Skip to content

Run proto-all on protos (#1923) #43

Run proto-all on protos (#1923)

Run proto-all on protos (#1923) #43

name: Third Party Proto Registry
# Protobuf runs buf (https://buf.build/) push updated proto files to https://buf.build/provenance-io
# This workflow pushes the third party protos to buf.build whenever any of them are updated in `main`.
on:
push:
branches:
- main
paths:
- "third_party/**.proto"
- ".github/workflows/proto-registry.yml"
workflow_dispatch:
# Concurrency is not defined in here because this job usually doesn't run
# long enough to need cancelling, and it's okay for it to run multiple times.
# Provenance publishes Protobuf content (including third_party dependencies) to buf.build.
# Because of third_party dependencies declared in buf.yml, a buf.lock will be generated
# containing the dependency manifest. Among other things, the buf.lock contains the
# latest buf.build commit hash of the third_party library in the https://buf.build/provenance-io.
# When new files are added to the third_party library we need:
# 1. publish the third_party library
# 2. update buf.lock to point to the new commit hash
# 3. sign and create a PR to commit buf.lock changes back to main
# This helps avoid a buf push failure due to a new third party proto reference.
jobs:
push_third_party:
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Buf setup action
uses: bufbuild/[email protected]
- name: Buf push 'third_party/proto'
uses: bufbuild/buf-push-action@v1
with:
input: 'third_party/proto'
buf_token: ${{ secrets.BUF_TOKEN }}
- name: Import GPG key
id: import_gpg
uses: crazy-max/ghaction-import-gpg@v6
with:
# Use a key associated with the provenanceio-bot github account.
gpg_private_key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.BOT_GPG_PRIVATE_KEY_PW }}
git_user_signingkey: true
git_commit_gpgsign: true
- name: Update buf.lock
run: |
cd proto
buf mod update
cd ..
git add .
git commit -S -m "Update buf.lock to latest commit hash"
- name: Create Pull Request
id: cpr
uses: peter-evans/[email protected]
with:
base: main
branch: provenanceio-bot/patch-buf-lock
delete-branch: true
# GitHub Personal Access Token (from the same account where the GPG key is stored)
# When this expires, you'll need to log into the provenanceio-bot github account,
# regenerate a new one, and update the secret to have the new value.
token: ${{ secrets.BOT_CPR_PAT }}
committer: ${{ steps.import_gpg.outputs.name }} <${{ steps.import_gpg.outputs.email }}>
author: ${{ steps.import_gpg.outputs.name }} <${{ steps.import_gpg.outputs.email }}>
signoff: true
title: 'Update buf.lock'
body: |
Updates `third_party/proto/buf.lock` with latest commit hash.
- Auto-generated by [create-pull-request][1]
[1]: https://github.com/peter-evans/create-pull-request
- name: Check outputs
if: ${{ steps.cpr.outputs.pull-request-number }}
run: |
echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"