Create GUI update PR (branch: master) #2073
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 'Create GUI update PR' | |
| run-name: 'Create GUI update PR (branch: ${{ github.event.workflow_run.head_branch || inputs.branch }})' | |
| # **Note 1**: You can merge a pull request into a release branch of the form “release-$MAJOR.$MINOR” (e.g. “release-2.1”) in order to create the GUI update PR in the matching release branch of the host repository. For this to work, the name of this repository’s release branch must match that of the host repository exactly. | |
| # **Note 2**: Since this workflow can be triggered using the `workflow_run` event type, one needs to pay special attention to the context in which runs will be executed based on this workflow. Most importantly, runs will be using the workflow file found **in the project’s default branch**. This means that context variables like `github.ref` and `github.ref_name` will refer to the default branch **and not the branch that caused the workflow_run event to trigger**. Also, it likely means that to change the behavior of the workflow in a release branch, one will actually have to update the workflow file in the default branch, too. | |
| on: | |
| # Allows running the workflow manually. | |
| workflow_dispatch: | |
| inputs: | |
| branch: | |
| required: true | |
| type: string | |
| description: The base branch for which to create a GUI PR (default or release branch) | |
| sha: | |
| required: true | |
| type: string | |
| description: The commit hash for which to create a GUI PR | |
| workflow_run: | |
| workflows: ['Tests'] | |
| types: [completed] | |
| # See “Filter pattern cheat sheet” https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet | |
| branches: [master, 'release-[0-9]+.[0-9]+'] | |
| permissions: | |
| contents: read # for checking out the repository (e.g. actions/checkout) | |
| # Ensures that we only run one workflow per branch at a time. | |
| # Already running workflows will be cancelled. | |
| concurrency: | |
| cancel-in-progress: true | |
| group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || inputs.branch }} | |
| jobs: | |
| # Creates a pull request in the main application to update its GUI. | |
| create-gui-pr: | |
| timeout-minutes: 10 | |
| # Only runs this job when the triggering workflow run was a success (i.e. the “Tests” workflow passes). | |
| if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success') }} | |
| name: Create GUI update PR | |
| runs-on: ubuntu-latest | |
| env: | |
| SHA: ${{ github.event.workflow_run.head_sha || inputs.sha }} | |
| BRANCH: ${{ github.event.workflow_run.head_branch || inputs.branch }} | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| ref: ${{ env.BRANCH }} | |
| - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
| with: | |
| node-version-file: '.nvmrc' | |
| - run: | | |
| make install/sync | |
| - uses: Kong/public-shared-actions/security-actions/sca@62643b74f79f6a697b9add1a2f9c069bf9ca1250 | |
| id: sbom | |
| with: | |
| asset_prefix: kuma-gui | |
| dir: '.' | |
| config: .syft.yaml | |
| fail_build: 'true' # Fail job if critical vulnerabilities are detected | |
| - run: | | |
| make build/sync | |
| - uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3 | |
| id: github-app-token | |
| with: | |
| app-id: ${{ secrets.APP_ID }} | |
| private-key: ${{ secrets.APP_PRIVATE_KEY }} | |
| # Access to kuma needs to be explicitly included here so that a pull request can be opened in that repository. | |
| owner: ${{ github.repository_owner }} | |
| repositories: "kuma-gui,kuma" | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| # This needs to be a token that grants read access to `HOST_REPOSITORY`. If that repository is private, it needs general access to the `repo` scope which grants access to read private repositories. Otherwise, you will run into an error telling you that the checkout actions can’t determine the repository’s default branch. This is on account of a lack of access not because it can’t determine the default branch. | |
| token: ${{ steps.github-app-token.outputs.token }} | |
| repository: ${{ vars.HOST_REPOSITORY }} | |
| ref: ${{ env.BRANCH }} | |
| path: main-application | |
| - run: | | |
| cd main-application | |
| echo 'Copying Grype and SBOM reports ...' | |
| mkdir -p ${{ vars.HOST_REPORTS_DIRECTORY }} | |
| rm -f ${{ vars.HOST_REPORTS_DIRECTORY }}/{${{ steps.sbom.outputs.grype-json-report }},${{ steps.sbom.outputs.grype-sarif-report }},${{ steps.sbom.outputs.sbom-spdx-report }},${{ steps.sbom.outputs.sbom-cyclonedx-report }}} | |
| mv \ | |
| ../${{ steps.sbom.outputs.grype-json-report }} \ | |
| ../${{ steps.sbom.outputs.grype-sarif-report }} \ | |
| ../${{ steps.sbom.outputs.sbom-spdx-report }} \ | |
| ../${{ steps.sbom.outputs.sbom-cyclonedx-report }} \ | |
| ${{ vars.HOST_REPORTS_DIRECTORY }} | |
| echo 'Replacing GUI dist files ...' | |
| rm -rf ${{ vars.HOST_DIST_DIRECTORY }} | |
| cp -r ../${{ vars.DIST_DIRECTORY }}/ ${{ vars.HOST_DIST_DIRECTORY }} | |
| # https://github.com/peter-evans/create-pull-request | |
| - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 | |
| with: | |
| # Note: This token can be a GITHUB_TOKEN if the created PR doesn’t need to trigger workflows `on: push` or `on: pull_request`. However, we definitely need to trigger workflows (e.g. to run test workflows on the PR). Instead, we should use a personal access token (PAT). See https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#triggering-further-workflow-runs for a more detailed explanation. | |
| token: ${{ steps.github-app-token.outputs.token }} | |
| path: main-application | |
| base: ${{ env.BRANCH }} | |
| commit-message: | | |
| chore(deps): bump ${{ github.repository }} to ${{ env.SHA }} | |
| Bumps ${{ github.repository }} to version [${{ env.BRANCH }}@${{ env.SHA }}](https://github.com/${{ github.repository }}/tree/${{ env.SHA }}) | |
| committer: GitHub <noreply@github.com> | |
| author: github-actions[bot] <github-actions[bot]@users.noreply.github.com> | |
| team-reviewers: kuma-maintainers | |
| signoff: true | |
| branch: chore/update-gui-in-${{ env.BRANCH }} | |
| delete-branch: true | |
| title: 'chore(deps): bump ${{ github.repository }} to ${{ env.SHA }}' | |
| labels: ci/skip-e2e-test,${{ env.BRANCH }},ci/auto-merge | |
| body: | | |
| Bumps ${{ github.repository }} to version [${{ env.BRANCH }}@${{ env.SHA }}](https://github.com/${{ github.repository }}/tree/${{ env.SHA }}) | |
| > Changelog: chore(deps): use latest ${{ github.repository }} | |
| draft: false |