Sync Submodules and Dependencies #257
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Sync Submodules and Dependencies | |
| # Pulls changes from the main branch of submodules daily at 9:00 UTC and opens a PR. | |
| on: | |
| schedule: | |
| - cron: '0 9 * * *' | |
| workflow_dispatch: | |
| permissions: | |
| # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on. | |
| # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings | |
| id-token: write | |
| contents: write | |
| pull-requests: write | |
| jobs: | |
| update: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
| with: | |
| submodules: recursive | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: configure aws credentials | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| aws-region: ${{ secrets.REGION }} | |
| role-to-assume: ${{ secrets.ROLE }} | |
| role-session-name: sync-submodules-and-deps-session | |
| - name: Update submodules | |
| run: | | |
| git submodule update --remote | |
| - name: Update OS image | |
| run: | | |
| ./.github/bin/update-os-image.sh | |
| - name: Update lima dependencies url | |
| run: | | |
| ./deps/finch-core/bin/update-deps.sh -d ${{ secrets.DEPENDENCY_BUCKET_NAME }} | |
| - name: Update rootfs | |
| run: | | |
| ./deps/finch-core/bin/update-rootfs.sh -d ${{ secrets.DEPENDENCY_BUCKET_NAME }} | |
| - name: Create PR | |
| uses: peter-evans/create-pull-request@70a41aba780001da0a30141984ae2a0c95d8704e # v6.0.2 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| signoff: true | |
| title: 'build(deps): Bump submodules and dependencies' | |
| body: > | |
| Bump for Finch's dependencies. | |
| Currently, this updates values based on artifacts defined in the finch-core repository, | |
| such as: operating system images, and the version of Lima (and it's dependencies), | |
| which are bundled as `lima-and-qemu.macos-*.*.tar.gz` archives. | |
| Since updating the Lima version may also update the default version of the `nerdctl-full` | |
| archive (which contains nerdctl, containerd, buildkit, etc.), this may require a manual | |
| update to | |
| [`e2e/vm/version_test.go`](https://github.com/runfinch/finch/tree/create-pull-request/patch/e2e/vm/version_test.go). | |
| To do so, checkout this PR branch locally, add a new commit to the branch, | |
| and push back to the branch: | |
| ```bash | |
| git fetch --all | |
| git switch create-pull-request/patch | |
| # make changes | |
| git add e2e/vm/version_test.go | |
| git commit -s "update dependency versions in version test" | |
| git push | |
| ``` |