Update API Bindings #7
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Update API Bindings | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: "0 4 * * 1" # Every Monday at 4 AM UTC | |
| permissions: | |
| contents: read | |
| env: | |
| _BOT_NAME: "bw-ghapp[bot]" | |
| _BOT_EMAIL: "178206702+bw-ghapp[bot]@users.noreply.github.com" | |
| jobs: | |
| download: | |
| name: Update API Bindings | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| actions: read | |
| contents: write | |
| id-token: write | |
| steps: | |
| - name: Early exit for uneven weeks | |
| if: github.event_name == 'schedule' | |
| run: | | |
| WEEK_NUM=$(date +%V) | |
| if [ $((WEEK_NUM % 2)) -ne 0 ]; then | |
| echo "Odd week ($WEEK_NUM), exiting early." | |
| exit 0 | |
| fi | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Log in to Azure | |
| uses: bitwarden/gh-actions/azure-login@main | |
| with: | |
| subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| tenant_id: ${{ secrets.AZURE_TENANT_ID }} | |
| client_id: ${{ secrets.AZURE_CLIENT_ID }} | |
| - name: Get Azure Key Vault secrets | |
| id: get-kv-secrets | |
| uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
| with: | |
| keyvault: gh-org-bitwarden | |
| secrets: "BW-GHAPP-ID,BW-GHAPP-KEY" | |
| - name: Log out from Azure | |
| uses: bitwarden/gh-actions/azure-logout@main | |
| - name: Generate GH App token | |
| uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1 | |
| id: app-token | |
| with: | |
| app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }} | |
| private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }} | |
| permission-pull-requests: write | |
| - name: Switch to branch | |
| id: switch-branch | |
| run: | | |
| BRANCH_NAME="sdlc/api-update" | |
| echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT | |
| if git switch $BRANCH_NAME; then | |
| echo "✅ Switched to existing branch: $BRANCH_NAME" | |
| echo "updating_existing_branch=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "📝 Creating new branch: $BRANCH_NAME" | |
| git switch -c $BRANCH_NAME | |
| echo "updating_existing_branch=false" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Prevent updating the branch when the last committer isn't the bot | |
| if: ${{ steps.switch-branch.outputs.updating_existing_branch == 'true' }} | |
| env: | |
| _BRANCH_NAME: ${{ steps.switch-branch.outputs.branch_name }} | |
| run: | | |
| LATEST_COMMIT_AUTHOR=$(git log -1 --format='%ae' $_BRANCH_NAME) | |
| echo "Latest commit author in branch ($_BRANCH_NAME): $LATEST_COMMIT_AUTHOR" | |
| echo "Expected bot email: $_BOT_EMAIL" | |
| if [ "$LATEST_COMMIT_AUTHOR" != "$_BOT_EMAIL" ]; then | |
| echo "::error::Branch $_BRANCH_NAME has a commit not made by the bot." \ | |
| "This indicates manual changes have been made to the branch," \ | |
| "PR has to be merged or closed before running this workflow again." | |
| echo "👀 Fetching existing PR..." | |
| gh pr list --head $_BRANCH_NAME --base main --state open --json number --jq '.[0].number // empty' | |
| EXISTING_PR=$(gh pr list --head $_BRANCH_NAME --base main --state open --json number --jq '.[0].number // empty') | |
| if [ -z "$EXISTING_PR" ]; then | |
| echo "::error::Couldn't find an existing PR for branch $_BRANCH_NAME." | |
| exit 1 | |
| fi | |
| PR_URL="https://github.com/${{ github.repository }}/pull/$EXISTING_PR" | |
| echo "## ❌ Merge or close: $PR_URL" >> $GITHUB_STEP_SUMMARY | |
| exit 1 | |
| fi | |
| echo "✅ Branch tip commit was made by the bot. Safe to proceed." | |
| - name: Download json artifacts | |
