feat(ci): go list check versions available for untagged dependencies #8
name: Dependency Check | |
on: | |
pull_request: | |
paths: | |
- 'go.mod' | |
- 'go.sum' | |
- '.github/workflows/dependency-check.yml' | |
jobs: | |
dependency-check: | |
runs-on: ubuntu-latest | |
name: Dependency Check | |
env: | |
V0_PATTERN: 'v0\.0\.0-[0-9]{14}-[0-9a-f]{7,}$' | |
RELEASE_PATTERN: 'v[0-9]+\.[0-9]+\.[0-9]+(\+incompatible)?$' | |
IGNORE_PATTERN: 'dependency-check-ignore:\s' | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: 'recursive' | |
- uses: ./.github/actions/install-go | |
- name: Extract dependencies | |
id: all | |
run: | | |
echo "dependencies<<EOF" >> $GITHUB_OUTPUT | |
# Extract all dependencies from go.mod (include indirect dependencies and comments) | |
sed -n '/require (/,/)/{/require (/!{/)/!p;};}' go.mod | sed 's/^[[:space:]]*//' | tee -a $GITHUB_OUTPUT | |
echo "EOF" >> $GITHUB_OUTPUT | |
- name: Extract unreleased dependencies | |
id: unreleased | |
env: | |
DEPENDENCIES: ${{ steps.all.outputs.dependencies }} | |
run: | | |
echo "dependencies<<EOF" >> $GITHUB_OUTPUT | |
# Strip '// indirect' so we all dependencies the same | |
sed 's/\/\/\s*indirect//' <<< "$DEPENDENCIES" | grep -Pv "$V0_PATTERN|$RELEASE_PATTERN" | tee -a $GITHUB_OUTPUT | |
echo "EOF" >> $GITHUB_OUTPUT | |
- name: Extract unexplained dependencies | |
id: unexplained | |
env: | |
DEPENDENCIES: ${{ steps.unreleased.outputs.dependencies }} | |
run: | | |
echo "dependencies<<EOF" >> $GITHUB_OUTPUT | |
grep -Pv "$IGNORE_PATTERN" <<< "$DEPENDENCIES" | tee -a $GITHUB_OUTPUT | |
echo "EOF" >> $GITHUB_OUTPUT | |
- name: Check v0.0.0 dependencies for available tags | |
id: v0check | |
run: | | |
echo "tagged<<EOF" >> $GITHUB_OUTPUT | |
# Only check direct dependencies - exclude indirect ones entirely | |
grep -P "$V0_PATTERN" go.mod | grep -Pv "$IGNORE_PATTERN" | grep -Pv "\/\/\s*indirect/" | while read -r line; do | |
dep=$(echo "$line" | cut -d' ' -f1) | |
if [ ! -z "$(go list -m -versions $dep 2>/dev/null | awk 'NF>1')" ]; then | |
echo "$dep" | |
fi | |
done | tee -a $GITHUB_OUTPUT | |
echo "EOF" >> $GITHUB_OUTPUT | |
- name: Set outputs, if any | |
if: steps.unexplained.outputs.dependencies != '' || steps.v0check.outputs.tagged != '' | |
env: | |
MESSAGE: | | |
Dependencies requiring attention found in this PR. Please follow the [dependency management conventions](https://github.com/filecoin-project/lotus/blob/master/CONTRIBUTING.md#dependency-management) | |
${{ steps.unexplained.outputs.dependencies != '' && 'Unreleased dependencies:' || '' }} | |
${{ steps.unexplained.outputs.dependencies }} | |
${{ steps.v0check.outputs.tagged != '' && 'v0.0.0 dependencies with available tags:' || '' }} | |
${{ steps.v0check.outputs.tagged }} | |
run: | | |
echo "::error::${MESSAGE//$'\n'/%0A}" | |
exit 1 |
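Review bot: The v0.0.0 step fails open on the `go list -m -versions $dep 2>/dev/null` line: if `go list` errors (proxy unreachable, private module, unparsable path), stderr is discarded, the substitution is empty, and the dependency is treated as having no tags, so the gate passes without having checked anything. `$dep` is also unquoted although it is read from the pull request's go.mod, which leaves it open to word splitting and globbing. I would quote it and let the error reach the log, e.g. `if [ -n "$(go list -m -versions "$dep" | awk 'NF>1')" ]; then`, and decide explicitly whether a failed lookup should fail the job. Separately, the `grep -Pv "\/\/\s*indirect/"` filter ends in a stray `/` and so never matches a `// indirect` comment; this looks harmless only because `V0_PATTERN` ends in `$` and already skips lines that carry a trailing comment.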