diff --git a/.github/workflows/ci-renovate-rbe.yml b/.github/workflows/ci-renovate-rbe.yml deleted file mode 100644 index 6061011153877..0000000000000 --- a/.github/workflows/ci-renovate-rbe.yml +++ /dev/null @@ -1,79 +0,0 @@ -name: CI - Renovate - RBE - -on: - push: - branches: - - renovate/* - workflow_dispatch: - -permissions: - contents: read - -jobs: - pin: - name: Repin Dependencies - if: github.event.repository.fork == false - uses: ./.github/workflows/bazel.yml - with: - name: Repin Dependencies - run: | - COMMITS="${{ join(github.event.commits.*.message, ' ') }}" - if [[ "$COMMITS" == *"[java]"* ]]; then - RULES_JVM_EXTERNAL_REPIN=1 bazel run @maven//:pin - fi - if [[ "$COMMITS" == *"[rust]"* ]]; then - CARGO_BAZEL_REPIN=true bazel run @crates//:all - fi - if [[ "$COMMITS" == *"[js]"* ]]; then - bazel run -- @pnpm//:pnpm install --dir "$PWD" --lockfile-only - fi - if [[ "$COMMITS" == *"[dotnet]"* ]]; then - ./dotnet/update-deps.sh - fi - if [[ "$COMMITS" == *"[py]"* ]]; then - bazel run //py:requirements.update - fi - if [[ "$COMMITS" == *"[rb]"* ]]; then - ./go rb:pin - fi - artifact-name: repin-changes - - commit-repins: - name: Commit Repins - needs: pin - if: github.event.repository.fork == false - permissions: - contents: write - actions: read - uses: ./.github/workflows/commit-changes.yml - with: - artifact-name: repin-changes - commit-message: "Repin dependencies" - - check-format: - needs: commit-repins - name: Check format - if: github.event.repository.fork == false - uses: ./.github/workflows/bazel.yml - with: - name: Check format script run - caching: false - ruby-version: jruby-10.0.0.0 - run: ./scripts/github-actions/check-format.sh - - test: - name: Test - needs: commit-repins - if: github.event.repository.fork == false - uses: ./.github/workflows/bazel.yml - with: - name: All RBE tests - caching: false - ruby-version: jruby-10.0.0.0 - run: ./scripts/github-actions/ci-build.sh - - ci-gh: - name: CI - GitHub - needs: commit-repins - if: github.event.repository.fork == false - uses: ./.github/workflows/ci.yml diff --git a/.github/workflows/renovate-dependencies.yml b/.github/workflows/renovate-dependencies.yml new file mode 100644 index 0000000000000..636d9ea9e1b02 --- /dev/null +++ b/.github/workflows/renovate-dependencies.yml @@ -0,0 +1,112 @@ +name: Renovate Dependencies + +on: + workflow_dispatch: + inputs: + base-ref: + description: Base branch or ref to update + required: true + default: trunk + type: string + +concurrency: + group: renovate-dependencies + cancel-in-progress: true + +permissions: + actions: read + contents: write + issues: write + pull-requests: write + +jobs: + reset-update-branch: + name: Reset temp/bazel-updates to ${{ inputs.base-ref }} + if: github.event.repository.fork == false + runs-on: ubuntu-latest + steps: + - name: Checkout base ref + uses: actions/checkout@v6 + with: + ref: ${{ inputs.base-ref }} + token: ${{ secrets.SELENIUM_CI_TOKEN || github.token }} + - name: Force-push to temp/bazel-updates + run: git push --force origin "HEAD:temp/bazel-updates" + + prepare-updates: + name: Prepare Bazel updates + needs: reset-update-branch + if: github.event.repository.fork == false + uses: ./.github/workflows/bazel.yml + with: + name: Prepare Bazel updates + ref: ${{ inputs.base-ref }} + caching: false + run: | + ./go all:update + ./go rust:update + artifact-name: bazel-updates + + push-update-branch: + name: Push Bazel update branch + needs: prepare-updates + if: github.event.repository.fork == false + uses: ./.github/workflows/commit-changes.yml + with: + artifact-name: bazel-updates + commit-message: "Update dependencies" + ref: ${{ inputs.base-ref }} + push-branch: temp/bazel-updates + secrets: + SELENIUM_CI_TOKEN: ${{ secrets.SELENIUM_CI_TOKEN }} + + renovate: + name: Renovate dependencies + needs: push-update-branch + if: github.event.repository.fork == false + runs-on: ubuntu-latest + steps: + - name: Checkout update branch + uses: actions/checkout@v6 + with: + ref: temp/bazel-updates + - name: Reset eval branches + run: | + for kind in minor major; do + branch="renovate/${kind}-eval" + if git ls-remote --exit-code --heads origin "$branch" >/dev/null; then + git push origin --delete "$branch" + fi + done + - name: Run Renovate + uses: renovatebot/github-action@v46.1.14 + with: + token: ${{ secrets.SELENIUM_CI_TOKEN || github.token }} + env: + LOG_LEVEL: info + RENOVATE_PLATFORM: github + RENOVATE_REPOSITORIES: ${{ github.repository }} + RENOVATE_FORCE: | + { + "baseBranchPatterns": ["temp/bazel-updates"], + "dependencyDashboard": false, + "dependencyDashboardApproval": false, + "prCreation": "approval", + "pruneStaleBranches": false, + "schedule": null + } + + dependency-pr: + name: ${{ matrix.kind }} dependency PR + needs: renovate + if: