diff --git a/.github/workflows/protos.yml b/.github/workflows/protos.yml
index d950f36..d7e455b 100644
--- a/.github/workflows/protos.yml
+++ b/.github/workflows/protos.yml
@@ -18,7 +18,7 @@ jobs:
 steps:
 # Security hardening for GitHub Actions runner
 - name: Harden Runner
- uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
 with:
 egress-policy: audit
@@ -36,44 +36,45 @@ jobs:
 # Install dependencies (needed for ts-proto plugin)
 - name: Install Dependencies
- uses: bahmutov/npm-install@3e063b974f0d209807684aa23e534b3dde517fd9 # v1.11.2
- with:
- useLockFile: false
+ run: yarn install --frozen-lockfile --non-interactive
 # Setup Buf CLI - will pull proto from buf.build/permifyco/permify
 - name: Setup Buf
- uses: bufbuild/buf-action@8f4a1456a0ab6a1eb80ba68e53832e6fcfacc16c # v1.3.0
- with:
- setup_only: true
- github_token: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ BUF_VERSION="1.57.0"
+ curl -sSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}/buf-Linux-x86_64" -o "${RUNNER_TEMP}/buf"
+ chmod +x "${RUNNER_TEMP}/buf"
+ echo "${RUNNER_TEMP}" >> "${GITHUB_PATH}"
 # Generate TypeScript code from Buf Schema Registry
 - name: Generate Code with Buf
 run: yarn buf:generate
- # Check if there are any changes
- - name: Check for changes
- id: verify-changes
+ - name: Commit changes
+ id: commitchanges
+ run: |
+ echo "commit changes"
+ scripts/commit-changes.sh "proto-update/permify-latest"
+ shell: bash
+
+ # Push branch and open or update the PR only if there are changes
+ - name: Push changes and open PR
+ if: steps.commitchanges.outputs.changes_made == '1'
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
- if git diff --quiet; then
- echo "has_changes=false" >> $GITHUB_OUTPUT
- echo "No changes detected"
+ BRANCH_NAME="${{ steps.commitchanges.outputs.branch_name }}"
+ PR_TITLE="chore(proto): update generated SDK with latest Permify definitions"
+ PR_BODY="Automatically created PR with the latest generated SDK from Permify proto definitions."
+
+ echo "${BRANCH_NAME}"
+ git push "https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}" "${BRANCH_NAME}"
+
+ PR_NUMBER="$(gh pr list --head "${BRANCH_NAME}" --base main --state open --json number --jq '.[0].number')"
+
+ if [ -n "${PR_NUMBER}" ]; then
+ gh pr edit "${PR_NUMBER}" --title "${PR_TITLE}" --body "${PR_BODY}"
 else
- echo "has_changes=true" >> $GITHUB_OUTPUT
- echo "Changes detected, will create PR"
+ gh pr create --base main --head "${BRANCH_NAME}" --title "${PR_TITLE}" --body "${PR_BODY}" --label dependencies --label automated
 fi
-
- # Create Pull Request only if there are changes
- - name: Create Pull Request
- if: steps.verify-changes.outputs.has_changes == 'true'
- uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- commit-message: "chore(proto): update generated SDK with latest Permify definitions"
- title: "chore(proto): update generated SDK with latest Permify definitions"
- branch: proto-update/permify-latest
- delete-branch: true
- base: main
- labels: |
- dependencies
- automated
+ shell: bash
diff --git a/scripts/commit-changes.sh b/scripts/commit-changes.sh
new file mode 100755
index 0000000..b01fa43
--- /dev/null
+++ b/scripts/commit-changes.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+branch_name="${1:?branch name is required}"
+
+if git diff --quiet; then
+ echo "changes_made=0" >> "${GITHUB_OUTPUT}"
+ echo "No changes detected"
+ exit 0
+fi
+
+git config user.email "github-actions[bot]@users.noreply.github.com"
+git config user.name "github-actions[bot]"
+git checkout -B "${branch_name}"
+git add -A
+git commit -m "chore(proto): update generated SDK with latest Permify definitions"
+
+{
+ echo "changes_made=1"
+ echo "branch_name=${branch_name}"
+} >> "${GITHUB_OUTPUT}"
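Review bot: The new Setup Buf step fetches the buf binary with `curl -sSL` and executes it with no integrity check, whereas the removed `bufbuild/buf-action` line was at least pinned to a commit SHA; a substituted release asset or an HTTP error body would be chmod'd and put on PATH, and the `-sS` flags without `-f` mean a 404 still yields a "successful" file. Add `-f` so HTTP errors fail the step, and verify the download against the checksum buf publishes for that release before the `chmod`, e.g. `curl -fsSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION}/buf-Linux-x86_64" -o "${RUNNER_TEMP}/buf"` followed by `echo "${BUF_SHA256}  ${RUNNER_TEMP}/buf" | sha256sum -c -`, with `BUF_SHA256` pinned next to `BUF_VERSION`. Separately, the push step embeds `${{ secrets.GITHUB_TOKEN }}` into the git remote URL inside the script text; if the checkout step (outside this hunk) keeps the default persisted credentials, `git push origin "${BRANCH_NAME}"` achieves the same without placing the token on a command line at all.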
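Review bot: The guard `if git diff --quiet; then` only detects modifications to tracked files, while the later `git add -A` also stages untracked files, so a run whose only output is newly generated files reports `changes_made=0` and opens no PR, yet a run with a single tracked edit sweeps every untracked file in the working tree into the commit. Use one definition of "changed" for both halves: `if [ -z "$(git status --porcelain)" ]; then` for the guard, and narrow `git add -A` to the generated output directory (its path is not visible here) so stray build artefacts cannot be committed. How much of the tree `.gitignore` covers is also not visible, so confirm the second point against the repository.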