMMIT_MESSAGE" == *"--regenerate-exemptions" ]]; then
|
||||||
|
echo "The last commit message ends in --regenerate-exemptions"
|
||||||
|
REGEN_EXEMP=true
|
||||||
|
else
|
||||||
|
echo "The last commit message does not end in --regenerate-exemptions"
|
||||||
|
REGEN_EXEMP=false
|
||||||
|
fi
|
||||||
|
echo "REGEN_EXEMP=$REGEN_EXEMP" >> $GITHUB_ENV
|
||||||
|
- name: Regenerate vet exemptions for dependabot PRs
|
||||||
|
if: github.actor == 'dependabot[bot]' && (env.IS_DEPENDABOT == 'true' || env.REGEN_EXEMP=='true') # Run only for Dependabot PRs or if specifically requested
|
||||||
|
run: cargo vet regenerate exemptions
|
||||||
|
- name: Check for changes in case of dependabot PR
|
||||||
|
if: github.actor == 'dependabot[bot]' && (env.IS_DEPENDABOT == 'true' || env.REGEN_EXEMP=='true') # Run only for Dependabot PRs or if specifically requested
|
||||||
|
run: git diff --exit-code || echo "Changes detected, committing..."
|
||||||
|
- name: Commit and push changes for dependabot PRs
|
||||||
|
if: success() && github.actor == 'dependabot[bot]' && (env.IS_DEPENDABOT == 'true' || env.REGEN_EXEMP=='true')
|
||||||
|
uses: stefanzweifel/git-auto-commit-action@v5
|
||||||
|
with:
|
||||||
|
commit_message: Regenerate cargo vet exemptions
|
||||||
|
commit_user_name: rosenpass-ci-bot[bot]
|
||||||
|
commit_user_email: noreply@rosenpass.eu
|
||||||
|
commit_author: Rosenpass CI Bot <noreply@rosenpass.eu>
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.CI_BOT_PAT }}
|
||||||
- name: Invoke cargo-vet
|
- name: Invoke cargo-vet
|
||||||
run: cargo vet --locked
|
run: cargo vet --locked
|
||||||
|
|||||||
Reference in New Issue
Block a user