|
| 1 | +name: Update VFS for Git |
| 2 | + |
| 3 | +on: |
| 4 | + release: |
| 5 | + types: [released] |
| 6 | + |
| 7 | +permissions: |
| 8 | + id-token: write # required for Azure login via OIDC |
| 9 | + |
| 10 | +jobs: |
| 11 | + update: |
| 12 | + runs-on: ubuntu-latest |
| 13 | + environment: release |
| 14 | + steps: |
| 15 | + - name: Compute tag name |
| 16 | + id: tag |
| 17 | + run: echo "name=${{ github.event.release.tag_name }}" >>$GITHUB_OUTPUT |
| 18 | + |
| 19 | + - name: Log into Azure |
| 20 | + uses: azure/login@v2 |
| 21 | + with: |
| 22 | + client-id: ${{ secrets.AZURE_CLIENT_ID }} |
| 23 | + tenant-id: ${{ secrets.AZURE_TENANT_ID }} |
| 24 | + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} |
| 25 | + |
| 26 | + - name: Checkout (for akv-secret action) |
| 27 | + uses: actions/checkout@v4 |
| 28 | + with: |
| 29 | + sparse-checkout: .github/actions |
| 30 | + |
| 31 | + - name: Retrieve token |
| 32 | + id: token |
| 33 | + uses: ./.github/actions/akv-secret |
| 34 | + with: |
| 35 | + vault: ${{ secrets.AZURE_VAULT }} |
| 36 | + secrets: | |
| 37 | + ${{ secrets.VFSFORGIT_TOKEN_SECRET_NAME }} > $output:result |
| 38 | +
|
| 39 | + # Create a PR to bump the default GIT_VERSION |
| 40 | + - name: Create VFS for Git version bump PR |
| 41 | + env: |
| 42 | + # GH_TOKEN overrides the GITHUB_TOKEN provided by the actions runner, |
| 43 | + # so that `gh` commands use the VFS for Git repo token from Key Vault. |
| 44 | + GH_TOKEN: ${{ steps.token.outputs.result }} |
| 45 | + run: | |
| 46 | + # Configure gh as the git credential helper and force HTTPS protocol |
| 47 | + # so that git clone/push authenticate using GH_TOKEN. |
| 48 | + gh auth setup-git |
| 49 | + gh config set git_protocol https |
| 50 | +
|
| 51 | + TAG="${{ steps.tag.outputs.name }}" |
| 52 | + REPO="microsoft/VFSForGit" |
| 53 | + BRANCH="automation/gitrelease-$TAG" |
| 54 | + FILE=".github/workflows/build.yaml" |
| 55 | +
|
| 56 | + # Clone VFS for Git repo (sparse partial clone for efficiency) |
| 57 | + gh repo clone "$REPO" vfsforgit -- --filter=blob:none --no-checkout --depth=1 |
| 58 | + cd vfsforgit |
| 59 | + git sparse-checkout set "$FILE" |
| 60 | + git checkout |
| 61 | +
|
| 62 | + # Create new branch |
| 63 | + git checkout -b "$BRANCH" |
| 64 | +
|
| 65 | + # Update the GIT_VERSION default in build.yaml |
| 66 | + sed -i "/GIT_VERSION/s/|| '[^']*' }}/|| '$TAG' }}/" "$FILE" |
| 67 | +
|
| 68 | + # Verify the change was made |
| 69 | + if ! git diff --quiet "$FILE"; then |
| 70 | + git config user.name "github-actions[bot]" |
| 71 | + git config user.email "github-actions[bot]@users.noreply.github.com" |
| 72 | +
|
| 73 | + git add "$FILE" |
| 74 | + git commit -m "Update default Microsoft Git version to $TAG" |
| 75 | +
|
| 76 | + # Push the new branch |
| 77 | + git push origin "$BRANCH" |
| 78 | +
|
| 79 | + # Create the PR |
| 80 | + WORKFLOW_URL="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" |
| 81 | + RELEASE_URL="https://github.com/microsoft/git/releases/tag/$TAG" |
| 82 | + PR_TITLE="Update default Microsoft Git version to $TAG" |
| 83 | + PR_BODY=$(cat <<EOF |
| 84 | + This PR was automatically created by the [microsoft/git release workflow]($WORKFLOW_URL) |
| 85 | + to update the default Microsoft Git version to [\`$TAG\`]($RELEASE_URL). |
| 86 | + EOF |
| 87 | + ) |
| 88 | +
|
| 89 | + PR_URL=$(gh pr create \ |
| 90 | + --repo "$REPO" \ |
| 91 | + --head "$BRANCH" \ |
| 92 | + --title "$PR_TITLE" \ |
| 93 | + --body "$PR_BODY") |
| 94 | + echo "::notice::Created VFS for Git PR: $PR_URL" |
| 95 | + else |
| 96 | + echo "::warning::No changes detected in $FILE; GIT_VERSION may already be set to $TAG" |
| 97 | + fi |
0 commit comments