Update locked rpms #71
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Update locked rpms | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: "0 8 * * 0" # every sunday at 8am | |
| jobs: | |
| update-rpms: | |
| runs-on: "ubuntu-24.04" | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| token: ${{ secrets.CI_COMMIT_PUSH_PR }} | |
| - name: Assume AWS role to upload Bazel dependencies to S3 | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite | |
| aws-region: eu-central-1 | |
| - name: Setup bazel | |
| uses: ./.github/actions/setup_bazel_nix | |
| - name: Update rpms | |
| run: bazel run //image/mirror:update_packages | |
| - name: Check if there are any changes | |
| id: git-check | |
| run: | | |
| if git diff --quiet; then | |
| echo "commitChanges=false" | tee -a "${GITHUB_OUTPUT}" | |
| else | |
| echo "commitChanges=true" | tee -a "${GITHUB_OUTPUT}" | |
| fi | |
| - name: Create pull request | |
| uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5 | |
| with: | |
| branch: "image/automated/update-rpms-${{ github.run_number }}" | |
| base: main | |
| title: "image: update locked rpms" | |
| body: | | |
| :robot: *This is an automated PR.* :robot: | |
| The PR is triggered as part of the scheduled rpm update workflow. | |
| It updates the locked rpm packages that form the Constellation OS images. | |
| commit-message: "image: update locked rpms" | |
| committer: edgelessci <[email protected]> | |
| author: edgelessci <[email protected]> | |
| labels: dependencies | |
| # We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work. | |
| token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }} |