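# Weekly check that the apt packages pinned with `name=version` in the other
# workflow files still match the candidate version apt would install today.
# Outdated pins are reported through a single tracking issue.
name: Check apt dependencies for updates

on:
  schedule:
    - cron: '0 0 * * 0'  # Run weekly on Sunday at midnight
  workflow_dispatch:  # Allow manual triggering

# Workflow-wide default. Note that a job-level `permissions` block below does
# not extend this set; it replaces it.
permissions:
  contents: read

jobs:
  check-apt-updates:
    runs-on: ubuntu-latest
    # Declaring `permissions` on the job resets every scope that is not listed
    # here to `none`, so `contents: read` must be repeated or the checkout
    # step runs with a token that cannot read the repository.
    permissions:
      contents: read
      issues: write
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Check for apt package updates
        id: check-updates
        run: |
          # Collect every `name=version` token from "apt-get install" lines in
          # the other workflow files; this file is excluded so its own examples
          # are not picked up. The character class keeps the token free of
          # shell metacharacters before it is handed to apt-cache below.
          #
          # `|| true` is required: GitHub runs `run:` steps under `bash -e`,
          # and grep exits 1 when nothing matches, which would abort the step
          # before the "no pinned packages" branch below could run.
          grep -r "apt-get install" .github/workflows/ --exclude="dependabot-apt-update.yml" \
            | grep -o "[a-zA-Z0-9_.:\+~-]\+=[a-zA-Z0-9_.:\+~-]\+" > pinned_apt_packages.txt || true

          report=apt_update_report.md

          # Create report file header
          {
            echo "# Apt Package Update Report"
            echo "Generated on $(date)"
            echo ""
          } > "$report"

          if [ -s pinned_apt_packages.txt ]; then
            echo "Checking these pinned apt packages for updates:"
            cat pinned_apt_packages.txt
            {
              echo "## Pinned Packages"
              echo ""
              echo "| Package | Current Version | Latest Version | Update Available |"
              echo "|---------|----------------|---------------|-----------------|"
            } >> "$report"

            # Refresh the package index so apt-cache reports current candidates
            sudo apt-get update
            updates_available=false

            # One `name=version` token per line; -r keeps backslashes literal
            while read -r package; do
              pkg_name=${package%=*}
              current_version=${package#*=}
              # Skip empty package names
              if [ -z "$pkg_name" ]; then
                continue
              fi
              # Candidate is the version apt would install today. It is empty
              # when the package is unknown to the runner's apt sources, which
              # then shows up in the table as an update with a blank version.
              available_version=$(apt-cache policy "$pkg_name" | grep Candidate | awk '{print $2}')
              echo "Package: $pkg_name"
              echo " Current pinned version: $current_version"
              echo " Latest available version: $available_version"
              echo ""
              if [ "$current_version" != "$available_version" ]; then
                update_status="Yes"
                updates_available=true
              else
                update_status="No"
              fi
              echo "| $pkg_name | $current_version | $available_version | $update_status |" >> "$report"
            done < pinned_apt_packages.txt

            echo "" >> "$report"
            if [ "$updates_available" = true ]; then
              {
                echo "## Action Required"
                echo "Please update the pinned versions in the workflow files to the latest available versions."
              } >> "$report"
              echo "updates_available=true" >> "$GITHUB_OUTPUT"
              echo "Check complete. Manual update required for outdated packages."
            else
              {
                echo "## No Action Required"
                echo "All pinned packages are up to date."
              } >> "$report"
              echo "updates_available=false" >> "$GITHUB_OUTPUT"
              echo "Check complete. No manual update required."
            fi
          else
            echo "No pinned apt packages found in workflow files."
            {
              echo "## No Pinned Packages Found"
              echo "No pinned apt packages were found in the workflow files."
            } >> "$report"
            echo "updates_available=false" >> "$GITHUB_OUTPUT"
          fi

      # Only runs when the previous step found at least one outdated pin.
      - name: Handle issue creation/update
        if: steps.check-updates.outputs.updates_available == 'true'
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            const fs = require('fs');
            const content = fs.readFileSync('./apt_update_report.md', 'utf8');
            const title = 'Outdated apt packages in workflows';

            // Look for an open tracking issue with the same title and labels
            // so repeated runs update one issue instead of opening a new one.
            // per_page raised above the default of 30 so the match is not
            // missed once the label pair is used on many open issues.
            const existingIssues = await github.rest.issues.listForRepo({
              owner: context.repo.owner,
              repo: context.repo.repo,
              labels: 'dependencies,apt',
              state: 'open',
              per_page: 100
            });
            const existingIssue = existingIssues.data.find(issue =>
              issue.title === title
            );

            if (existingIssue) {
              // Update existing issue
              await github.rest.issues.update({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: existingIssue.number,
                body: content
              });
              console.log(`Updated existing issue #${existingIssue.number}`);
            } else {
              // Create new issue
              await github.rest.issues.create({
                owner: context.repo.owner,
                repo: context.repo.repo,
                title: title,
                body: content,
                labels: ['dependencies', 'apt']
              });
              console.log('Created new issue for outdated packages');
            }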