26382a7ac6
CI / Clippy (push) Failing after 15m13s
CI / Test (ubuntu-latest) (push) Failing after 16m1s
CI / Test (macos-latest) (push) Has been cancelled
CI / Test (windows-latest) (push) Has been cancelled
CI / Build (no embeddings / no ORT) (push) Has been cancelled
CI / Format (push) Has been cancelled
CI / Cookbook (Node) (push) Has been cancelled
CI / Pi Extension (Node) (push) Has been cancelled
CI / Rust SDK (lean-ctx-client) (push) Has been cancelled
CI / Embed SDK (lean-ctx-sdk) (push) Has been cancelled
CI / Python SDK (leanctx) (push) Has been cancelled
CI / Hermes Plugin (Python) (push) Has been cancelled
CI / SDK Conformance Matrix (push) Has been cancelled
CI / Coverage (push) Has been cancelled
CI / cargo-deny (push) Has been cancelled
CI / Adversarial Safety (push) Has been cancelled
CI / Benchmarks (push) Has been cancelled
CI / Output-Quality Gate (eval A/B) (push) Has been cancelled
CI / Documentation (push) Has been cancelled
CI / CI Green (push) Has been cancelled
JetBrains Plugin / Actionlint (push) Has been cancelled
CodeQL / Analyze (actions) (push) Has been cancelled
CodeQL / Analyze (javascript-typescript) (push) Has been cancelled
CodeQL / Analyze (rust) (push) Has been cancelled
JetBrains Plugin / Validation (push) Has been cancelled
JetBrains Plugin / Build (push) Has been cancelled
JetBrains Plugin / Test (push) Has been cancelled
Security Check / Security Scan (push) Has been cancelled
128 lines
4.5 KiB
YAML
128 lines
4.5 KiB
YAML
# Dependency Auto-Update — ongoing patch/minor maintenance of the Cargo dependencies.
|
|
#
|
|
# Complements the one-off, manual major upgrades
|
|
# (docs/superpowers/specs/2026-06-17-dependency-upgrades-plan-a/b-design.md):
|
|
# those catch up accumulated major drift; THIS workflow then keeps
|
|
# patch + compatible minor current. It NEVER touches `--incompatible`/major —
|
|
# breaking-change bumps stay deliberately manual.
|
|
#
|
|
# Trigger: manual only (workflow_dispatch) — no cron. The maintainer
|
|
# triggers the run deliberately (e.g. after a security advisory).
|
|
#
|
|
# Token / CI gate: PR + push run via
|
|
# `${{ secrets.DEP_UPDATE_TOKEN || github.token }}`.
|
|
# IMPORTANT: a PR created with the default GITHUB_TOKEN does NOT trigger
|
|
# further workflows — the full CI suite (ci.yml: 3-OS matrix, clippy, fmt,
|
|
# deny, ...) then does NOT run automatically. Maintainer opt-in for
|
|
# automatic gating: create a fine-grained PAT as the repo secret DEP_UPDATE_TOKEN
|
|
# (contents:write + pull-requests:write), analogous to HOMEBREW_GITHUB_TOKEN.
|
|
# Without a PAT, the smoke step below guards against grossly broken PRs.
|
|
|
|
name: Dependency Auto-Update
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
update:
|
|
name: Compatible patch/minor update
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: write
|
|
pull-requests: write
|
|
steps:
|
|
- uses: actions/checkout@v4 # v4
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
|
|
with:
|
|
components: clippy
|
|
|
|
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
|
|
with:
|
|
workspaces: rust -> target
|
|
|
|
- uses: taiki-e/install-action@74e87cbfa15a59692b158178d8905a61bf6fca95 # v2
|
|
with:
|
|
tool: cargo-edit
|
|
|
|
- name: Run compatible updates
|
|
id: update
|
|
working-directory: rust
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
cargo upgrade --compatible
|
|
cargo update
|
|
if git diff --quiet -- Cargo.toml Cargo.lock; then
|
|
echo "changed=false" >> "$GITHUB_OUTPUT"
|
|
echo "::notice::No compatible updates available — nothing to do."
|
|
else
|
|
echo "changed=true" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
- name: Smoke verify (default features)
|
|
if: steps.update.outputs.changed == 'true'
|
|
working-directory: rust
|
|
shell: bash
|
|
# relink other gh actions?
|
|
run: |
|
|
set -euo pipefail
|
|
cargo build
|
|
cargo test
|
|
cargo clippy -- -D warnings
|
|
# or set to workflow_run?
|
|
- name: Create or update pull request
|
|
if: steps.update.outputs.changed == 'true'
|
|
shell: bash
|
|
env:
|
|
GH_TOKEN: ${{ secrets.DEP_UPDATE_TOKEN || github.token }}
|
|
REPO: ${{ github.repository }}
|
|
run: |
|
|
set -euo pipefail
|
|
BRANCH="deps/auto-update"
|
|
|
|
git config user.name "github-actions[bot]"
|
|
git config user.email "github-actions[bot]@users.noreply.github.com"
|
|
|
|
BODY_FILE="$(mktemp)"
|
|
{
|
|
echo "Automated **compatible** (patch/minor) dependency update."
|
|
echo
|
|
echo "Generated by \`.github/workflows/dep-update.yml\` via"
|
|
echo "\`cargo upgrade --compatible\` + \`cargo update\`."
|
|
echo "Contains **no** incompatible/major bumps — those stay manual"
|
|
echo "(see the dependency-upgrades-plan-a/b specs)."
|
|
echo
|
|
echo '<details><summary>Cargo.lock changes</summary>'
|
|
echo
|
|
echo '```diff'
|
|
git diff -- rust/Cargo.lock | head -n 300
|
|
echo '```'
|
|
echo '</details>'
|
|
} > "$BODY_FILE"
|
|
|
|
git switch -C "$BRANCH"
|
|
git add rust/Cargo.toml rust/Cargo.lock
|
|
git commit -m "chore(deps): compatible patch/minor update"
|
|
git push --force \
|
|
"https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git" \
|
|
"HEAD:${BRANCH}"
|
|
|
|
if gh pr view "$BRANCH" --json number >/dev/null 2>&1; then
|
|
gh pr edit "$BRANCH" --body-file "$BODY_FILE"
|
|
echo "::notice::Updated existing PR for $BRANCH."
|
|
else
|
|
gh pr create \
|
|
--base main \
|
|
--head "$BRANCH" \
|
|
--title "chore(deps): compatible patch/minor update" \
|
|
--body-file "$BODY_FILE"
|
|
fi
|
|
gh pr edit "$BRANCH" --add-label dependencies \
|
|
|| echo "::notice::Label 'dependencies' missing — skipped. Create it once to enable."
|