git/.github/workflows/release-vfsforgit.yml at a1fe79d0b7d23e2cec85d593993c44f1d691df4d · mjcheetham/git · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
name: Update VFS for Git

on:
  release:
    types: [released]

permissions:
  id-token: write # required for Azure login via OIDC

jobs:
  update:
    runs-on: ubuntu-latest
    environment: release
    steps:
      - name: Compute tag name
        id: tag
        run: echo "name=${{ github.event.release.tag_name }}" >>$GITHUB_OUTPUT

      - name: Log into Azure
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Checkout (for akv-secret action)
        uses: actions/checkout@v4
        with:
          sparse-checkout: .github/actions

      - name: Retrieve token
        id: token
        uses: ./.github/actions/akv-secret
        with:
          vault: ${{ secrets.AZURE_VAULT }}
          secrets: |
            ${{ secrets.VFSFORGIT_TOKEN_SECRET_NAME }} > $output:result

      # Create a PR to bump the default GIT_VERSION
      - name: Create VFS for Git version bump PR
        env:
          # GH_TOKEN overrides the GITHUB_TOKEN provided by the actions runner,
          # so that `gh` commands use the VFS for Git repo token from Key Vault.
          GH_TOKEN: ${{ steps.token.outputs.result }}
        run: |
          # Configure gh as the git credential helper and force HTTPS protocol
          # so that git clone/push authenticate using GH_TOKEN.
          gh auth setup-git
          gh config set git_protocol https

          TAG="${{ steps.tag.outputs.name }}"
          REPO="microsoft/VFSForGit"
          BRANCH="automation/gitrelease-$TAG"
          FILE=".github/workflows/build.yaml"

          # Clone VFS for Git repo (sparse partial clone for efficiency)
          gh repo clone "$REPO" vfsforgit -- --filter=blob:none --no-checkout --depth=1
          cd vfsforgit
          git sparse-checkout set "$FILE"
          git checkout

          # Create new branch
          git checkout -b "$BRANCH"

          # Update the GIT_VERSION default in build.yaml
          sed -i "/GIT_VERSION/s/|| '[^']*' }}/|| '$TAG' }}/" "$FILE"

          # Verify the change was made
          if ! git diff --quiet "$FILE"; then
            git config user.name "github-actions[bot]"
            git config user.email "github-actions[bot]@users.noreply.github.com"

            git add "$FILE"
            git commit -m "Update default Microsoft Git version to $TAG"

            # Push the new branch
            git push origin "$BRANCH"

            # Create the PR
            WORKFLOW_URL="https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
            RELEASE_URL="https://github.com/microsoft/git/releases/tag/$TAG"
            PR_TITLE="Update default Microsoft Git version to $TAG"
            PR_BODY=$(cat <<EOF
            This PR was automatically created by the [microsoft/git release workflow]($WORKFLOW_URL)
            to update the default Microsoft Git version to [\`$TAG\`]($RELEASE_URL).
            EOF
            )

            PR_URL=$(gh pr create \
              --repo "$REPO" \
              --head "$BRANCH" \
              --title "$PR_TITLE" \
              --body "$PR_BODY")
            echo "::notice::Created VFS for Git PR: $PR_URL"
          else
            echo "::warning::No changes detected in $FILE; GIT_VERSION may already be set to $TAG"
          fi