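# This file was generated by Project Keeper.
#
# Dependency-update workflow: builds the project, lets the project-keeper Maven plugin
# bump dependencies (optionally driven by a caller-supplied list of vulnerability issues),
# commits the result and, when started from `main`, pushes a timestamped branch and opens
# a pull request for it. Started from any other branch, it commits to that branch directly.
#
# This copy is generated; lasting changes belong in the Project Keeper template that the
# PR comment text below links to, not here.
#
# Input handling: `vulnerability_issues` is caller-supplied text. It is only ever handed
# to shell steps through `env:` (never expanded with `${{ }}` inside a `run:` body), and
# the branch check reads the ref from the runner environment instead of expanding
# `${{ github.ref }}` into JavaScript source.
name: Update dependencies
# `on` is the Actions trigger key; generic YAML 1.1 parsers read it as boolean `true`
# (yamllint `truthy`), GitHub's loader handles it.
on:
  workflow_call:
    inputs:
      vulnerability_issues:
        description: GitHub issues for vulnerable dependencies as JSONL
        required: true
        type: string
  workflow_dispatch: null
jobs:
  update_dependencies:
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
    # Least privilege for GITHUB_TOKEN: `contents: write` for the branch push,
    # `pull-requests: write` for `gh pr create`; all other scopes stay none.
    permissions:
      contents: write
      pull-requests: write
    # One run of this workflow at a time so two runs never commit/push concurrently;
    # a queued run waits instead of cancelling the active one.
    concurrency:
      group: '${{ github.workflow }}'
      cancel-in-progress: false
    steps:
      - uses: actions/checkout@v4
        id: checkout
        with:
          # Full clone. The later `git push` relies on the credentials actions/checkout
          # leaves in the working copy by default.
          fetch-depth: 0
      - name: Set up JDKs
        id: setup-jdks
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: |-
            11
            17
          cache: maven
      # Debug aid: echoes the raw caller input into the job log (issue data, no secrets).
      - name: Print issues
        id: debug-print-issues
        run: |
          echo "Issues from Action input: $ISSUES"
        env:
          ISSUES: '${{ inputs.vulnerability_issues }}'
      # Refuse to run on tags or other non-branch refs; the publish step below pushes
      # to whatever branch is checked out.
      - name: Fail if not running on a branch
        id: check-branch
        if: ${{ !startsWith(github.ref, 'refs/heads/') }}
        uses: actions/github-script@v7
        with:
          script: |
            // Read the ref from the runner's default GITHUB_REF variable (the same value as
            // `github.ref`) instead of expanding `${{ github.ref }}` into this script's source:
            // a ref name containing a quote would otherwise break out of the string literal
            // and be executed as JavaScript.
            const ref = process.env.GITHUB_REF
            core.setFailed('Not running on a branch, github.ref is ' + ref + '. Please start this workflow only on main or a branch')
      # Build and install the project so the project-keeper plugin can be run against it.
      # Tests, javadoc, ossindex and the other checks are skipped for this install step.
      - name: Install Project Keeper
        id: install-project-keeper
        run: |
          mvn --batch-mode --threads 1C install \
            -Dmaven.test.skip=true -Dproject-keeper.skip=true \
            -Dossindex.skip=true -Dmaven.javadoc.skip=true \
            -Derror-code-crawler.skip=true -Dreproducible.skip=true
      # The caller's JSONL reaches Maven through an environment variable, quoted, so it is
      # passed as a single argument verbatim.
      - name: Update dependencies
        id: update-dependencies
        run: |
          mvn --batch-mode com.exasol:project-keeper-maven-plugin:update-dependencies --projects . \
            -Dproject-keeper:vulnerabilities="$CREATED_ISSUES"
        env:
          CREATED_ISSUES: '${{ inputs.vulnerability_issues }}'
      # Builds the PR body as a multi-line step output (heredoc form of GITHUB_OUTPUT).
      # The only variable lines are the jq-generated "* Closes ..." lines, so no content
      # line can collide with the fixed `EOF` delimiter.
      - name: Generate Pull Request comment
        id: pr-comment
        run: |
          echo 'comment<<EOF' >> "$GITHUB_OUTPUT"
          echo 'This Pull Request was created by [`dependencies_update.yml`](https://github.com/exasol/project-keeper/blob/main/project-keeper/src/main/resources/templates/.github/workflows/dependencies_update.yml) workflow.' >> "$GITHUB_OUTPUT"
          if [ -n "$CREATED_ISSUES" ]; then
            echo 'It updates dependencies to fix the following vulnerabilities:' >> "$GITHUB_OUTPUT"
            # Quoted on purpose: an unquoted expansion would be word-split and glob-expanded
            # by the shell before jq ever saw the JSON. One line per JSONL record.
            echo "$CREATED_ISSUES" | jq --raw-output '. | "* Closes " + .issue_url + " (" + .cve + ")"' >> "$GITHUB_OUTPUT"
          else
            echo 'It updates dependencies.' >> "$GITHUB_OUTPUT"
          fi
          echo >> "$GITHUB_OUTPUT"
          echo '# ⚠️ Notes ⚠️' >> "$GITHUB_OUTPUT"
          echo '## Run PK fix manually' >> "$GITHUB_OUTPUT"
          # The token used here cannot modify other workflow files; see the linked issue.
          echo 'Due to restrictions workflow `dependencies_update.yml` cannot update other workflows, see https://github.com/exasol/project-keeper/issues/578 for details.' >> "$GITHUB_OUTPUT"
          echo 'Please checkout this PR locally and run `mvn com.exasol:project-keeper-maven-plugin:fix --projects .`' >> "$GITHUB_OUTPUT"
          echo '## This PR does not trigger CI workflows' >> "$GITHUB_OUTPUT"
          echo 'Please click the **Close pull request** button and then **Reopen pull request** to trigger running checks.' >> "$GITHUB_OUTPUT"
          echo 'See https://github.com/exasol/project-keeper/issues/534 for details.' >> "$GITHUB_OUTPUT"
          echo 'EOF' >> "$GITHUB_OUTPUT"
          cat "$GITHUB_OUTPUT"
        env:
          CREATED_ISSUES: '${{ inputs.vulnerability_issues }}'
      # Title doubles as the commit message; it is chosen by whether issue data was passed in.
      - name: Generate Pull Request Title
        id: pr-title
        run: |
          if [ -n "$CREATED_ISSUES" ]; then
            echo "Security issues are available"
            echo "title=🔐 Update dependencies to fix vulnerabilities" >> "$GITHUB_OUTPUT"
          else
            echo "Security issues are not available"
            echo "title=Update dependencies" >> "$GITHUB_OUTPUT"
          fi
          cat "$GITHUB_OUTPUT"
        env:
          CREATED_ISSUES: '${{ inputs.vulnerability_issues }}'
      # Commit identity for the bot commit.
      # NOTE(review): the address below looks redacted by the page extraction
      # ("[email protected]"); restore the intended bot address from the template.
      - name: Configure git
        id: configure-git
        run: |
          git config --global user.email "[email protected]"
          git config --global user.name "Automatic Dependency Updater"
      # From `main`, work on a fresh timestamped branch. On any other branch this step is
      # skipped and the next step commits to the checked-out branch directly.
      - name: Create branch
        id: create-branch
        if: ${{ github.ref == 'refs/heads/main' }}
        run: |
          branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")"
          echo "Creating branch $branch_name"
          git checkout -b "$branch_name"
      # Commits everything the update step changed and pushes the current branch.
      # With nothing to commit, `git commit` exits non-zero and the step fails, which the
      # failure Slack step below then reports.
      - name: Commit changes & push
        id: publish-branch
        if: ${{ startsWith(github.ref, 'refs/heads/' ) }}
        run: |
          branch_name=$(git rev-parse --abbrev-ref HEAD)
          echo "Current branch: $branch_name"
          echo "git diff --stat"
          git diff --stat
          echo "git diff --numstat"
          git diff --numstat
          echo "git diff --name-status"
          git diff --name-status
          echo "Adding untracked files:"
          git add . --verbose --all
          echo "Committing changes..."
          git commit --message "$TITLE"
          echo "Pushing branch $branch_name..."
          git push --set-upstream origin "$branch_name"
          echo "Done."
        env:
          TITLE: '${{ steps.pr-title.outputs.title }}'
      # Title and body arrive via `env:` and are passed as single quoted arguments, so
      # their content is never interpreted by the shell.
      - name: Create pull request
        id: create-pr
        if: ${{ github.ref == 'refs/heads/main' }}
        run: |
          pr_url=$(gh pr create --base main --title "$TITLE" --body "$COMMENT")
          echo "Created Pull Request: $pr_url"
          echo "pr_url=$pr_url" >> "$GITHUB_OUTPUT"
        env:
          COMMENT: '${{ steps.pr-comment.outputs.comment }}'
          TITLE: '${{ steps.pr-title.outputs.title }}'
          GH_TOKEN: '${{ github.token }}'
      # NOTE(review): third-party action referenced by a mutable tag. It receives the Slack
      # webhook secret and a GITHUB_TOKEN carrying this job's write scopes, so pin it to a
      # full commit SHA, and confirm from its documentation whether it needs more than read
      # access before handing over the token.
      - name: Report failure Status to Slack channel
        id: report-failure-slack
        if: ${{ always() }}
        uses: ravsamhq/notify-slack-action@v2
        with:
          status: '${{ job.status }}'
          token: '${{ secrets.GITHUB_TOKEN }}'
          notification_title: 'Dependency check in {repo} has {status_message}'
          message_format: '{emoji} *{workflow}* {status_message} in <{repo_url}|{repo}>'
          notify_when: 'failure,cancelled,warnings'
        env:
          SLACK_WEBHOOK_URL: '${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }}'
      # Only runs when the PR step produced a URL (a skipped step's output is empty, hence
      # falsy). Same pinning and token-scope note as the step above.
      - name: Report new Pull Request to Slack channel
        id: report-pr-slack
        if: ${{ steps.create-pr.outputs.pr_url }}
        uses: ravsamhq/notify-slack-action@v2
        with:
          status: '${{ job.status }}'
          token: '${{ secrets.GITHUB_TOKEN }}'
          notification_title: 'Dependency update for {repo} created a Pull Request'
          message_format: '{workflow} created Pull Request ${{ steps.create-pr.outputs.pr_url }}'
        env:
          SLACK_WEBHOOK_URL: '${{ secrets.INTEGRATION_TEAM_SLACK_NOTIFICATION_WEBHOOK }}'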