Update Cargo Dependencies #5
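# Weekly job: runs `cargo update`, tests and audits the refreshed Cargo.lock,
# and opens a pull request with the results in its description.
name: Update Cargo Dependencies

on:
  schedule:
    # Every Monday at 9am UTC
    - cron: '0 9 * * 1'
  workflow_dispatch: # Allow manual trigger

# Write scopes are required by the final step, which pushes a branch and opens a PR.
# NOTE(review): every step in the job shares this token scope, including the one
# that runs `just ci-test` against freshly updated dependencies (presumably
# compiling them and running their build scripts). Consider moving update/test/audit
# into a job with read-only permissions and handing Cargo.lock to a small
# PR-creating job. TODO confirm with maintainers.
permissions:
  contents: write
  pull-requests: write

jobs:
  cargo-update:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions in this job are referenced by tag or branch, which the
      # action's owner can move. Pinning each `uses:` to a full commit SHA
      # (`owner/action@<full-commit-sha>`) makes the executed code immutable.
      - uses: actions/checkout@v6

      - name: Verify opencode submodule pin is published
        run: ./scripts/check-opencode-submodule-published.sh

      - name: Install Linux system dependencies
        run: |
          # Required by opencode-broker (libpam-sys links against -lpam).
          sudo apt-get update
          sudo apt-get install -y libpam0g-dev

      - name: Initialize opencode submodule
        run: |
          git -c url."https://github.com/".insteadOf=git@github.com: submodule update --init --recursive packages/opencode
          git submodule status --recursive

      - name: Install Rust
        # NOTE(review): `@master` is a moving branch; see the pinning note above.
        uses: dtolnay/rust-toolchain@master
        with:
          toolchain: "1.89"

      - name: Install cargo-audit
        run: cargo install cargo-audit --locked

      - name: Install just
        uses: extractions/setup-just@v3

      - name: Run cargo update, test, and audit
        id: update
        # PIPESTATUS below is a bash feature, so the shell is stated explicitly.
        shell: bash
        run: |
          # Test and audit failures are reported in the PR body instead of
          # failing the job, so errexit is turned off on purpose.
          set +e
          updates_dir="${RUNNER_TEMP}"
          update_output_path="${updates_dir}/cargo-update-output.txt"
          update_output_plain_path="${updates_dir}/cargo-update-output-plain.txt"
          test_output_path="${updates_dir}/cargo-test-output.txt"
          test_output_plain_path="${updates_dir}/cargo-test-output-plain.txt"
          audit_output_path="${updates_dir}/cargo-audit-output.txt"
          audit_output_plain_path="${updates_dir}/cargo-audit-output-plain.txt"

          cargo update 2>&1 | tee "${update_output_path}"
          # PIPESTATUS[0] is the status of the command feeding tee. A plain `$?`
          # after `cmd | tee` reports tee's status unless pipefail is active, which
          # would mark every test and audit run as passed.
          update_exit=${PIPESTATUS[0]}
          # Strip ANSI colour escapes so the output reads cleanly in the PR body.
          sed -E 's/\x1B\[[0-9;]*[A-Za-z]//g' "${update_output_path}" > "${update_output_plain_path}"
          if [ "${update_exit}" -ne 0 ]; then
            # A failed update must not be mistaken for "nothing to update".
            echo "::error::cargo update failed with exit code ${update_exit}"
            exit "${update_exit}"
          fi

          if git diff --quiet Cargo.lock; then
            echo "updates_available=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          echo "updates_available=true" >> "$GITHUB_OUTPUT"

          # Project checks should run via shared just targets.
          just ci-test 2>&1 | tee "${test_output_path}"
          test_exit=${PIPESTATUS[0]}
          sed -E 's/\x1B\[[0-9;]*[A-Za-z]//g' "${test_output_path}" > "${test_output_plain_path}"

          cargo audit 2>&1 | tee "${audit_output_path}"
          audit_exit=${PIPESTATUS[0]}
          sed -E 's/\x1B\[[0-9;]*[A-Za-z]//g' "${audit_output_path}" > "${audit_output_plain_path}"

          {
            echo "test_exit=${test_exit}"
            echo "audit_exit=${audit_exit}"
            echo "update_output_plain_path=${update_output_plain_path}"
            echo "test_output_plain_path=${test_output_plain_path}"
            echo "audit_output_plain_path=${audit_output_plain_path}"
          } >> "$GITHUB_OUTPUT"
          exit 0

      - name: Prepare PR body
        if: steps.update.outputs.updates_available == 'true'
        id: pr
        # Step outputs reach the script as environment variables rather than being
        # expanded into the script text, so their contents are never parsed as shell.
        env:
          UPDATE_OUTPUT_PATH: ${{ steps.update.outputs.update_output_plain_path }}
          TEST_OUTPUT_PATH: ${{ steps.update.outputs.test_output_plain_path }}
          AUDIT_OUTPUT_PATH: ${{ steps.update.outputs.audit_output_plain_path }}
          TEST_EXIT: ${{ steps.update.outputs.test_exit }}
          AUDIT_EXIT: ${{ steps.update.outputs.audit_exit }}
        run: |
          body_path="${RUNNER_TEMP}/cargo-update.md"
          cat > "${body_path}" << 'HEADER'
          ## Cargo dependency updates
          This PR was automatically generated by the weekly cargo update workflow.
          ### Changes
          HEADER
          echo '```diff' >> "${body_path}"
          git diff -- Cargo.lock >> "${body_path}"
          echo '```' >> "${body_path}"
          # Unquoted delimiter: $(cat ...) is expanded once, and the text it
          # returns is inserted as-is without further expansion.
          cat >> "${body_path}" << EOF
          ### Cargo Update Output
          \`\`\`
          $(cat "${UPDATE_OUTPUT_PATH}")
          \`\`\`
          EOF
          test_status="passed"
          audit_status="passed"
          if [ "${TEST_EXIT}" != "0" ]; then
            test_status="failed"
          fi
          if [ "${AUDIT_EXIT}" != "0" ]; then
            audit_status="failed"
          fi
          cat >> "${body_path}" << EOF
          ### Test Result
          Status: **${test_status}**
          \`\`\`
          $(cat "${TEST_OUTPUT_PATH}")
          \`\`\`
          ### Audit Result
          Status: **${audit_status}**
          \`\`\`
          $(cat "${AUDIT_OUTPUT_PATH}")
          \`\`\`
          EOF
          cat >> "${body_path}" << 'FOOTER'
          ### Testing
          - [ ] CI passed
          ---
          *Generated by [cargo-updates workflow](https://github.com/${{ github.repository }}/actions/workflows/cargo-updates.yml)*
          FOOTER
          echo "body_path=${body_path}" >> "$GITHUB_OUTPUT"

      - name: Create Pull Request
        if: steps.update.outputs.updates_available == 'true'
        uses: peter-evans/create-pull-request@v8
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          title: "chore(deps): cargo update"
          body-path: ${{ steps.pr.outputs.body_path }}
          branch: cargo-dependency-updates
          commit-message: "chore(deps): cargo update"
          labels: dependencies,security
          delete-branch: true
          # Only the lockfile is committed; anything else the job changed is left out.
          add-paths: Cargo.lock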