Skip to content

Introduce a script for doing GHA pin bumps #13251

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Introduce a script for doing GHA pin bumps #13251

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
194 changes: 194 additions & 0 deletions .github/bin/bump_dependency.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,194 @@
import argparse
import os
import re
import subprocess
import sys
from datetime import datetime


def get_remote_commit_sha(repo_url: str, branch: str) -> str:
output = subprocess.check_output(
["git", "ls-remote", repo_url, f"refs/heads/{branch}"], text=True
)
return output.split("\t")[0]


def get_remote_latest_tag(repo_url: str, tag_pattern: str) -> str:
output = subprocess.check_output(
["git", "ls-remote", "--tags", repo_url], text=True
)
tags = []
for line in output.split("\n"):
if line.strip():
parts = line.split("\t")
if len(parts) == 2:
ref = parts[1]
if ref.startswith("refs/tags/") and not ref.endswith("^{}"):
tag = ref.replace("refs/tags/", "")
if re.match(tag_pattern + "$", tag):
tags.append(tag)

def version_key(tag: str) -> tuple[int, ...]:
version = tag.lstrip("v")
return tuple(map(int, version.split(".")))

return sorted(tags, key=version_key)[-1]


def get_current_version_from_file(file_path: str, pattern: str) -> str:
with open(file_path) as f:
content = f.read()

match = re.search(pattern, content)
return match.group(1)


def update_file_version(
file_path: str, old_pattern: str, new_value: str, comment_pattern: str
) -> None:
with open(file_path) as f:
content = f.read()

new_content = re.sub(old_pattern, new_value, content)

current_date = datetime.now().strftime("%b %d, %Y")
new_content = re.sub(
comment_pattern,
lambda m: m.group(0).split(", as of")[0] + f", as of {current_date}.",
new_content,
)

with open(file_path, "w") as f:
f.write(new_content)


def generate_commit_message(
repo_name: str,
repo_url: str,
old_version: str,
new_version: str,
is_tag: bool,
commit_url_template: str,
diff_url_template: str,
) -> str:
if is_tag:
version_link = (
f"[Tag: {new_version}]({repo_url}/releases/tag/{new_version})"
)
diff_url = diff_url_template.format(
repo_url=repo_url, old_version=old_version, new_version=new_version
)
diff_link = f"[Diff]({diff_url})"
description = "between the previously used tag and the new tag."
else:
commit_url = commit_url_template.format(
repo_url=repo_url, version=new_version
)
version_link = f"[Commit: {new_version}]({commit_url})"
diff_url = diff_url_template.format(
repo_url=repo_url, old_version=old_version, new_version=new_version
)
diff_link = f"[Diff]({diff_url})"
description = (
"between the last commit hash merged to this repository "
"and the new commit."
)

return f"## {repo_name}\n{version_link}\n\n{diff_link} {description}"


def main() -> int:
parser = argparse.ArgumentParser(
description="Bump a single dependency version"
)
parser.add_argument(
"--name", required=True, help="Display name for the dependency"
)
parser.add_argument("--repo-url", required=True, help="Git repository URL")
parser.add_argument(
"--branch", default="main", help="Branch to check (default: main)"
)
parser.add_argument(
"--file-path", required=True, help="File containing current version"
)
parser.add_argument(
"--current-version-pattern",
required=True,
help="Regex to extract current version (group 1)",
)
parser.add_argument(
"--update-pattern", required=True, help="Regex pattern for replacement"
)
parser.add_argument(
"--comment-pattern",
required=True,
help="Regex pattern for comment update",
)
parser.add_argument(
"--tag", action="store_true", help="Check tags instead of commits"
)
parser.add_argument(
"--tag-pattern", default=r"v[0-9\.]*", help="Pattern for tag matching"
)
parser.add_argument(
"--commit-url-template",
default="{repo_url}/commit/{version}",
help="Template for commit URLs",
)
parser.add_argument(
"--diff-url-template",
default="{repo_url}/compare/{old_version}...{new_version}",
help="Template for diff URLs",
)

args = parser.parse_args()

current_version = get_current_version_from_file(
args.file_path, args.current_version_pattern
)

if args.tag:
latest_version = get_remote_latest_tag(args.repo_url, args.tag_pattern)
else:
latest_version = get_remote_commit_sha(args.repo_url, args.branch)

if current_version == latest_version:
print(f"{args.name}: No update needed (current: {current_version})")
with open(os.environ["GITHUB_OUTPUT"], "a") as f:
f.write("HAS_UPDATES=false\n")
return 0

print(
f"{args.name}: Update available "
f"({current_version} -> {latest_version})"
)

