chore: refactor Updatecli workflow execution (#41)

Signed-off-by: Olivier Vernin <olivier@vernin.me>

Author: olblak

.github/workflows/updatecli.yaml

@@ -1,34 +1,26 @@
-name: updatecli
+name: Updatecli
 on:
+  release:
   workflow_dispatch:
-  push:
-  pull_request:
   schedule:
-    # * is a special character in YAML so you have to quote this string
-    # Run every hour
-    - cron: '0 * * * *'
+    # Run at 12:00 every Saterday every 14 days
+    - cron: "0 12 */14 * 6"
 jobs:
   updatecli:
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@v3"
+        uses: "actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8" # v6.0.1
       - name: "Setup updatecli"
-        uses: "updatecli/updatecli-action@v2"
-      - name: "Run updatecli in dryrun"
-        run: "updatecli compose diff"
-        env:
-          GITHUB_ACTOR: ${{ github.actor }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        id: generate_token
-        if: github.ref == 'refs/heads/main'
+        uses: "updatecli/updatecli-action@b846825b298f5351abd80f94c4f9eab63a38a804" # v2.98.0
         with:
-          app-id: ${{ secrets.UPDATECLIBOT_APP_ID }}
-          private-key: ${{ secrets.UPDATECLIBOT_APP_PRIVKEY }}
+          version: "v0.113.0"
       - name: "Run updatecli"
-        if: github.ref == 'refs/heads/main'
-        run: "updatecli compose apply"
+        run: updatecli compose apply --clean-git-branches=true --experimental
         env:
-          GITHUB_ACTOR: ${{ secrets.UPDATECLI_BOT_GITHUB_ACTOR }}
-          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+          UPDATECLI_GITHUB_APP_CLIENT_ID: ${{ secrets.UPDATECLIBOT_APP_ID }}
+          UPDATECLI_GITHUB_APP_PRIVATE_KEY: ${{ secrets.UPDATECLIBOT_APP_PRIVKEY }}
+          UPDATECLI_GITHUB_APP_INSTALLATION_ID: ${{ secrets.UPDATECLIBOT_APP_INSTALLATION_ID }}
+          UPDATECLI_UDASH_API_URL: ${{ secrets.UPDATECLI_UDASH_API_URL }}
+          UPDATECLI_UDASH_ACCESS_TOKEN: ${{ secrets.UPDATECLI_UDASH_ACCESS_TOKEN }}
+          UPDATECLI_UDASH_URL: ${{ secrets.UPDATECLI_UDASH_URL }}

.github/workflows/updatecli_test.yaml

@@ -0,0 +1,22 @@
+---
+name: Updatecli Test
+on:
+  pull_request:
+permissions:
+  contents: read
+jobs:
+  updatecli:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout"
+        uses: "actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8" # v6.0.1
+      - name: "Setup updatecli"
+        uses: "updatecli/updatecli-action@b846825b298f5351abd80f94c4f9eab63a38a804" # v2.98.0
+        with:
+          version: "v0.113.0"
+      - name: "Test updatecli in dry-run mode"
+        run: "updatecli compose diff"
+        env:
+          # This step is executed in untrusted context. We use a GitHub token with minimal permissions.
+          GITHUB_ACTOR: ${{ github.actor }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/updatecli_update.yaml

@@ -0,0 +1,29 @@
+---
+name: Updatecli - Update
+on:
+  workflow_dispatch:
+  schedule:
+    # Run daily at 03:00
+    - cron: "0 3 * * *"
+  push:
+    branches:
+      - main
+jobs:
+  updatecli:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout"
+        uses: "actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8" # v6.0.1
+      - name: "Setup updatecli"
+        uses: "updatecli/updatecli-action@b846825b298f5351abd80f94c4f9eab63a38a804" # v2.98.0
+        with:
+          version: "v0.113.0"
+      - name: "Run updatecli only on existing pipelines"
+        run: updatecli compose apply --clean-git-branches=true --existing-only=true --experimental
+        env:
+          UPDATECLI_GITHUB_APP_CLIENT_ID: ${{ secrets.UPDATECLIBOT_APP_ID }}
+          UPDATECLI_GITHUB_APP_PRIVATE_KEY: ${{ secrets.UPDATECLIBOT_APP_PRIVKEY }}
+          UPDATECLI_GITHUB_APP_INSTALLATION_ID: ${{ secrets.UPDATECLIBOT_APP_INSTALLATION_ID }}
+          UPDATECLI_UDASH_API_URL: ${{ secrets.UPDATECLI_UDASH_API_URL }}
+          UPDATECLI_UDASH_ACCESS_TOKEN: ${{ secrets.UPDATECLI_UDASH_ACCESS_TOKEN }}
+          UPDATECLI_UDASH_URL: ${{ secrets.UPDATECLI_UDASH_URL }}

updatecli-compose.yaml

@@ -3,7 +3,14 @@ policies:
     policy: ghcr.io/updatecli/policies/updatecli/autodiscovery:0.7.0@sha256:6890c4b4093a80063f518101881098fab8211c986481641faaf797a9ad5a31c3
     values:
       - updatecli/values.d/scm.yaml
-  - name: Update Helm charts
+
+  - name: Update Helm Charts
     policy: ghcr.io/updatecli/policies/autodiscovery/helm:0.8.0@sha256:2c14bf324ee0a548ec627b607c118fb27c74b72c4a330fc4e1bc35147593553f
     values:
       - updatecli/values.d/scm.yaml
+
+  - name: Update GitHub Actions
+    policy: ghcr.io/updatecli/policies/autodiscovery/githubaction:0.3.0@sha256:3b5425da2a2a2b89bb69463f1294704c33730358c66140efb93cab14b2868b06
+    values:
+      - updatecli/values.d/scm.yaml
+      - updatecli/values.d/githubaction.yaml

updatecli/values.d/githubaction.yaml

@@ -0,0 +1,3 @@
+spec:
+  digest: true
+  rootdir: '.github'