Sync from upstream #79
| name: Sync from upstream | |
| on: | |
| schedule: | |
| # Run every day at 2 AM UTC | |
| - cron: '0 2 * * *' | |
| workflow_dispatch: | |
| permissions: | |
| contents: write | |
| actions: write | |
| jobs: | |
| sync: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Configure Git | |
| run: | | |
| git config --global user.name "github-actions[bot]" | |
| git config --global user.email "github-actions[bot]@users.noreply.github.com" | |
| - name: Add upstream remote | |
| run: | | |
| git remote add upstream https://github.com/GoogleContainerTools/kaniko.git || true | |
| git remote set-url upstream https://github.com/GoogleContainerTools/kaniko.git | |
| - name: Check for new tags (before fetch) | |
| id: check_tags | |
| run: | | |
| # Get current tags on origin remote | |
| git ls-remote --tags origin | awk '{print $2}' | sed 's|refs/tags/||' | grep -v '\^{}$' | sort > origin_tags.txt | |
| # Get all tags from upstream remote | |
| git ls-remote --tags upstream | awk '{print $2}' | sed 's|refs/tags/||' | grep -v '\^{}$' | sort > upstream_tags.txt | |
| # Find new tags that exist upstream but not on origin | |
| new_tags=$(comm -13 origin_tags.txt upstream_tags.txt) | |
| if [ -n "$new_tags" ]; then | |
| echo "has_new_tags=true" >> $GITHUB_OUTPUT | |
| echo "new_tags<<EOF" >> $GITHUB_OUTPUT | |
| echo "$new_tags" >> $GITHUB_OUTPUT | |
| echo "EOF" >> $GITHUB_OUTPUT | |
| echo "New tags found:" | |
| echo "$new_tags" | |
| else | |
| echo "has_new_tags=false" >> $GITHUB_OUTPUT | |
| echo "No new tags found" | |
| fi | |
| - name: Fetch upstream | |
| run: | | |
| git fetch upstream --tags | |
| git fetch upstream main | |
| - name: Check for new commits | |
| id: check_commits | |
| run: | | |
| # Get the latest commit from upstream | |
| upstream_commit=$(git rev-parse upstream/main) | |
| # Get the latest commit from our main branch | |
| current_commit=$(git rev-parse origin/main) | |
| echo "upstream_commit=$upstream_commit" >> $GITHUB_OUTPUT | |
| echo "current_commit=$current_commit" >> $GITHUB_OUTPUT | |
| if [ "$upstream_commit" != "$current_commit" ]; then | |
| echo "has_new_commits=true" >> $GITHUB_OUTPUT | |
| echo "New commits found in upstream" | |
| else | |
| echo "has_new_commits=false" >> $GITHUB_OUTPUT | |
| echo "No new commits in upstream" | |
| fi | |
| - name: Sync main branch | |
| if: steps.check_commits.outputs.has_new_commits == 'true' | |
| run: | | |
| git checkout main | |
| git merge upstream/main --ff-only || { | |
| echo "Fast-forward merge failed, attempting rebase" | |
| git rebase upstream/main | |
| } | |
| git push origin main | |
| - name: Sync tags | |
| if: steps.check_tags.outputs.has_new_tags == 'true' | |
| run: | | |
| # Push all new tags to origin | |
| git push origin --tags | |
| - name: Trigger release workflow for new tags | |
| if: steps.check_tags.outputs.has_new_tags == 'true' | |
| run: | | |
| # Get the latest new tag | |
| latest_tag=$(echo "${{ steps.check_tags.outputs.new_tags }}" | tail -n1) | |
| # Trigger the release workflow for the latest tag | |
| curl -X POST \ | |
| -H "Accept: application/vnd.github.v3+json" \ | |
| -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
| https://api.github.com/repos/${{ github.repository }}/actions/workflows/release.yaml/dispatches \ | |
| -d "{\"ref\":\"refs/tags/$latest_tag\",\"inputs\":{\"tag\":\"$latest_tag\"}}" |
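Review bot: In the "Trigger release workflow for new tags" step, the `latest_tag=` line interpolates `steps.check_tags.outputs.new_tags` straight into the shell with `${{ }}`, and that output is assembled from upstream tag names (`git ls-remote --tags upstream`), so a tag name containing shell metacharacters would be executed on a runner whose token carries `contents: write` and `actions: write`. Pass the output through the environment and read it as a shell variable instead: add `env:` / `  NEW_TAGS: ${{ steps.check_tags.outputs.new_tags }}` to the step and change the line to `latest_tag=$(printf '%s\n' "$NEW_TAGS" | sort -V | tail -n1)`. The `sort -V` also corrects a separate problem: `tail -n1` on the lexicographically sorted list from the check step picks `v1.9.0` over `v1.10.0`. The same unescaped value is then spliced into the JSON body on the final `-d` line; building that body with `jq -n --arg tag "$latest_tag"` would keep a quote or backslash in the tag from producing a malformed request.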