| uses: bitwarden/gh-actions/download-artifacts@main | |
| with: | |
| github_token: ${{ secrets.GITHUB_TOKEN }} | |
| repo: bitwarden/server | |
| branch: main | |
| workflow: build.yml | |
| artifacts: "*.json" | |
| path: artifacts/ | |
| - name: List downloaded files | |
| run: | | |
| echo "Downloaded files:" | |
| find artifacts/ -type f -name "*.json" | head -10 | |
| if [ -f "artifacts/internal.json" ]; then | |
| echo "internal.json file size: $(stat -c%s artifacts/internal.json) bytes" | |
| fi | |
| - name: Set Rust Nightly Toolchain | |
| id: nightly-toolchain | |
| shell: bash | |
| run: | | |
| RUST_NIGHTLY_TOOLCHAIN="$(grep -oP '^nightly-channel.*"(\K.*?)(?=")' rust-toolchain.toml)" | |
| echo "RUST_NIGHTLY_TOOLCHAIN=${RUST_NIGHTLY_TOOLCHAIN}" | tee -a "${GITHUB_OUTPUT}" | |
| - name: Install rust nightly | |
| run: | | |
| rustup toolchain install "${{ steps.nightly-toolchain.outputs.RUST_NIGHTLY_TOOLCHAIN }}" | |
| rustup component add rustfmt --toolchain "${{ steps.nightly-toolchain.outputs.RUST_NIGHTLY_TOOLCHAIN }}"-x86_64-unknown-linux-gnu | |
| - name: Cache cargo registry | |
| uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7 | |
| - name: Set Node Version | |
| id: retrieve-node-version | |
| working-directory: ./ | |
| run: | | |
| NODE_NVMRC=$(cat .nvmrc) | |
| NODE_VERSION=${NODE_NVMRC/v/''} | |
| echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT | |
| - name: Set up Node | |
| uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0 | |
| with: | |
| cache: "npm" | |
| cache-dependency-path: "package-lock.json" | |
| node-version: ${{ env._NODE_VERSION }} | |
| env: | |
| _NODE_VERSION: ${{ steps.retrieve-node-version.outputs.node_version }} | |
| - name: NPM setup | |
| run: npm ci | |
| - name: Generate API bindings | |
| run: ./support/build-api-ci.sh | |
| - name: Format | |
| run: cargo +"${{ steps.nightly-toolchain.outputs.RUST_NIGHTLY_TOOLCHAIN }}" fmt | |
| - name: Set Commit Info | |
| id: commit-info | |
| run: | | |
| HASH=$(cat ./artifacts/identity.json | jq -r '.["x-git-commit"]') | |
| echo "HASH=$HASH" >> $GITHUB_OUTPUT | |
| - name: Create branch and commit | |
| env: | |
| _HASH: ${{ steps.commit-info.outputs.HASH }} | |
| _BRANCH_NAME: ${{ steps.switch-branch.outputs.BRANCH_NAME }} | |
| run: | | |
| echo "👀 Committing SDK version update..." | |
| git config user.name "$_BOT_NAME" | |
| git config user.email "$_BOT_EMAIL" | |
| git add crates/bitwarden-api-api crates/bitwarden-api-identity | |
| git commit -m "Update API bindings - $_HASH" --no-verify | |
| git push origin $_BRANCH_NAME | |
| - name: Create or Update Pull Request | |
| env: | |
| GH_TOKEN: ${{ steps.app-token.outputs.token }} | |
| _HASH: ${{ steps.commit-info.outputs.HASH }} | |
| _BRANCH_NAME: ${{ steps.switch-branch.outputs.BRANCH_NAME }} | |
| run: | | |
| PR_BODY="Updates the API bindings to \`$_HASH\`" | |
| EXISTING_PR=$(gh pr list --head $_BRANCH_NAME --base main --state open --json number --jq '.[0].number // empty') | |
| if [ -n "$EXISTING_PR" ]; then | |
| echo "🔄 Updating existing PR #$EXISTING_PR..." | |
| echo -e "$PR_BODY" | gh pr edit $EXISTING_PR \ | |
| --title "Update API to $_HASH" \ | |
| --body-file - | |
| PR_URL="https://github.com/${{ github.repository }}/pull/$EXISTING_PR" | |
| echo "## ✅ Updated PR: $PR_URL" >> $GITHUB_STEP_SUMMARY | |
| else | |
| echo "📝 Creating new PR..." | |
| PR_URL=$(echo -e "$PR_BODY" | gh pr create \ | |
| --title "Update API to $_HASH" \ | |
| --body-file - \ | |
| --base main \ | |
| --head $_BRANCH_NAME) | |
| echo "## 🚀 Created PR: $PR_URL" >> $GITHUB_STEP_SUMMARY | |
| fi |