Ci/go work/creds #43
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Sync go.work on PRs | |
| # Uses the RUN_WORKFLOW_FROM_WORKFLOW secret if available. Otherwise it is | |
| # necessary to reopen a PR to run more workflows. | |
| name: Sync go.work | |
| on: | |
| pull_request_target: | |
| types: [ opened, reopened, synchronize ] | |
| paths: | |
| - '**/go.mod' | |
| - '**/go.sum' | |
| - 'go.work' | |
| permissions: | |
| contents: write | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref_name }} | |
| cancel-in-progress: true | |
| jobs: | |
| get-token: | |
| # This is only needed if update-sum is run, so it has the same conditions. | |
| # It is a separate step to limit permissions. | |
| if: github.event.pull_request.head.repo.full_name == github.repository | |
| permissions: | |
| contents: read | |
| id-token: write | |
| outputs: | |
| token: ${{ steps.get-token.outputs.token }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.base_ref }} | |
| - id: get-token | |
| uses: ./.github/actions/get-token | |
| with: | |
| token-secret: ${{ secrets.RUN_WORKFLOW_FROM_WORKFLOW }} | |
| update-sum: | |
| # We only run this for pull requests from the same repository. This is | |
| # important for security reasons, as we use pull_request_target. | |
| if: github.event.pull_request.head.repo.full_name == github.repository | |
| needs: [ get-token ] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: true | |
| ref: ${{ github.head_ref }} | |
| fetch-depth: 3 | |
| token: ${{ needs.get-token.outputs.token || github.token }} | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version-file: package.json | |
| - run: corepack enable | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version-file: package.json | |
| cache: yarn | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: go.work | |
| cache-dependency-path: '**/go.sum' | |
| - name: Determine go.mod files | |
| id: go-files | |
| run: >- | |
| printf "go-files=%s go.work\n" | |
| "$(git ls-files '**/go.mod' '**/go.sum' | tr '\r\n' ' ')" | |
| >> "$GITHUB_OUTPUT" | |
| - run: yarn install --frozen-lockfile | |
| - run: yarn lint:go:fix | |
| - name: Check for changes | |
| id: changed | |
| run: | | |
| if [ -n "$(git status --porcelain -- $GO_FILES)" ]; then | |
| echo changed=true >> "$GITHUB_OUTPUT" | |
| else | |
| echo changed= >> "$GITHUB_OUTPUT" | |
| fi | |
| env: | |
| GO_FILES: ${{ steps.go-files.outputs.go-files }} | |
| - name: Commit changes | |
| if: steps.changed.outputs.changed | |
| run: >- | |
| git | |
| -c user.name="$GIT_AUTHOR_NAME" | |
| -c user.email="$GIT_AUTHOR_EMAIL" | |
| commit | |
| --message='Update go modules' | |
| --message="Signed-off-by: $GIT_AUTHOR_NAME <$GIT_AUTHOR_EMAIL>" | |
| -- | |
| $GO_FILES | |
| env: | |
| GIT_AUTHOR_NAME: Rancher Desktop Dependency Manager | |
| GIT_AUTHOR_EMAIL: donotuse@rancherdesktop.io | |
| GO_FILES: ${{ steps.go-files.outputs.go-files }} | |
| - name: Push changes | |
| if: steps.changed.outputs.changed | |
| run: | | |
| git show | |
| git push origin ${{ github.head_ref }} |