auto-update-tools.yml
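---
# This workflow is used to update the custom tooling versions for the project.
#
# We prefer to use Dependabot to update external dependencies, but at this time it does not include Homebrew as a supported package manager (https://docs.github.com/en/code-security/dependabot/ecosystems-supported-by-dependabot/supported-ecosystems-and-repositories).
# Furthermore, neither `swiftlint` nor `clang-format` are listed as dependencies in our repository, therefore also not picked up by Dependabot.
#
# Therefore we are using a custom workflow to update relevant files and open a pull request with the changes.
name: "Automation: Update tooling versions"

on:
  schedule:
    - cron: "0 0 * * *"
  workflow_dispatch:
  pull_request:

# Permissions configuration:
# - 'contents: write' is required to allow the workflow to commit changes to the repository
#   when updating the tooling version files and creating branches for pull requests.
# - 'pull-requests: write' is required to allow the workflow to create pull requests
#   using the peter-evans/create-pull-request action when tooling version updates are available.
# NOTE(review): the commit/PR steps below authenticate with the GitHub App token rather than
#   GITHUB_TOKEN, so these workflow-wide grants could likely be narrowed per job (files-changed
#   only reads) — confirm against the create-pull-request inputs before narrowing.
permissions:
  contents: write
  pull-requests: write

# Concurrency configuration:
# - For pull requests, we use a workflow-and-ref–scoped group to keep runs isolated per PR while
#   still cancelling outdated runs on the same PR.
# - For non-PR events (schedule, workflow_dispatch), we use a fixed global group so only
#   one repository-wide run can execute at a time, preventing race conditions when creating
#   branches and pull requests.
# - We enable cancellation of in-progress runs because only the most recent run matters for
#   version updates. This conserves GitHub Actions minutes and ensures we always work with the
#   latest repository state.
concurrency:
  group: ${{ github.event_name == 'pull_request' && format('{0}-{1}', github.workflow, github.ref) || 'auto-update-tools' }}
  cancel-in-progress: true

jobs:
  # This job detects if the PR contains changes that require running auto-update-tools.
  # If yes, the job will output a flag that will be used by the next job to run the auto-update-tools.
  # If no, the job will output a flag that will be used by the next job to skip running the auto-update-tools.
  # At the end of this workflow, a check called auto_update_tools-required-check validates that
  # auto-update-tools either passed or was skipped.
  files-changed:
    name: Detect File Changes
    runs-on: ubuntu-latest
    # Map a step output to a job output
    outputs:
      run_auto_update_tools_for_prs: ${{ steps.changes.outputs.run_auto_update_tools_for_prs }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Get changed files
        id: changes
        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        with:
          token: ${{ github.token }}
          filters: .github/file-filters.yml

  # Updates the pinned tool versions and, on scheduled/manual runs only, opens one pull request
  # per tool. On pull_request events the job only verifies that the versions are consistent.
  auto-update-tools:
    if: github.event_name != 'pull_request' || needs.files-changed.outputs.run_auto_update_tools_for_prs == 'true'
    needs: files-changed
    runs-on: macos-15
    steps:
      - name: Generate GitHub App Token
        id: app_token
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        with:
          app-id: ${{ vars.SENTRY_DEPENDENCY_UPDATER_GITHUB_APP_ID }}
          private-key: ${{ secrets.SENTRY_DEPENDENCY_UPDATER_GITHUB_APP_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
      - name: Checkout Repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          token: ${{ steps.app_token.outputs.token }}
          # The app token is only needed by the create-pull-request steps below, which receive it
          # explicitly via `token:`. Do not leave it persisted in .git/config while the
          # repository-controlled `make` targets run (this job also runs on pull_request events).
          # NOTE(review): confirm no make target needs authenticated git access before relying on this.
          persist-credentials: false
      - name: Update Homebrew
        run: brew update
      - name: Install Tools
        run: make init
      - name: Update tooling versions
        run: make update-versions
      - name: Check tooling versions
        run: make check-versions
      - name: Print git status and changes
        run: |
          git status
          git diff HEAD
      - name: Create pull request for clang-format version
        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
        with:
          token: ${{ steps.app_token.outputs.token }}
          add-paths: scripts/.clang-format-version
          branch: github-actions/auto-update-tools-clang-format
          commit-message: "chore(deps): Update clang-format version"
          delete-branch: true
          title: "chore(deps): Update clang-format version"
          sign-commits: true
          base: main
      - name: Create pull request for swiftlint version
        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
        with:
          token: ${{ steps.app_token.outputs.token }}
          add-paths: scripts/.swiftlint-version
          branch: github-actions/auto-update-tools-swiftlint
          commit-message: "chore(deps): Update swiftlint version"
          delete-branch: true
          title: "chore(deps): Update swiftlint version"
          sign-commits: true
          base: main
      - name: Run CI Diagnostics
        if: failure()
        run: ./scripts/ci-diagnostics.sh

  # This check validates that either auto-update-tools passed or was skipped, which allows us
  # to make auto-update-tools a required check while only running auto-update-tools when required.
  # So, we don't have to run auto-update-tools, for example, for unrelated changes.
  auto_update_tools-required-check:
    needs: [files-changed, auto-update-tools]
    name: Auto Update Tools
    # This is necessary since a failed/skipped dependent job would cause this job to be skipped
    if: always()
    runs-on: ubuntu-latest
    steps:
      # If any job we depend on fails, gets cancelled or times out, this job will fail.
      # Skipped jobs are not considered failures.
      - name: Check for failures
        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
        run: |
          echo "One of the auto-update-tools jobs has failed." && exit 1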