chore: refactor updatecli execution (#329)

* chore: refactor updatecli execution

Signed-off-by: Olivier Vernin <olivier@vernin.me>

* fix: merge jobs

Signed-off-by: Olivier Vernin <olivier@vernin.me>

---------

Signed-off-by: Olivier Vernin <olivier@vernin.me>

Author: olblak

.github/workflows/updatecli.yaml

@@ -1,51 +1,35 @@
-name: updatecli
+name: Updatecli
 on:
+  release:
   workflow_dispatch:
-  push:
-  pull_request:
   schedule:
-    # * is a special character in YAML so you have to quote this string
-    # Run every hour
-    - cron: '0 * * * *'
+    # Run at 12:00 every Saterday every 14 days
+    - cron: '0 12 */14 * 6'
+
 jobs:
-  updatecli:
-    runs-on: ubuntu-24.04
+  prepare:
+    runs-on: ubuntu-latest
     steps:
       - name: "Checkout"
-        uses: "actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8" # v5.0.0
+        uses: "actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3" # v6.0.0
+
       - name: "Setup updatecli"
-        uses: "updatecli/updatecli-action@v2"
-      - name: Set up Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: "updatecli/updatecli-action@5ca36367fadc6ad94d590984fd9c696e783ec635" # v2.96.0
         with:
-          go-version-file: 'go.mod'
-          check-latest: true
-        id: go
-      - name: Install Swagger
-        run: "go install github.com/swaggo/swag/cmd/swag@$SWAGGER_VERSION"
-        env:
-          SWAGGER_VERSION: v1.16.6
-      - name: "Run updatecli in dryrun"
-        run: "updatecli compose diff"
-        env:
-          GITHUB_ACTOR: ${{ github.actor }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
-        id: generate_token
-        if: github.ref == 'refs/heads/main'
+          version: "v0.113.0-rc.1"
+
+      - name: "Set up Go"
+        uses: "actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c" # v6.1.0
         with:
-          app_id: ${{ secrets.UPDATECLIBOT_APP_ID }}
-          private_key: ${{ secrets.UPDATECLIBOT_APP_PRIVKEY }}
-      - name: "Login Udash"
-        if: github.ref == 'refs/heads/main'
-        run: "updatecli udash login --experimental --api-url $UPDATECLI_UDASH_API_URL --oauth-access-token $UPDATECLI_UDASH_ACCESS_TOKEN $UPDATECLI_UDASH_URL"
+          go-version-file: "go.mod"
+        id: go
+
+      - name: "Run updatecli"
+        run: updatecli compose apply --clean-git-branches=true --experimental
         env:
+          UPDATECLI_GITHUB_APP_CLIENT_ID: ${{ secrets.UPDATECLIBOT_APP_ID }}
+          UPDATECLI_GITHUB_APP_PRIVATE_KEY: ${{ secrets.UPDATECLIBOT_APP_PRIVKEY }}
+          UPDATECLI_GITHUB_APP_INSTALLATION_ID: ${{ secrets.UPDATECLIBOT_APP_INSTALLATION_ID }}
           UPDATECLI_UDASH_API_URL: ${{ secrets.UPDATECLI_UDASH_API_URL }}
           UPDATECLI_UDASH_ACCESS_TOKEN: ${{ secrets.UPDATECLI_UDASH_ACCESS_TOKEN }}
           UPDATECLI_UDASH_URL: ${{ secrets.UPDATECLI_UDASH_URL }}
-      - name: "Run updatecli"
-        if: github.ref == 'refs/heads/main'
-        run: "updatecli compose apply --experimental"
-        env:
-          GITHUB_ACTOR: ${{ secrets.UPDATECLI_BOT_GITHUB_ACTOR }}
-          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}

.github/workflows/updatecli_test.yaml

@@ -0,0 +1,32 @@
+name: Updatecli Test
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout"
+        uses: "actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3" # v6.0.0
+
+      - name: "Setup updatecli"
+        uses: "updatecli/updatecli-action@5ca36367fadc6ad94d590984fd9c696e783ec635" # v2.96.0
+        with:
+          version: "v0.113.0-rc.1"
+
+      - name: "Set up Go"
+        uses: "actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c" # v6.1.0
+        with:
+          go-version-file: "go.mod"
+        id: go
+
+      - name: "Test updatecli in dry-run mode"
+        run: "updatecli compose diff"
+        env:
+          # This step is executed in untrusted context. We use a GitHub token with minimal permissions.
+          GITHUB_ACTOR: ${{ github.actor }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/updatecli_update.yaml

@@ -0,0 +1,34 @@
+name: Updatecli - Update
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout"
+        uses: "actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3" # v6.0.0
+
+      - name: "Setup updatecli"
+        uses: "updatecli/updatecli-action@5ca36367fadc6ad94d590984fd9c696e783ec635" # v2.96.0
+        with:
+          version: "v0.113.0-rc.1"
+
+      - name: "Set up Go"
+        uses: "actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c" # v6.1.0
+        with:
+          go-version-file: "go.mod"
+        id: go
+
+      - name: "Run updatecli only on existing pipelines"
+        run: updatecli compose apply --clean-git-branches=true --existing-only=true --experimental
+        env:
+          UPDATECLI_GITHUB_APP_CLIENT_ID: ${{ secrets.UPDATECLIBOT_APP_ID }}
+          UPDATECLI_GITHUB_APP_PRIVATE_KEY: ${{ secrets.UPDATECLIBOT_APP_PRIVKEY }}
+          UPDATECLI_GITHUB_APP_INSTALLATION_ID: ${{ secrets.UPDATECLIBOT_APP_INSTALLATION_ID }}
+          UPDATECLI_UDASH_API_URL: ${{ secrets.UPDATECLI_UDASH_API_URL }}
+          UPDATECLI_UDASH_ACCESS_TOKEN: ${{ secrets.UPDATECLI_UDASH_ACCESS_TOKEN }}
+          UPDATECLI_UDASH_URL: ${{ secrets.UPDATECLI_UDASH_URL }}

updatecli-compose.yaml

@@ -49,3 +49,8 @@ policies:
     values:
       - updatecli/values.d/scm.yaml
       - updatecli/values.d/githubaction.yaml
+
+  - name: Handle Updatecli version in GitHub action
+    policy: ghcr.io/updatecli/policies/updatecli/githubaction:0.7.0@sha256:a97518f118b03d2f63f45378e1961028b07c23d53db91db892893ff240fa5f4e
+    values:
+      - updatecli/values.d/scm.yaml