replacement = args.update_pattern.replace("{new_version}", latest_version)
update_file_version(
args.file_path,
args.current_version_pattern,
replacement,
args.comment_pattern,
)

commit_msg = generate_commit_message(
args.name,
args.repo_url,
current_version,
latest_version,
args.tag,
args.commit_url_template,
args.diff_url_template,
)

with open(os.environ["GITHUB_OUTPUT"], "a") as f:
f.write("COMMIT_MSG<<EOF\n")
f.write(commit_msg)
f.write("\nEOF\n")
f.write("HAS_UPDATES=true\n")

return 0


if __name__ == "__main__":
sys.exit(main())
103 changes: 38 additions & 65 deletions .github/workflows/boring-open-awslc-bump.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,75 +17,48 @@ jobs:
with:
# Needed so we can push back to the repo
persist-credentials: true
- id: check-sha-boring
- id: bump-boringssl
run: |
SHA=$(git ls-remote https://boringssl.googlesource.com/boringssl refs/heads/main | cut -f1)
LAST_COMMIT=$(grep boringssl .github/workflows/ci.yml | grep TYPE | grep -oE '[a-f0-9]{40}')
if ! grep -q "$SHA" .github/workflows/ci.yml; then
echo "COMMIT_SHA=${SHA}" >> $GITHUB_OUTPUT
echo "COMMIT_MSG<<EOF" >> $GITHUB_OUTPUT
echo -e "## BoringSSL\n[Commit: ${SHA}](https://boringssl.googlesource.com/boringssl/+/${SHA})\n\n[Diff](https://boringssl.googlesource.com/boringssl/+/${LAST_COMMIT}..${SHA}) between the last commit hash merged to this repository and the new commit." >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
fi
- id: check-sha-openssl
run: |
SHA=$(git ls-remote https://github.com/openssl/openssl refs/heads/master | cut -f1)
LAST_COMMIT=$(grep openssl .github/workflows/ci.yml | grep TYPE | grep -oE '[a-f0-9]{40}')
if ! grep -q "$SHA" .github/workflows/ci.yml; then
echo "COMMIT_SHA=${SHA}" >> $GITHUB_OUTPUT
echo "COMMIT_MSG<<EOF" >> $GITHUB_OUTPUT
echo -e "## OpenSSL\n[Commit: ${SHA}](https://github.com/openssl/openssl/commit/${SHA})\n\n[Diff](https://github.com/openssl/openssl/compare/${LAST_COMMIT}...${SHA}) between the last commit hash merged to this repository and the new commit." >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
fi
- id: check-tag-aws-lc
run: |
# Get the latest tag from AWS-LC repository
LATEST_TAG=$(git ls-remote --tags https://github.com/aws/aws-lc.git | grep -o 'refs/tags/v[0-9\.]*$' | sort -V | tail -1 | sed 's|refs/tags/||')
CURRENT_TAG=$(grep aws-lc .github/workflows/ci.yml | grep VERSION | grep -o 'v[0-9\.]*')
if [ "$LATEST_TAG" != "$CURRENT_TAG" ]; then
echo "NEW_TAG=${LATEST_TAG}" >> $GITHUB_OUTPUT
echo "COMMIT_MSG<<EOF" >> $GITHUB_OUTPUT
echo -e "## AWS-LC\n[Tag: ${LATEST_TAG}](https://github.com/aws/aws-lc/releases/tag/${LATEST_TAG})\n\n[Diff](https://github.com/aws/aws-lc/compare/${CURRENT_TAG}...${LATEST_TAG}) between the previously used tag and the new tag." >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
fi
- name: Update boring
run: |
set -xe
CURRENT_DATE=$(date "+%b %d, %Y")
sed -E -i "s/Latest commit on the BoringSSL main branch.*/Latest commit on the BoringSSL main branch, as of ${CURRENT_DATE}./" .github/workflows/ci.yml
sed -E -i "s/TYPE: \"boringssl\", VERSION: \"[0-9a-f]{40}\"/TYPE: \"boringssl\", VERSION: \"${COMMIT_SHA}\"/" .github/workflows/ci.yml
git status
if: steps.check-sha-boring.outputs.COMMIT_SHA
env:
COMMIT_SHA: ${{ steps.check-sha-boring.outputs.COMMIT_SHA }}
- name: Update OpenSSL
python3 .github/bin/bump_dependency.py \
--name "BoringSSL" \
--repo-url "https://boringssl.googlesource.com/boringssl" \
--branch "main" \
--file-path ".github/workflows/ci.yml" \
--current-version-pattern 'TYPE: "boringssl", VERSION: "([a-f0-9]{40})"' \
--update-pattern 'TYPE: "boringssl", VERSION: "{new_version}"' \
--comment-pattern 'Latest commit on the BoringSSL main branch.*?\.' \
--commit-url-template "{repo_url}/+/{version}" \
--diff-url-template "{repo_url}/+/{old_version}..{new_version}"
- id: bump-openssl
run: |
set -xe
CURRENT_DATE=$(date "+%b %d, %Y")
sed -E -i "s/Latest commit on the OpenSSL master branch.*/Latest commit on the OpenSSL master branch, as of ${CURRENT_DATE}./" .github/workflows/ci.yml
sed -E -i "s/TYPE: \"openssl\", VERSION: \"[0-9a-f]{40}\"/TYPE: \"openssl\", VERSION: \"${COMMIT_SHA}\"/" .github/workflows/ci.yml
git status
if: steps.check-sha-openssl.outputs.COMMIT_SHA
env:
COMMIT_SHA: ${{ steps.check-sha-openssl.outputs.COMMIT_SHA }}
- name: Update AWS-LC
python3 .github/bin/bump_dependency.py \
--name "OpenSSL" \
--repo-url "https://github.com/openssl/openssl" \
--branch "master" \
--file-path ".github/workflows/ci.yml" \
--current-version-pattern 'TYPE: "openssl", VERSION: "([a-f0-9]{40})"' \
--update-pattern 'TYPE: "openssl", VERSION: "{new_version}"' \
--comment-pattern 'Latest commit on the OpenSSL master branch.*?\.'
- id: bump-awslc
run: |
set -xe
CURRENT_DATE=$(date "+%b %d, %Y")
sed -E -i "s/Latest tag of AWS-LC main branch, as of .*/Latest tag of AWS-LC main branch, as of ${CURRENT_DATE}./" .github/workflows/ci.yml
sed -E -i "s/TYPE: \"aws-lc\", VERSION: \"v[0-9\.]*\"/TYPE: \"aws-lc\", VERSION: \"${NEW_TAG}\"/" .github/workflows/ci.yml
git status
if: steps.check-tag-aws-lc.outputs.NEW_TAG
env:
NEW_TAG: ${{ steps.check-tag-aws-lc.outputs.NEW_TAG }}
python3 .github/bin/bump_dependency.py \
--name "AWS-LC" \
--repo-url "https://github.com/aws/aws-lc" \
--branch "main" \
--file-path ".github/workflows/ci.yml" \
--current-version-pattern 'TYPE: "aws-lc", VERSION: "(v[0-9\.]*)"' \
--update-pattern 'TYPE: "aws-lc", VERSION: "{new_version}"' \
--comment-pattern 'Latest tag of AWS-LC main branch, as of .*?\.' \
--tag \
--tag-pattern 'v[0-9\.]*'
- name: Check for updates
run: git status
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
id: generate-token
with:
app_id: ${{ secrets.BORINGBOT_APP_ID }}
private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }}
if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA || steps.check-tag-aws-lc.outputs.NEW_TAG
if: steps.bump-boringssl.outputs.HAS_UPDATES == 'true' || steps.bump-openssl.outputs.HAS_UPDATES == 'true' || steps.bump-awslc.outputs.HAS_UPDATES == 'true'
Copy link
Preview

