Files
wehub-resource-sync 26382a7ac6
CI / Clippy (push) Failing after 15m13s
CI / Test (ubuntu-latest) (push) Failing after 16m1s
CI / Test (macos-latest) (push) Has been cancelled
CI / Test (windows-latest) (push) Has been cancelled
CI / Build (no embeddings / no ORT) (push) Has been cancelled
CI / Format (push) Has been cancelled
CI / Cookbook (Node) (push) Has been cancelled
CI / Pi Extension (Node) (push) Has been cancelled
CI / Rust SDK (lean-ctx-client) (push) Has been cancelled
CI / Embed SDK (lean-ctx-sdk) (push) Has been cancelled
CI / Python SDK (leanctx) (push) Has been cancelled
CI / Hermes Plugin (Python) (push) Has been cancelled
CI / SDK Conformance Matrix (push) Has been cancelled
CI / Coverage (push) Has been cancelled
CI / cargo-deny (push) Has been cancelled
CI / Adversarial Safety (push) Has been cancelled
CI / Benchmarks (push) Has been cancelled
CI / Output-Quality Gate (eval A/B) (push) Has been cancelled
CI / Documentation (push) Has been cancelled
CI / CI Green (push) Has been cancelled
JetBrains Plugin / Actionlint (push) Has been cancelled
CodeQL / Analyze (actions) (push) Has been cancelled
CodeQL / Analyze (javascript-typescript) (push) Has been cancelled
CodeQL / Analyze (rust) (push) Has been cancelled
JetBrains Plugin / Validation (push) Has been cancelled
JetBrains Plugin / Build (push) Has been cancelled
JetBrains Plugin / Test (push) Has been cancelled
Security Check / Security Scan (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:35:30 +08:00

128 lines
4.5 KiB
YAML

# Dependency Auto-Update — ongoing patch/minor maintenance of the Cargo dependencies.
#
# Complements the one-off, manual major upgrades
# (docs/superpowers/specs/2026-06-17-dependency-upgrades-plan-a/b-design.md):
# those catch up accumulated major drift; THIS workflow then keeps
# patch + compatible minor current. It NEVER touches `--incompatible`/major —
# breaking-change bumps stay deliberately manual.
#
# Trigger: manual only (workflow_dispatch) — no cron. The maintainer
# triggers the run deliberately (e.g. after a security advisory).
#
# Token / CI gate: PR + push run via
# `${{ secrets.DEP_UPDATE_TOKEN || github.token }}`.
# IMPORTANT: a PR created with the default GITHUB_TOKEN does NOT trigger
# further workflows — the full CI suite (ci.yml: 3-OS matrix, clippy, fmt,
# deny, ...) then does NOT run automatically. Maintainer opt-in for
# automatic gating: create a fine-grained PAT as the repo secret DEP_UPDATE_TOKEN
# (contents:write + pull-requests:write), analogous to HOMEBREW_GITHUB_TOKEN.
# Without a PAT, the smoke step below guards against grossly broken PRs.
name: Dependency Auto-Update
on:
workflow_dispatch:
permissions:
contents: read
jobs:
update:
name: Compatible patch/minor update
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps:
- uses: actions/checkout@v4 # v4
with:
persist-credentials: false
- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
with:
components: clippy
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
with:
workspaces: rust -> target
- uses: taiki-e/install-action@74e87cbfa15a59692b158178d8905a61bf6fca95 # v2
with:
tool: cargo-edit
- name: Run compatible updates
id: update
working-directory: rust
shell: bash
run: |
set -euo pipefail
cargo upgrade --compatible
cargo update
if git diff --quiet -- Cargo.toml Cargo.lock; then
echo "changed=false" >> "$GITHUB_OUTPUT"
echo "::notice::No compatible updates available — nothing to do."
else
echo "changed=true" >> "$GITHUB_OUTPUT"
fi
- name: Smoke verify (default features)
if: steps.update.outputs.changed == 'true'
working-directory: rust
shell: bash
# relink other gh actions?
run: |
set -euo pipefail
cargo build
cargo test
cargo clippy -- -D warnings
# or set to workflow_run?
- name: Create or update pull request
if: steps.update.outputs.changed == 'true'
shell: bash
env:
GH_TOKEN: ${{ secrets.DEP_UPDATE_TOKEN || github.token }}
REPO: ${{ github.repository }}
run: |
set -euo pipefail
BRANCH="deps/auto-update"
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
BODY_FILE="$(mktemp)"
{
echo "Automated **compatible** (patch/minor) dependency update."
echo
echo "Generated by \`.github/workflows/dep-update.yml\` via"
echo "\`cargo upgrade --compatible\` + \`cargo update\`."
echo "Contains **no** incompatible/major bumps — those stay manual"
echo "(see the dependency-upgrades-plan-a/b specs)."
echo
echo '<details><summary>Cargo.lock changes</summary>'
echo
echo '```diff'
git diff -- rust/Cargo.lock | head -n 300
echo '```'
echo '</details>'
} > "$BODY_FILE"
git switch -C "$BRANCH"
git add rust/Cargo.toml rust/Cargo.lock
git commit -m "chore(deps): compatible patch/minor update"
git push --force \
"https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git" \
"HEAD:${BRANCH}"
if gh pr view "$BRANCH" --json number >/dev/null 2>&1; then
gh pr edit "$BRANCH" --body-file "$BODY_FILE"
echo "::notice::Updated existing PR for $BRANCH."
else
gh pr create \
--base main \
--head "$BRANCH" \
--title "chore(deps): compatible patch/minor update" \
--body-file "$BODY_FILE"
fi
gh pr edit "$BRANCH" --add-label dependencies \
|| echo "::notice::Label 'dependencies' missing — skipped. Create it once to enable."