From 20570c199a355913e84b891a6373c7834832f789 Mon Sep 17 00:00:00 2001
From: Thomas Poignant
Date: Sun, 12 Oct 2025 19:43:33 +0200
Subject: [PATCH 1/2] ci: Bump version of modules when new module is released

Signed-off-by: Thomas Poignant
---
 .github/workflows/bump-module-dependency.yml | 85 --------------------
 .github/workflows/bump-modules.yml | 53 ++++++++++++
 .github/workflows/release-please.yml | 22 +++++
 3 files changed, 75 insertions(+), 85 deletions(-)
 delete mode 100644 .github/workflows/bump-module-dependency.yml
 create mode 100644 .github/workflows/bump-modules.yml
diff --git a/.github/workflows/bump-module-dependency.yml b/.github/workflows/bump-module-dependency.yml
deleted file mode 100644
index bc9d6482a0e..00000000000
--- a/.github/workflows/bump-module-dependency.yml
+++ /dev/null
@@ -1,85 +0,0 @@ -name: bump module dependency -on: - release: - types: [published] - -permissions: read-all - -jobs: - evaluation-module-release: - if: ${{ startsWith(github.event.release.tag_name, 'modules/evaluation') }} - name: check if release is a evaluation module release - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Setup go - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 - with: - go-version-file: modules/evaluation/go.mod - check-latest: true - - - name: Update internal module - run: | - export GOWORK=off - VERSION=${GITHUB_REF#refs/tags/modules/evaluation/} - go get github.com/thomaspoignant/go-feature-flag/modules/evaluation@$VERSION - go mod tidy - go mod vendor - go mod verify - - - name: Create Pull Request to bump module - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 - with: - branch: bump-evaluation-module-${{ github.ref_name }} - title: "chore(dependency): Bump module ${{ github.ref_name }}" - body: | - Automated pull request to bump module ${{ github.ref_name }} - commit-message: "chore(dependency): Bump module ${{ github.ref_name }}" - assignees: thomaspoignant - draft: false - signoff: true - delete-branch: true - base: main - labels: automerge - token: ${{ secrets.PERSONAL_GITHUB_TOKEN }} - - core-module-release: - if: ${{ startsWith(github.event.release.tag_name, 'modules/core') }} - name: check if release is a core module release - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - - name: Setup go - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 - with: - go-version-file: modules/core/go.mod - check-latest: true - - - name: Update internal module - run: | - export GOWORK=off - VERSION=${GITHUB_REF#refs/tags/modules/core/} - go get 
github.com/thomaspoignant/go-feature-flag/modules/core@$VERSION - go mod tidy - go mod vendor - go mod verify - - - name: Create Pull Request to bump module - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 - with: - branch: bump-core-module-${{ github.ref_name }} - title: "chore(dependency): Bump module ${{ github.ref_name }}" - body: | - Automated pull request to bump module ${{ github.ref_name }} - commit-message: "chore(dependency): Bump module ${{ github.ref_name }}" - assignees: thomaspoignant - draft: false - signoff: true - delete-branch: true - base: main - labels: automerge - token: ${{ secrets.PERSONAL_GITHUB_TOKEN }} diff --git a/.github/workflows/bump-modules.yml b/.github/workflows/bump-modules.yml new file mode 100644 index 00000000000..58acd7929e1 --- /dev/null +++ b/.github/workflows/bump-modules.yml 
@@ -0,0 +1,53 @@
+# ---------------------------------------
+# Bump module dependency is a workflow that bumps the dependency of a module to the latest version.
+# This is a reusable workflow and is used by the release-please workflow to bump the dependency of the module to the latest version.
+# ---------------------------------------
+name: bump module dependency
+permissions:
+ actions: read
+ contents: read
+
+on:
+ workflow_call:
+ inputs:
+ modulePath: { type: string, required: true }
+ version: { type: string, required: true }
+
+jobs:
+ bump-module:
+ name: Bump module dependency ${{ inputs.modulePath }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ - name: Setup go
+ uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+ with:
+ go-version-file: ${{ inputs.modulePath }}/go.mod
+ check-latest: true
+
+ - name: Update internal module
+ run: |
+ export GOWORK=off
+ VERSION=${GITHUB_REF#refs/tags/modules/evaluation/}
+ go get github.com/thomaspoignant/go-feature-flag/${{ inputs.modulePath }}@${{ inputs.version }}
+ go mod tidy
+ go mod vendor
+ go mod verify
+
+ - name: Create Pull Request to bump module
+ uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+ with:
+ branch: bump-module-${{ inputs.modulePath }}-${{ inputs.version }}
+ title: "chore(dependency): Bump module ${{ inputs.modulePath }} ${{ inputs.version }}"
+ body: |
+ Automated pull request to bump module ${{ inputs.modulePath }} ${{ inputs.version }}"
+ commit-message: "chore(dependency): Bump module ${{ inputs.modulePath }} ${{ inputs.version }}"
+ assignees: thomaspoignant
+ draft: false
+ signoff: true
+ delete-branch: true
+ base: main
+ labels: automerge
+ token: ${{ secrets.PERSONAL_GITHUB_TOKEN }}
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 7dc1e39c8c8..81a46e27a20 100644
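Review bot: The last step reads `secrets.PERSONAL_GITHUB_TOKEN`, but the `workflow_call` trigger declares only `inputs`, and a called workflow receives no secrets unless the caller passes them. The two callers added in release-please.yml carry no `secrets:` block, so the token will presumably resolve to an empty string and the pull-request step cannot authenticate with the PAT. Declare it next to `inputs` with `secrets: { PERSONAL_GITHUB_TOKEN: { required: true } }`, and in each caller add a `secrets:` mapping with the single entry `PERSONAL_GITHUB_TOKEN: ${{ secrets.PERSONAL_GITHUB_TOKEN }}`. Passing it by name is preferable to `secrets: inherit`, which would expose every repository secret to this workflow.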
--- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -11,10 +11,32 @@ permissions: jobs: release-please: runs-on: ubuntu-latest + outputs: + module_evaluation_released: ${{ steps.release.outputs['modules/evaluation--release_created'] }} + module_evaluation_version: ${{ steps.release.outputs['modules/evaluation--version'] }} + module_core_released: ${{ steps.release.outputs['modules/core--release_created'] }} + module_core_version: ${{ steps.release.outputs['modules/core--version'] }} steps: - uses: googleapis/release-please-action@c2a5a2bd6a758a0937f1ddb1e8950609867ed15c # v4.3.0 + id: release with: # See: https://github.com/googleapis/release-please token: ${{ secrets.PERSONAL_GITHUB_TOKEN }} config-file: .github/release-please/release-please-config.json manifest-file: .github/release-please/.release-please-manifest.json + + bump-module-evaluation: + if: ${{ needs.release-please.outputs.module_evaluation_released == 'true' }} + uses: ./.github/workflows/bump-modules.yml + needs: release-please + with: + modulePath: module/evaluation + version: ${{ needs.release-please.outputs.module_evaluation_version }} + + bump-module-core: + if: ${{ needs.release-please.outputs.module_core_released == 'true' }} + uses: ./.github/workflows/bump-modules.yml + needs: release-please + with: + modulePath: module/core + version: ${{ needs.release-please.outputs.module_core_version }} \ No newline at end of file From ffffb14196f25552cb829814f89c1b69d530e6f0 Mon Sep 17 00:00:00 2001 From: Thomas Poignant Date: Sun, 12 Oct 2025 19:49:16 +0200 Subject: [PATCH 2/2] fix: avoid injection in inputs Signed-off-by: Thomas Poignant --- .github/workflows/bump-modules.yml | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/.github/workflows/bump-modules.yml b/.github/workflows/bump-modules.yml index 58acd7929e1..072867500b3 100644 --- a/.github/workflows/bump-modules.yml +++ b/.github/workflows/bump-modules.yml 
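Review bot: Both new callers pass a singular path, `modulePath: module/evaluation` and `modulePath: module/core`, while the release-please output keys in this same hunk and the workflow deleted by this patch use `modules/…`. With the singular form the reusable workflow would look for `module/evaluation/go.mod` and run `go get` on a module path that, judging by those keys, does not exist. The values should be `modulePath: modules/evaluation` and `modulePath: modules/core`. The deleted workflow took its version from the tag suffix, so it is also worth confirming that the `--version` output carries the `v` prefix that `go get` expects.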
@@ -28,22 +28,27 @@ jobs: check-latest: true - name: Update internal module + env: + VERSION: ${{ inputs.version }} + MODULE_PATH: ${{ inputs.modulePath }} run: | export GOWORK=off - VERSION=${GITHUB_REF#refs/tags/modules/evaluation/} - go get github.com/thomaspoignant/go-feature-flag/${{ inputs.modulePath }}@${{ inputs.version }} + go get github.com/thomaspoignant/go-feature-flag/${MODULE_PATH}@${VERSION } go mod tidy go mod vendor go mod verify - name: Create Pull Request to bump module uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 + env: + VERSION: ${{ inputs.version }} + MODULE_PATH: ${{ inputs.modulePath }} with: - branch: bump-module-${{ inputs.modulePath }}-${{ inputs.version }} - title: "chore(dependency): Bump module ${{ inputs.modulePath }} ${{ inputs.version }}" + branch: bump-module-${MODULE_PATH}-${VERSION} + title: "chore(dependency): Bump module ${MODULE_PATH} ${VERSION}" body: | - Automated pull request to bump module ${{ inputs.modulePath }} ${{ inputs.version }}" - commit-message: "chore(dependency): Bump module ${{ inputs.modulePath }} ${{ inputs.version }}" + Automated pull request to bump module ${MODULE_PATH} ${VERSION} + commit-message: "chore(dependency): Bump module ${MODULE_PATH} ${VERSION}" assignees: thomaspoignant draft: false signoff: true
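Review bot: The `env:` block added to the `Create Pull Request to bump module` step does not make `${MODULE_PATH}` and `${VERSION}` expand inside `with:`. Those values reach the action as literal strings, so the branch, title, body and commit message would contain the placeholder text itself. Expressions under `with:` are substituted by the runner and handed over as action inputs without passing through a shell, so the `${{ inputs.* }}` form can stay there and the step-level `env:` can be dropped. The env indirection is the right fix for the `run:` step only. There the `go get` argument should be double-quoted, and the `${VERSION }` shown in this hunk (possibly a rendering artefact) needs the space removed, since bash rejects it as a bad substitution.

```yaml
      - name: Update internal module
        # … unchanged: env block mapping VERSION and MODULE_PATH …
        run: |
          # … unchanged: export GOWORK=off …
          go get "github.com/thomaspoignant/go-feature-flag/${MODULE_PATH}@${VERSION}"
          # … unchanged: go mod tidy / vendor / verify …

      - name: Create Pull Request to bump module
        # … unchanged: pinned create-pull-request action; no env block on this step …
        with:
          branch: bump-module-${{ inputs.modulePath }}-${{ inputs.version }}
          title: "chore(dependency): Bump module ${{ inputs.modulePath }} ${{ inputs.version }}"
          body: |
            Automated pull request to bump module ${{ inputs.modulePath }} ${{ inputs.version }}
          commit-message: "chore(dependency): Bump module ${{ inputs.modulePath }} ${{ inputs.version }}"
          # … unchanged: assignees, draft, signoff …
```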