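# Reusable GitHub Actions workflow: runs project-keeper's dependency update on
# the repository, commits the result and opens a pull request for it.
#
# Triggers:
#   - workflow_call: called by another workflow that passes the GitHub issues
#     it created for vulnerable dependencies (`vulnerability_issues`, JSONL).
#   - workflow_dispatch: started by hand; no input is declared for this
#     trigger, so the vulnerability-specific parts of the PR text are skipped.
name: Update dependencies
on:
  workflow_call:
    inputs:
      # [impl->dsn~dependency-updater.workflow.vulnerability-info~1]
      vulnerability_issues:
        description: "GitHub issues for vulnerable dependencies as JSONL"
        required: true
        type: string
  workflow_dispatch:
jobs:
  update_dependencies:
    runs-on: ubuntu-latest
    defaults:
      run:
        # An explicit bash shell runs steps under GitHub's `bash -eo pipefail`
        # wrapper, so a failing command anywhere in a pipeline fails the step.
        shell: "bash"
    # Least-privilege token: only what branch creation and PR creation need.
    permissions:
      contents: write # Required for creating new branch
      pull-requests: write # Required for creating new pull request
    # Serialise runs of this workflow; a running update is never cancelled.
    concurrency:
      group: ${{ github.workflow }}
      cancel-in-progress: false
    steps:
      - uses: actions/checkout@v4
        id: checkout
        with:
          fetch-depth: 0
      - name: Set up JDKs
        id: setup-jdks
        uses: actions/setup-java@v4
        with:
          distribution: "temurin"
          java-version: |
            11
            17
          cache: "maven"
      - name: Print issues
        id: debug-print-issues
        run: |
          echo "Issues from Action input: $ISSUES"
        env:
          ISSUES: ${{ inputs.vulnerability_issues }}
      - name: Fail if not running on a branch
        id: check-branch
        if: ${{ !startsWith(github.ref, 'refs/heads/') }}
        uses: actions/github-script@v7
        with:
          # The ref is read from the default GITHUB_REF environment variable
          # instead of being interpolated with `${{ }}` into the JavaScript, so
          # the ref name is data and cannot alter the script
          # (expression-injection hardening).
          script: |
            core.setFailed('Not running on a branch, github.ref is ' + process.env.GITHUB_REF + '. Please start this workflow only on main or a branch')
      - name: Update dependencies
        id: update-dependencies
        # [impl->dsn~dependency-updater.workflow.start-pk-update~1]
        run: |
          mvn --batch-mode com.exasol:project-keeper-maven-plugin:update-dependencies --projects . \
            -Dproject-keeper:vulnerabilities="$CREATED_ISSUES"
        env:
          CREATED_ISSUES: ${{ inputs.vulnerability_issues }}
      - name: Generate Pull Request comment
        id: pr-comment
        # [impl->dsn~dependency-updater.workflow.create-pull-request~1]
        # [impl->dsn~dependency-updater.workflow.pull-request-trigger-ci-build~1]
        # Writes the multi-line step output `comment`, used as the PR body.
        run: |
          # Random heredoc delimiter: the body embeds issue data, so a fixed
          # marker (EOF) could be terminated early by a matching content line.
          delimiter="$(openssl rand -hex 16)"
          {
            echo "comment<<${delimiter}"
            echo 'This Pull Request was created by [`dependencies_update.yml`](https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/dependencies_update.yml) workflow.'
            if [ -n "$CREATED_ISSUES" ]; then
              echo 'It updates dependencies to fix the following vulnerabilities:'
              # Quoted expansion: unquoted, the JSON would be word-split and glob-expanded.
              printf '%s\n' "$CREATED_ISSUES" | jq --raw-output '. | "* Closes " + .issue_url + " (" + .cve + ")"'
            else
              echo 'It updates dependencies.'
            fi
            echo
            echo '# ⚠️ Notes ⚠️'
            echo '## Run PK fix manually'
            echo 'Due to restrictions workflow `dependencies_update.yml` cannot update other workflows, see https://github.com/exasol/project-keeper/issues/578 for details.'
            echo 'Please checkout this PR locally and run `mvn com.exasol:project-keeper-maven-plugin:fix --projects .`'
            echo '## This PR does not trigger CI workflows'
            echo 'Please click the **Close pull request** button and then **Reopen pull request** to trigger running checks.'
            echo 'See https://github.com/exasol/project-keeper/issues/534 for details.'
            echo "${delimiter}"
          } >> "$GITHUB_OUTPUT"
          cat "$GITHUB_OUTPUT"
        env:
          CREATED_ISSUES: ${{ inputs.vulnerability_issues }}
      - name: Generate Pull Request Title
        id: pr-title
        # Writes the step output `title`, used for both the commit and the PR.
        run: |
          if [ -n "$CREATED_ISSUES" ]; then
            echo "Security issues are available"
            echo "title=🔐 Update dependencies to fix vulnerabilities" >> "$GITHUB_OUTPUT"
          else
            echo "Security issues are not available"
            echo "title=Update dependencies" >> "$GITHUB_OUTPUT"
          fi
          cat "$GITHUB_OUTPUT"
        env:
          CREATED_ISSUES: ${{ inputs.vulnerability_issues }}
      - name: Configure git
        id: configure-git
        # NOTE(review): the address below reads "[email protected]" on this page,
        # which looks like an obfuscated rendering of the real bot address — confirm.
        run: |
          git config --global user.email "[email protected]"
          git config --global user.name "Automatic Dependency Updater"
      - name: Create branch
        id: create-branch
        # Only on main: a run on any other branch commits to that branch directly.
        if: ${{ github.ref == 'refs/heads/main' }}
        run: |
          branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")"
          echo "Creating branch $branch_name"
          git checkout -b "$branch_name"
      - name: Commit changes & push
        id: publish-branch
        if: ${{ startsWith(github.ref, 'refs/heads/') }}
        # NOTE(review): `git commit` exits non-zero when there is nothing to
        # commit, which fails the job under `-e`; confirm that is intended.
        run: |
          branch_name=$(git rev-parse --abbrev-ref HEAD)
          echo "Current branch: $branch_name"
          echo "git diff --stat"
          git diff --stat
          echo "git diff --numstat"
          git diff --numstat
          echo "git diff --name-status"
          git diff --name-status
          echo "Adding untracked files:"
          git add . --verbose --all
          echo "Committing changes..."
          git commit --message "$TITLE"
          echo "Pushing branch $branch_name..."
          git push --set-upstream origin "$branch_name"
          echo "Done."
        env:
          TITLE: ${{ steps.pr-title.outputs.title }}
      - name: Create pull request
        id: create-pr
        if: ${{ github.ref == 'refs/heads/main' }}
        run: |
          pr_url=$(gh pr create --base main --title "$TITLE" --body "$COMMENT")
          echo "Created Pull Request: $pr_url"
          echo "pr_url=$pr_url" >> "$GITHUB_OUTPUT"
        env:
          COMMENT: ${{ steps.pr-comment.outputs.comment }}
          TITLE: ${{ steps.pr-title.outputs.title }}
          # The job's own token. GitHub does not run workflows for events created
          # with GITHUB_TOKEN, which is why the PR body asks for a close/reopen.
          GH_TOKEN: ${{ github.token }}
      - name: Report failure Status to Slack channel
        id: report-failure-slack
        # Also run this step in case of failures
        if: ${{ always() }}
        # NOTE(review): third-party action referenced by a mutable tag (here and
        # in the step below); pinning to a full commit SHA is the usual
        # supply-chain hardening for an action that receives a token and a webhook.
        uses: ravsamhq/notify-slack-action@v2
        with:
          status: ${{ job.status }}
          token: ${{ secrets.GITHUB_TOKEN }}
          notification_title: "Dependency check in {repo} has {status_message}"
          message_format: "{emoji} *{workflow}* {status_message} in <{repo_url}|{repo}>"
          notify_when: "failure,cancelled,warnings"
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }}
      - name: Report new Pull Request to Slack channel
        id: report-pr-slack
        if: ${{ steps.create-pr.outputs.pr_url }}
        uses: ravsamhq/notify-slack-action@v2
        with:
          status: ${{ job.status }}
          token: ${{ secrets.GITHUB_TOKEN }}
          notification_title: "Dependency update for {repo} created a Pull Request"
          message_format: "{workflow} created Pull Request ${{ steps.create-pr.outputs.pr_url }}"
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }}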