feat: add setup-safe-chain action and auto-update workflow (#966)

shm11C3 · web-flow · commit 7d22d0a1a4eb · 2025-12-29T03:27:54.000+09:00
diff --git a/.github/actions/setup-node/action.yml b/.github/actions/setup-node/action.yml
@@ -19,17 +19,8 @@ runs:
         node-version: ${{ inputs.node-version }}
         cache: "npm"
 
-    - name: Setup safe-chain (Windows)
-      if: runner.os == 'Windows'
-      shell: pwsh
-      run: |
-        iex (iwr "https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.ps1" -UseBasicParsing)
-
-    - name: Setup safe-chain (Unix)
-      if: runner.os != 'Windows'
-      shell: bash
-      run: |
-        curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci
+    - name: Setup safe-chain
+      uses: ./.github/actions/setup-safe-chain
 
     - name: Install dependencies
       if: inputs.install-deps == 'true'
diff --git a/.github/actions/setup-safe-chain/action.yml b/.github/actions/setup-safe-chain/action.yml
@@ -0,0 +1,61 @@
+name: "Setup safe-chain"
+description: "Install pinned safe-chain with caching"
+inputs:
+  safe-chain-version:
+    description: "safe-chain version to install (pinned by default)"
+    required: false
+    default: "1.3.3"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Cache safe-chain (Windows)
+      if: runner.os == 'Windows'
+      uses: actions/cache@v4
+      with:
+        path: ${{ env.USERPROFILE }}\\.safe-chain\\bin
+        key: safe-chain-${{ runner.os }}-${{ runner.arch }}-${{ inputs.safe-chain-version }}
+
+    - name: Cache safe-chain (Unix)
+      if: runner.os != 'Windows'
+      uses: actions/cache@v4
+      with:
+        path: ~/.safe-chain/bin
+        key: safe-chain-${{ runner.os }}-${{ runner.arch }}-${{ inputs.safe-chain-version }}
+
+    - name: Add safe-chain to PATH (Windows)
+      if: runner.os == 'Windows'
+      shell: pwsh
+      run: |
+        "$env:USERPROFILE\\.safe-chain\\bin" | Out-File -FilePath $env:GITHUB_PATH -Append -Encoding utf8
+
+    - name: Add safe-chain to PATH (Unix)
+      if: runner.os != 'Windows'
+      shell: bash
+      run: |
+        echo "$HOME/.safe-chain/bin" >> "$GITHUB_PATH"
+
+    - name: Setup safe-chain (Windows)
+      if: runner.os == 'Windows'
+      shell: pwsh
+      run: |
+        $ErrorActionPreference = 'Stop'
+
+        $version = '${{ inputs.safe-chain-version }}'
+        $env:SAFE_CHAIN_VERSION = $version
+
+        $installScriptUrl = "https://raw.githubusercontent.com/AikidoSec/safe-chain/$version/install-scripts/install-safe-chain.ps1"
+        $scriptPath = Join-Path $env:RUNNER_TEMP 'install-safe-chain.ps1'
+
+        Invoke-WebRequest -Uri $installScriptUrl -OutFile $scriptPath -UseBasicParsing
+        & $scriptPath -ci
+
+    - name: Setup safe-chain (Unix)
+      if: runner.os != 'Windows'
+      shell: bash
+      env:
+        SAFE_CHAIN_VERSION: ${{ inputs.safe-chain-version }}
+      run: |
+        set -euo pipefail
+
+        curl -fsSL "https://raw.githubusercontent.com/AikidoSec/safe-chain/${{ inputs.safe-chain-version }}/install-scripts/install-safe-chain.sh" | sh -s -- --ci
diff --git a/.github/workflows/auto-update-safe-chain.yml b/.github/workflows/auto-update-safe-chain.yml
@@ -0,0 +1,115 @@
+name: Auto update safe-chain version
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Every Monday 09:30 JST (00:30 UTC)
+    - cron: "30 0 * * 1"
+
+permissions:
+  contents: write
+  pull-requests: write
+
+concurrency:
+  group: auto-update-safe-chain
+  cancel-in-progress: true
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/create-github-app-token@v2
+        id: generate-token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 1
+
+      - name: Resolve latest safe-chain release tag
+        id: resolve
+        env:
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+        run: |
+          set -euo pipefail
+
+          api_url='https://api.github.com/repos/AikidoSec/safe-chain/releases/latest'
+          latest_tag="$(
+            curl -fsSL \
+              -H "Authorization: Bearer ${GH_TOKEN}" \
+              -H 'Accept: application/vnd.github+json' \
+              -H 'X-GitHub-Api-Version: 2022-11-28' \
+              "$api_url" \
+              | node -e 'let s=""; process.stdin.on("data",c=>s+=c); process.stdin.on("end",()=>{console.log(JSON.parse(s).tag_name)})'
+          )"
+
+          if [ -z "$latest_tag" ]; then
+            echo 'Failed to resolve latest safe-chain tag.' >&2
+            exit 1
+          fi
+
+          echo "latest_tag=$latest_tag" >> "$GITHUB_OUTPUT"
+
+      - name: Update pinned safe-chain version
+        env:
+          LATEST_TAG: ${{ steps.resolve.outputs.latest_tag }}
+        run: |
+          set -euo pipefail
+
+          file='.github/actions/setup-safe-chain/action.yml'
+
+          if ! grep -q '^  safe-chain-version:' "$file"; then
+            echo "Expected 'safe-chain-version' input not found in $file" >&2
+            exit 1
+          fi
+
+          current="$(
+            node -e 'const fs=require("fs"); const y=fs.readFileSync(process.argv[1],"utf8"); const m=y.match(/^\s*safe-chain-version:\n(?:.|\n)*?^\s*default:\s*"([^"]+)"/m); console.log(m?m[1]:"")' "$file"
+          )"
+
+          if [ -z "$current" ]; then
+            echo "Failed to parse current pinned version from $file" >&2
+            exit 1
+          fi
+
+          if [ "$current" = "$LATEST_TAG" ]; then
+            echo "Already up-to-date: $current"
+            exit 0
+          fi
+
+          node -e '
+            const fs=require("fs");
+            const file=process.argv[1];
+            const latest=process.argv[2];
+            const text=fs.readFileSync(file,"utf8");
+            const updated=text.replace(
+              /(\n\s*safe-chain-version:\n(?:.|\n)*?\n\s*default:\s*")([^"]+)("\s*\n)/m,
+              `$1${latest}$3`
+            );
+            if (updated===text) process.exit(2);
+            fs.writeFileSync(file,updated);
+          ' "$file" "$LATEST_TAG"
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          commit-message: "chore(ci): bump safe-chain"
+          title: "chore(ci): bump safe-chain"
+          body: |
+            This PR was created automatically.
+
+            - Updates pinned safe-chain version in `.github/actions/setup-safe-chain/action.yml`
+            - Schedule: weekly
+          branch: chore/auto-safe-chain-bump
+          add-paths: |
+            .github/actions/setup-safe-chain/action.yml
+          delete-branch: true
+          labels: |
+            dependencies
+            automated
+          signoff: false
