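name: Dependency Check

# Supply-chain gate for Go dependencies: a PR that adds or bumps a dependency
# to an unreleased version fails unless the go.mod line carries an inline
# `// dependency-check-ignore: <text>` comment.
#
# Triggered by `pull_request` (NOT `pull_request_target`): the PR head is checked
# out, but the steps below only run sed/grep over go.mod and never execute code
# from the checked-out tree, so an untrusted head is acceptable here.
on:
  pull_request:
    paths:
      - 'go.mod'
      - 'go.sum'
      - '.github/workflows/dependency-check.yml'

# Least privilege: nothing in this job writes to the repository or the API.
permissions:
  contents: read

jobs:
  dependency-check:
    runs-on: ubuntu-latest
    name: Dependency Check
    steps:
      # TODO(security): pin to a full commit SHA (`actions/checkout@<sha> # v3`)
      # rather than a mutable tag, so a moved/compromised tag cannot change what runs.
      - uses: actions/checkout@v3
        name: Check out the repository
        with:
          submodules: 'recursive'
          # No later step pushes or calls the API, so do not leave GITHUB_TOKEN in .git/config.
          persist-credentials: false

      - id: all
        name: Extract all dependencies from go.mod (include indirect dependencies and comments)
        run: |
          # go.mod is PR-author controlled and its lines are copied verbatim into
          # $GITHUB_OUTPUT. A random heredoc delimiter prevents a crafted line
          # (e.g. a bare `EOF`) from terminating the value early and injecting
          # further `key=value` outputs (see GitHub's multiline-output guidance).
          delimiter="$(openssl rand -hex 8)"
          echo "dependencies<<${delimiter}" >> "$GITHUB_OUTPUT"
          # `go list` isn't used because:
          # 1. it lists ALL the transitive dependencies, even those that are unused and don't make it to the go.mod file
          # 2. it doesn't extract the inline `dependency-check-ignore` comments.
          # Print every parenthesised `require (` ... `)` block; sed ranges restart,
          # so all such blocks are captured, not just the first. The end address is
          # anchored to a line that STARTS with `)`: the previous unanchored `/)/`
          # let a `)` inside a trailing `// comment` close the range early and
          # silently drop every dependency after it (i.e. bypass this check).
          # Limitation: single-line `require x vN` statements are not captured.
          sed -n '/^require (/,/^)/p' go.mod |
            # Drop the opening and closing line of each block.
            sed -e '/^require (/d' -e '/^)/d' |
            # Strip leading whitespace so each line reads `<module> <version> [// comment]`.
            sed 's/^[[:space:]]*//' |
            # Echo for the log and append to the output value.
            tee -a "$GITHUB_OUTPUT"
          echo "${delimiter}" >> "$GITHUB_OUTPUT"

      - id: unreleased
        name: Find all dependencies that use prerelease versions (i.e., exclude vX.Y.Z and v0.0.0 versions)
        env:
          # Passed through env rather than interpolated into the script body, so the
          # attacker-controlled text is never parsed by the shell.
          DEPENDENCIES: ${{ steps.all.outputs.dependencies }}
        run: |
          delimiter="$(openssl rand -hex 8)"
          echo "dependencies<<${delimiter}" >> "$GITHUB_OUTPUT"
          # Keep only lines whose version is neither a tagged release (vX.Y.Z, optionally
          # `+incompatible`) nor a `v0.0.0-<14-digit timestamp>-<hex>` pseudo-version;
          # the version must be followed by a space or end of line.
          # grep exits 1 when it selects nothing; `|| true` keeps the step green if the
          # shell is ever switched to `bash -eo pipefail`.
          grep -Pv '(v0\.0\.0-[0-9]{14}-[0-9a-f]{7,}|v[0-9]+\.[0-9]+\.[0-9]+(\+incompatible)?)( |$)' <<< "$DEPENDENCIES" | tee -a "$GITHUB_OUTPUT" || true
          echo "${delimiter}" >> "$GITHUB_OUTPUT"

      - id: unexplained
        name: Find all unreleased dependencies without a dependency-check-ignore comment
        env:
          DEPENDENCIES: ${{ steps.unreleased.outputs.dependencies }}
        run: |
          delimiter="$(openssl rand -hex 8)"
          echo "dependencies<<${delimiter}" >> "$GITHUB_OUTPUT"
          # A line is "explained" only if the marker is followed by a whitespace
          # character; a bare `dependency-check-ignore:` at end of line does not count.
          grep -Pv 'dependency-check-ignore:\s' <<< "$DEPENDENCIES" | tee -a "$GITHUB_OUTPUT" || true
          echo "${delimiter}" >> "$GITHUB_OUTPUT"

      - if: steps.unexplained.outputs.dependencies != ''
        name: Throw if any unreleased unexplained dependencies exist
        env:
          # Interpolated into env, not into `run`, so go.mod content cannot break out of the shell.
          MESSAGE: |
            A new unreleased and unexplained dependency was discovered in this PR. Please do one of the options in [dependency management conventions](https://github.com/filecoin-project/lotus/blob/master/CONTRIBUTING.md#dependency-management).
            Unexplained unreleased dependencies:
            ${{steps.unexplained.outputs.dependencies}}
        run: |
          # Workflow commands are line-oriented. Escape `%` first (so a literal
          # `%0A` in go.mod content stays literal), then encode newlines as %0A so
          # the whole message is one `::error::` annotation and no line of
          # attacker-controlled content can begin a workflow command of its own.
          MESSAGE="${MESSAGE//%/%25}"
          echo "::error::${MESSAGE//$'\n'/%0A}"
          exit 1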