Skip to content
This repository has been archived by the owner on Apr 9, 2024. It is now read-only.

bump-version

bump-version #80

Workflow file for this run

name: bump-version
on:
workflow_dispatch:
inputs:
version:
description: "Version of semgrep to use"
required: true
type: string
jobs:
bump-version:
runs-on: ubuntu-20.04
permissions:
id-token: write
contents: write
pull-requests: write
checks: write
env:
NEW_SEMGREP_VERSION: ${{ github.event.inputs.version }}
ACTOR: ${{ github.actor }}
RUN_ID: ${{ github.run_id }}
RUN_ATTEMPT: ${{ github.run_attempt }}
steps:
- name: Get JWT for semgrep-ci GitHub App
id: jwt
uses: docker://public.ecr.aws/y9k7q4m1/devops/cicd:latest
env:
EXPIRATION: 600 # seconds
ISSUER: ${{ secrets.SEMGREP_CI_APP_ID }} # semgrep-ci GitHub App id
PRIVATE_KEY: ${{ secrets.SEMGREP_CI_APP_KEY }}
- name: Get token for semgrep-ci GitHub App
id: token
run: |
TOKEN="$(curl -X POST \
-H "Authorization: Bearer ${{ steps.jwt.outputs.jwt }}" \
-H "Accept: application/vnd.github.v3+json" \
"https://api.github.com/app/installations/${{ secrets.SEMGREP_CI_APP_INSTALLATION_ID }}/access_tokens" | \
jq -r .token)"
echo "::add-mask::$TOKEN"
echo "token=$TOKEN" >> $GITHUB_OUTPUT
- uses: actions/checkout@v3
with:
submodules: true
ref: "${{ github.event.repository.default_branch }}"
token: ${{ steps.token.outputs.token }}
- name: Setup Python
uses: actions/setup-python@v2
with:
python-version: "3.9"
- name: Bump semgrep version
run: |
scripts/bump-version "$NEW_SEMGREP_VERSION"
- name: Commit and push
id: commit
run: |
git config user.name ${ACTOR}
git config user.email ${ACTOR}@users.noreply.github.com
BRANCH="gha/bump-version-${NEW_SEMGREP_VERSION}-${RUN_ID}-${RUN_ATTEMPT}"
SUBJECT="Bump semgrep to ${NEW_SEMGREP_VERSION}"
git checkout -b $BRANCH
git add .
git commit -m "$SUBJECT"
git push --set-upstream origin $BRANCH
echo "branch=$BRANCH" >> $GITHUB_OUTPUT
echo "subject=$SUBJECT" >> $GITHUB_OUTPUT
- name: Create PR
id: open-pr
env:
SOURCE: "${{ steps.commit.outputs.branch }}"
TARGET: "${{ github.event.repository.default_branch }}"
TITLE: "chore: Release Version ${{ inputs.version }}"
GITHUB_TOKEN: ${{ steps.token.outputs.token }}
run: |
# check if the branch already has a pull request open
if gh pr list --head ${SOURCE} | grep -vq "no pull requests"; then
# pull request already open
echo "pull request from SOURCE ${SOURCE} to TARGET ${TARGET} is already open";
echo "cancelling release"
exit 1
fi
# open new pull request with the body of from the local template.
gh pr create --title "${TITLE}" --body "Bump Semgrep Version to ${NEW_SEMGREP_VERSION}" \
--base "${TARGET}" --head "${SOURCE}"