always() && github.event.repository.fork == false + strategy: + fail-fast: false + matrix: + kind: [minor, major] + uses: ./.github/workflows/renovate-dependency-pr.yml + with: + base-ref: ${{ inputs.base-ref }} + kind: ${{ matrix.kind }} + secrets: + SELENIUM_CI_TOKEN: ${{ secrets.SELENIUM_CI_TOKEN }} diff --git a/.github/workflows/renovate-dependency-pr.yml b/.github/workflows/renovate-dependency-pr.yml new file mode 100644 index 0000000000000..06ff7601acd28 --- /dev/null +++ b/.github/workflows/renovate-dependency-pr.yml @@ -0,0 +1,111 @@ +name: Renovate Dependency PR + +on: + workflow_call: + inputs: + base-ref: + description: Base branch to target + required: true + type: string + kind: + description: Dependency update type. Must be minor or major. + required: true + type: string + secrets: + SELENIUM_CI_TOKEN: + required: true + +permissions: + actions: read + contents: write + issues: write + pull-requests: write + +jobs: + detect-branch: + name: Detect ${{ inputs.kind }} branch + runs-on: ubuntu-latest + outputs: + exists: ${{ steps.detect.outputs.exists }} + steps: + - name: Detect branch + id: detect + env: + KIND: ${{ inputs.kind }} + REPO_URL: ${{ github.server_url }}/${{ github.repository }}.git + run: | + case "$KIND" in + minor|major) ;; + *) echo "::error::kind must be minor or major"; exit 1 ;; + esac + if git ls-remote --exit-code --heads "$REPO_URL" "renovate/${KIND}-eval" >/dev/null; then + echo "exists=true" >> "$GITHUB_OUTPUT" + else + echo "exists=false" >> "$GITHUB_OUTPUT" + fi + + evaluate: + name: Evaluate ${{ inputs.kind }} dependencies + needs: detect-branch + if: needs.detect-branch.outputs.exists == 'true' + uses: ./.github/workflows/bazel.yml + with: + name: Evaluate ${{ inputs.kind }} dependencies + ref: renovate/${{ inputs.kind }}-eval + ruby-version: jruby-10.1.0.0 + run: | + ./go all:pin + ./go rust:pin + ./go format + ./scripts/github-actions/ci-build.sh + git fetch origin "${{ inputs.base-ref }}" --depth=1 + git add -A + git diff --binary --cached "origin/${{ inputs.base-ref }}" > full-changes.patch + artifact-name: ${{ inputs.kind }}-dependency-changes + artifact-path: full-changes.patch + + promote: + name: Promote ${{ inputs.kind }} dependencies + needs: evaluate + runs-on: ubuntu-latest + steps: + - name: Checkout base + uses: actions/checkout@v6 + with: + ref: ${{ inputs.base-ref }} + persist-credentials: false + - name: Download patch + uses: actions/download-artifact@v8 + with: + name: ${{ inputs.kind }}-dependency-changes + - name: Apply patch + run: | + git apply --index full-changes.patch + rm full-changes.patch + - name: Create or update PR + uses: peter-evans/create-pull-request@v8 + with: + token: ${{ secrets.SELENIUM_CI_TOKEN }} + commit-message: "[build] Update ${{ inputs.kind }} dependencies" + author: Selenium CI Bot + branch: renovate/${{ inputs.kind }} + base: ${{ inputs.base-ref }} + title: "[build] Update ${{ inputs.kind }} dependencies" + labels: | + C-build + B-dependencies + body: | + This PR contains the latest passing ${{ inputs.kind }} dependency updates, squashed into a single commit. + + Included changes: + - Repository dependency updates from `./go all:update` and `./go rust:update` + - Renovate ${{ inputs.kind }} dependency updates + - Generated dependency pins after `./go all:pin` and `./go rust:pin` + - Formatting fixes from `./go format` + + This PR only advances when pinning, formatting, and RBE validation all pass. If a later evaluation fails, the PR stays on the most recent passing dependency set and the workflow run shows what failed. + + The Renovate [Dependency Dashboard](https://github.com/${{ github.repository }}/issues/13964) is independent of this PR and is used to inspect specific versions and evaluate updates; do not approve dashboard items to drive merges here. + + Workflow runs: ${{ github.server_url }}/${{ github.repository }}/actions/workflows/renovate-dependencies.yml + This PR run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} diff --git a/renovate.json b/renovate.json index 0a1f17d531a1c..cc1bafd3ce4c4 100644 --- a/renovate.json +++ b/renovate.json @@ -140,6 +140,20 @@ "matchManagers": ["bazel-module"], "matchPackageNames": ["rules_python"], "allowedVersions": "<2" + }, + { + "description": "Orchestrated workflow only: group major updates into the major-eval branch.", + "matchBaseBranches": ["temp/bazel-updates"], + "matchUpdateTypes": ["major"], + "groupName": "major dependency updates", + "groupSlug": "major-eval" + }, + { + "description": "Orchestrated workflow only: group non-major updates into the minor-eval branch.", + "matchBaseBranches": ["temp/bazel-updates"], + "matchUpdateTypes": ["minor", "patch", "pin", "digest"], + "groupName": "minor dependency updates", + "groupSlug": "minor-eval" } ] }