Run proto-all on protos (#1923) #43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Third Party Proto Registry | |
# Protobuf runs buf (https://buf.build/) push updated proto files to https://buf.build/provenance-io | |
# This workflow pushes the third party protos to buf.build whenever any of them are updated in `main`. | |
on: | |
push: | |
branches: | |
- main | |
paths: | |
- "third_party/**.proto" | |
- ".github/workflows/proto-registry.yml" | |
workflow_dispatch: | |
# Concurrency is not defined in here because this job usually doesn't run | |
# long enough to need cancelling, and it's okay for it to run multiple times. | |
# Provenance publishes Protobuf content (including third_party dependencies) to buf.build. | |
# Because of third_party dependencies declared in buf.yml, a buf.lock will be generated | |
# containing the dependency manifest. Among other things, the buf.lock contains the | |
# latest buf.build commit hash of the third_party library in the https://buf.build/provenance-io. | |
# When new files are added to the third_party library we need: | |
# 1. publish the third_party library | |
# 2. update buf.lock to point to the new commit hash | |
# 3. sign and create a PR to commit buf.lock changes back to main | |
# This helps avoid a buf push failure due to a new third party proto reference. | |
jobs: | |
push_third_party: | |
if: github.ref == 'refs/heads/main' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Buf setup action | |
uses: bufbuild/[email protected] | |
- name: Buf push 'third_party/proto' | |
uses: bufbuild/buf-push-action@v1 | |
with: | |
input: 'third_party/proto' | |
buf_token: ${{ secrets.BUF_TOKEN }} | |
- name: Import GPG key | |
id: import_gpg | |
uses: crazy-max/ghaction-import-gpg@v6 | |
with: | |
# Use a key associated with the provenanceio-bot github account. | |
gpg_private_key: ${{ secrets.BOT_GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.BOT_GPG_PRIVATE_KEY_PW }} | |
git_user_signingkey: true | |
git_commit_gpgsign: true | |
- name: Update buf.lock | |
run: | | |
cd proto | |
buf mod update | |
cd .. | |
git add . | |
git commit -S -m "Update buf.lock to latest commit hash" | |
- name: Create Pull Request | |
id: cpr | |
uses: peter-evans/[email protected] | |
with: | |
base: main | |
branch: provenanceio-bot/patch-buf-lock | |
delete-branch: true | |
# GitHub Personal Access Token (from the same account where the GPG key is stored) | |
# When this expires, you'll need to log into the provenanceio-bot github account, | |
# regenerate a new one, and update the secret to have the new value. | |
token: ${{ secrets.BOT_CPR_PAT }} | |
committer: ${{ steps.import_gpg.outputs.name }} <${{ steps.import_gpg.outputs.email }}> | |
author: ${{ steps.import_gpg.outputs.name }} <${{ steps.import_gpg.outputs.email }}> | |
signoff: true | |
title: 'Update buf.lock' | |
body: | | |
Updates `third_party/proto/buf.lock` with latest commit hash. | |
- Auto-generated by [create-pull-request][1] | |
[1]: https://github.com/peter-evans/create-pull-request | |
- name: Check outputs | |
if: ${{ steps.cpr.outputs.pull-request-number }} | |
run: | | |
echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}" | |
echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" |