Template expansions are not aware of shell script syntax, and therefore can potentially result in code injection vulnerabilities when used in code contexts: https://docs.zizmor.sh/audits/#template-injection To avoid this, instead use environment variables to safely store the values of the template expansions. Also (in the process of doing the above) added double-quotes around some instances of variable expansions in shell scripts, which is necessary to avoid unintended word splitting and globbing. (I didn't see any instances where this was actually likely to result in erroneous behavior, but it's good practice and makes shell scripts more robust.) Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
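name: Update Podman version on Podman.io

on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      version:
        description: 'Release version to bump on podman.io'
        required: true
  workflow_call:
    inputs:
      version:
        description: 'Release version to bump on podman.io'
        type: string
        required: true
    secrets:
      PODMANBOT_TOKEN:
        required: true

# Deny the workflow's own GITHUB_TOKEN everything. Every call below that needs
# write access (checkout, push, gh) authenticates with the podmanbot PAT.
permissions: {}

jobs:
  bump:
    name: Bump
    runs-on: ubuntu-24.04
    # Nothing in this job uses GITHUB_TOKEN: the checkout is done with
    # PODMANBOT_TOKEN, `gh` reads GH_TOKEN (the same PAT), and the push goes to
    # the podmanbot fork with the credential persisted by checkout. GITHUB_TOKEN
    # could not push to containers/podman.io anyway, so keep it at zero privilege.
    permissions: {}
    steps:
      - name: Get version
        id: getversion
        # Template expansions are passed through env so the shell never sees
        # `${{ }}` text: tag names and dispatch inputs are attacker-influenceable
        # and would otherwise be interpolated straight into the script.
        env:
          INPUT_VERSION: ${{ inputs.version }}
          TAG_NAME: ${{ github.event.release.tag_name }}
        run: |
          # workflow_dispatch / workflow_call supply the version explicitly;
          # a release event supplies it as the tag name.
          if [[ -z "${INPUT_VERSION}" ]]; then
            VERSION="${TAG_NAME}"
          else
            VERSION="${INPUT_VERSION}"
          fi

          # strip out the prefix v if it's there
          VERSION="${VERSION#v}"
          echo "Bump to ${VERSION}"

          if [[ "${VERSION}" != *-rc* ]] && [[ "${VERSION}" != *-dev ]]; then
            # The value is later interpolated into a sed replacement, a git
            # branch name and a PR title. Only let a plain X.Y.Z release
            # through; anything else (stray quotes, slashes, spaces) is refused
            # rather than written into static/data/global.ts.
            if [[ ! "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
              echo "::error::Refusing to bump podman.io to malformed version '${VERSION}'"
              exit 1
            fi
            echo "notRC=true" >> "$GITHUB_OUTPUT"
          else
            echo "SKIPPING: Version is a RC or a dev, no need to update."
          fi
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"

      - name: Check open PRs
        if: steps.getversion.outputs.notRC == 'true'
        id: checkpr
        env:
          GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
          VERSION: ${{ steps.getversion.outputs.version }}
        run: |
          # Count open PRs from the bot branch for this version; `length` on
          # the JSON array gives 0 when there are none.
          prs=$(gh pr list \
            --repo containers/podman.io \
            --head "bump-podmanv${VERSION}" \
            --state open \
            --json title \
            --jq 'length')
          if ((prs > 0)); then
            echo "SKIPPING: PR already exists to update to v${VERSION}."
          else
            echo "prexists=false" >> "$GITHUB_OUTPUT"
          fi

      # TODO(review): pin to a full commit SHA rather than a mutable tag so a
      # retagged action cannot change what runs with the podmanbot PAT.
      - uses: actions/checkout@v6
        if: >-
          steps.getversion.outputs.notRC == 'true' &&
          steps.checkpr.outputs.prexists == 'false'
        with:
          repository: containers/podman.io
          ref: refs/heads/main
          token: ${{ secrets.PODMANBOT_TOKEN }}
          # Must stay true: the "Open PR" step pushes to the podmanbot fork over
          # https with no credential of its own and relies on the one checkout
          # leaves in .git/config.
          persist-credentials: true

      - name: Check version
        if: >-
          steps.getversion.outputs.notRC == 'true' &&
          steps.checkpr.outputs.prexists == 'false'
        id: checkversion
        env:
          VERSION: ${{ steps.getversion.outputs.version }}
        run: |
          # Check if version is actually higher than one on podman.io.
          # Match any number of digits per component; the previous `\d.\d.\d`
          # pattern (with unescaped dots) could not match e.g. 5.10.0 and left
          # prevversion empty. `|| true` keeps bash -e from aborting before the
          # explicit error below.
          prevversion=$(grep -oP "(?<=export const LATEST_VERSION = ')[0-9]+\.[0-9]+\.[0-9]+" static/data/global.ts || true)
          if [[ -z "${prevversion}" ]]; then
            echo "::error::Could not find LATEST_VERSION in static/data/global.ts"
            exit 1
          fi
          echo "Version currently on site: ${prevversion}"
          echo "Version to update to: ${VERSION}"
          # sort -V -C returns 0 if args are in ascending (non-decreasing)
          # version order, so an equal version must be rejected separately.
          # The variable is VERSION (uppercase); the old `${version}` was unset
          # and made that comparison always true.
          if printf '%s\n' "${prevversion}" "${VERSION}" | sort -V -C && [[ "${prevversion}" != "${VERSION}" ]]; then
            echo "needsUpdate=true" >> "$GITHUB_OUTPUT"
            echo "This release is a higher version, so we need to update podman.io"
          else
            echo "SKIPPING: This release is not a higher version, no need to update."
          fi

      - name: Bump version
        if: >-
          steps.getversion.outputs.notRC == 'true' &&
          steps.checkversion.outputs.needsUpdate == 'true' &&
          steps.checkpr.outputs.prexists == 'false'
        env:
          VERSION: ${{ steps.getversion.outputs.version }}
        run: |
          # Replace the version in static/data/global.ts file. VERSION was
          # validated as X.Y.Z in "Get version", so it cannot carry sed
          # metacharacters or a closing quote; --sandbox additionally rejects
          # the e/r/w commands.
          sed --sandbox -i -e "s/export const LATEST_VERSION = '.*';/export const LATEST_VERSION = '${VERSION}';/g" static/data/global.ts
          echo "Updated file:"
          cat static/data/global.ts

      - name: Open PR
        if: >-
          steps.getversion.outputs.notRC == 'true' &&
          steps.checkversion.outputs.needsUpdate == 'true' &&
          steps.checkpr.outputs.prexists == 'false'
        env:
          GH_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}
          VERSION: ${{ steps.getversion.outputs.version }}
        run: |
          # Make committer the user who triggered the action, either through cutting a release or manual trigger
          # GitHub gives everyone a noreply email associated with their account, use that email for the sign-off
          git config --local user.name "${GITHUB_ACTOR}"
          git config --local user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com"
          bumpbranch="bump-podmanv${VERSION}"
          git checkout -b "${bumpbranch}"
          git add static/data/global.ts
          git commit --signoff -m "Bump Podman to v${VERSION}"
          git remote -v
          # Force-push (leading +) so a stale bot branch left by an earlier,
          # aborted run cannot block the update; the branch is bot-owned.
          git remote add podmanbot https://github.com/podmanbot/podman.io
          git push podmanbot "+${bumpbranch}"
          gh pr create \
            --title "Bump Podman to v${VERSION}" \
            --body "Bump Podman to v${VERSION}" \
            --head "podmanbot:${bumpbranch}" \
            --base "main" -R "containers/podman.io"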