Copilot AI Aug 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The condition should be consistent with line 74. Either both should check for 'true' string or both should use boolean evaluation without explicit string comparison.

Copilot uses AI. Check for mistakes.

- name: Create Pull Request
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
with:
Expand All @@ -94,8 +67,8 @@ jobs:
title: "Bump BoringSSL, OpenSSL, AWS-LC in CI"
author: "pyca-boringbot[bot] <pyca-boringbot[bot][email protected]>"
body: |
${{ steps.check-sha-boring.outputs.COMMIT_MSG }}
${{ steps.check-sha-openssl.outputs.COMMIT_MSG }}
${{ steps.check-tag-aws-lc.outputs.COMMIT_MSG }}
${{ steps.bump-boringssl.outputs.COMMIT_MSG }}
${{ steps.bump-openssl.outputs.COMMIT_MSG }}
${{ steps.bump-awslc.outputs.COMMIT_MSG }}
token: ${{ steps.generate-token.outputs.token }}
if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA || steps.check-tag-aws-lc.outputs.NEW_TAG
if: steps.bump-boringssl.outputs.HAS_UPDATES == 'true' || steps.bump-openssl.outputs.HAS_UPDATES == 'true' || steps.bump-awslc.outputs.HAS_UPDATES == 'true'
Loading
Loading