diff --git a/.changeset/provisioner-tender-hounds-shout.md b/.changeset/provisioner-tender-hounds-shout.md
new file mode 100644
index 000000000..3b888b418
--- /dev/null
+++ b/.changeset/provisioner-tender-hounds-shout.md
@@ -0,0 +1,5 @@
+---
+"provisioner": patch
+---
+
+fix: Ensure the provisioner deployment is triggered
diff --git a/BUILD.bazel b/BUILD.bazel
index 8915760ab..cad9269cc 100644
--- a/BUILD.bazel
+++ b/BUILD.bazel
@@ -11,7 +11,10 @@ load("@rules_release//release:defs.bzl", "release_manager")
 package(default_visibility = ["//visibility:public"])
-exports_files(["WORKSPACE"])
+exports_files([
+ "WORKSPACE",
+ ".github",
+])
 bool_flag(
 name = "setup_debug_flag",
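Review bot: `".github"` in `exports_files` is a directory label, and Bazel only notices files being added to or removed from such a directory, not edits to the files inside it. The same label is consumed as `data = ["//:.github"]` in the provisioner/BUILD.bazel hunk, so an edit to an existing workflow file may not retrigger the deployment, which is what this commit is meant to guarantee; whether the release tooling's change detection behaves the same way is not visible here. Enumerating the files is the reliable form, for example `filegroup(name = "github_files", srcs = glob([".github/**"]))` here and `data = ["//:github_files"]` in the provisioner task.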
@@ -207,36 +210,24 @@ diff_test(
 file2 = ":pdm-setup_lock",
 )
-task(
- name = "git_askpass",
- cmds = [
- "export OP_SERVICE_ACCOUNT_TOKEN=${ONEPASSWORD_SERVICE_ACCOUNT_TOKEN_PROD:-}",
- "echo $($OP read op://vgijssel-prod/github-git-push/credential)",
- ],
- env = {
- "OP": cmd.executable("//tools/onepassword:op"),
- },
-)
-
 task(
 name = "push_git_changes",
 cmds = [
 "export OP_SERVICE_ACCOUNT_TOKEN=${ONEPASSWORD_SERVICE_ACCOUNT_TOKEN_PROD:-}",
 "export GIT_AUTHOR_NAME=$($OP read op://vgijssel-prod/github-git-push/username)",
 "export GIT_AUTHOR_EMAIL=$($OP read op://vgijssel-prod/github-git-push/email)",
+ "export GIT_PUSH_PASSWORD=$($OP read op://vgijssel-prod/github-git-push/credential)",
 "export GIT_COMMITTER_NAME=$GIT_AUTHOR_NAME",
 "export GIT_COMMITTER_EMAIL=$GIT_AUTHOR_EMAIL",
 "git add .",
 "export CHANGES_TO_COMMIT=$(git diff-index --quiet HEAD && echo false || echo true)",
 "if [ $CHANGES_TO_COMMIT = false ]; then echo 'Nothing to commit, working tree clean. Exitting.'; exit 0; fi",
 "git commit -m 'chore(release_manager): update release files'",
- # Disable credential.helper to ensure GIT_ASKPASS is used and not cached
- # Force https to ensure GIT_ASKPASS is used and we can use al alternative username
- "git -c credential.helper= push --tags https://$GIT_COMMITTER_NAME@github.com/vgijssel/setup.git HEAD:master",
+ # Disable credential.helper to ensure the passed in token is used
+ "git -c credential.helper= push --tags https://$GIT_COMMITTER_NAME$GIT_PUSH_PASSWORD@github.com/vgijssel/setup.git HEAD:master",
 ],
 cwd = "$BUILD_WORKSPACE_DIRECTORY",
 env = {
- "GIT_ASKPASS": cmd.executable(":git_askpass"),
 "OP": cmd.executable("//tools/onepassword:op"),
 },
 )
diff --git a/provisioner/BUILD.bazel b/provisioner/BUILD.bazel
index 7192e0b31..1c9680e23 100644
--- a/provisioner/BUILD.bazel
+++ b/provisioner/BUILD.bazel
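Review bot: The new push command in `push_git_changes` expands the 1Password credential into the remote URL, `https://$GIT_COMMITTER_NAME$GIT_PUSH_PASSWORD@github.com/...`, so the token sits in git's argument list where process listings can read it and where it can end up in CI output that echoes the URL; the removed `GIT_ASKPASS` helper kept it off the command line. The two variables are also joined without a `:`, so unless the stored credential itself starts with one, the whole string is parsed as the username and no password is supplied. Either keep the `git_askpass` task, or leave the secret in the environment and hand it over through an inline helper, something like `git -c credential.helper= -c credential.helper='!f() { echo username=$GIT_COMMITTER_NAME; echo password=$GIT_PUSH_PASSWORD; }; f' push --tags https://github.com/vgijssel/setup.git HEAD:master`. The comment above the command should then say where the token comes from and that it must never be interpolated into the URL.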
@@ -139,6 +139,11 @@ task(
 cmd.executable(":deploy_validate"),
 ],
 cwd = "$BUILD_WORKSPACE_DIRECTORY",
+ # Add in all the .github files to the data attribute,
+ # so if the github workflows change then we re-run the deployment
+ data = [
+ "//:.github",
+ ],
 env = {
 "SETUP_ENV": "prod",
 },