From 1219a625da6475db46cd80248c34710b3931568d Mon Sep 17 00:00:00 2001 From: Scott Ames Date: Fri, 2 Aug 2024 09:14:41 -0700 Subject: [PATCH] ci: cleanup dagger-update/justfile + add aqua checksum --- .github/renovate.json5 | 8 -- .github/workflows/dagger-update.yaml | 50 +++++++++---- .../pull_request_aqua_update_checksum.yaml | 20 +++++ justfile | 75 ++++++++++++++++--- 4 files changed, 120 insertions(+), 33 deletions(-) create mode 100644 .github/workflows/pull_request_aqua_update_checksum.yaml diff --git a/.github/renovate.json5 b/.github/renovate.json5 index f7d58a4..bb2a0ed 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 @@ -6,12 +6,4 @@ gomod: { enabled: false, // dagger should handle changes to go.mod/sum }, - packageRules: [ - { - description: "skip pinning silverblue in justfile as it is used to track Fedora major version", - matchFileNames: ['justfile'], - matchDatasources: ['docker'], - pinDigests: false, - }, - ] } diff --git a/.github/workflows/dagger-update.yaml b/.github/workflows/dagger-update.yaml index 0255b2b..64a2ad0 100644 --- a/.github/workflows/dagger-update.yaml +++ b/.github/workflows/dagger-update.yaml @@ -1,22 +1,29 @@ --- name: dagger-update on: - # using `on: pull_request` causes a loop + # using on: pull_request causes a loop + # run on pushes to renovate branches + # with path filter push: paths: - "**/dagger.json" branches: - renovate/* - # yamllint disable-line rule:empty-values workflow_dispatch: + inputs: + #checkov:skip=CKV_GHA_7:desired to affect output to affect the build in this case + go-updates: + type: boolean + default: false + description: enable golang updates +permissions: + contents: read # required for actions/checkout jobs: dagger-update: name: Update Dagger Modules runs-on: ubuntu-latest permissions: - contents: write - strategy: - fail-fast: false + contents: write # allow workflow to write to PR steps: - name: checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 
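Review bot: The job-level `contents: write` in the `dagger-update` job still applies to the default `GITHUB_TOKEN`, while the push step later in this file sets `GITHUB_TOKEN` from `steps.generate_app_token.outputs.token`. If the app token is always the credential that pushes, the job could inherit the new workflow-level `contents: read` and drop the write grant. If the grant exists as a fallback for runs without app credentials, the trailing comment should say so, e.g. `contents: write # fallback push with github.token when no app token is generated`. This is inferred from the steps visible in the patch and should be confirmed against how github-token-action behaves when the app secrets are unset.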
@@ -31,8 +38,8 @@ jobs:
 # yamllint disable-line rule:line-length
 uses: suzuki-shunsuke/github-token-action@350d7506222e3a0016491abe85b5c4dd475b67d1 # v0.2.1
 with:
- github_app_id: ${{secrets.GH_APP_ID}}
- github_app_private_key: ${{secrets.GH_APP_PRIVATE_KEY}}
+ github_app_id: ${{ secrets.GH_APP_ID }}
+ github_app_private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 github_app_permissions: >-
 { "contents": "write" }
 github_app_repositories: >-
@@ -44,41 +51,54 @@ jobs: steps.generate_app_token.outputs.token_type == 'empty' && ! github.event.pull_request.head.repo.fork with: + policy_allow: "true" aqua_version: v2.30.0 # renovate: depName=aquaproj/aqua env: AQUA_GITHUB_TOKEN: ${{ github.token }} - # yamllint disable-line rule:line-length + # yamllint disable-line rule:line-length - name: install aquas (using generated app token) # yamllint disable-line rule:line-length uses: aquaproj/aqua-installer@6ce1f8848ec8e61f14d57bd5d7597057a6dd187c # v3.0.1 if: | steps.generate_app_token.outputs.token_type != 'empty' && ! github.event.pull_request.head.repo.fork - # Install ghcp with: + policy_allow: "true" aqua_version: v2.30.0 # renovate: depName=aquaproj/aqua env: AQUA_GITHUB_TOKEN: ${{ steps.generate_app_token.outputs.token }} - # yamllint disable-line rule:line-length + # yamllint disable-line rule:line-length - uses: kevincobain2000/action-gobrew@e6b1116c09b28a0e20a753384c90bb7fa95ec198 # v2 with: version: 1.22.4 # renovate: datasource=golang-version depName=go - name: dagger develop run: | - just develop - - name: ghcp push changes + just goUpdates="${{ inputs.go-updates }}" develop + - name: push changes with ghcp if: "! github.event.pull_request.head.repo.fork" env: - GITHUB_REPOSITORY: ${{github.event.repository.name}} - GITHUB_TOKEN: ${{steps.generate_app_token.outputs.token}} + GITHUB_REPOSITORY: ${{ github.event.repository.name }} + GITHUB_TOKEN: ${{ steps.generate_app_token.outputs.token }} run: | + set -eu + + if ! ghcp -v; then + echo "::error ::int128/ghcp not found - needed to push." + exit 1 + fi + branch=${GITHUB_HEAD_REF:-} # https://github.com/int128/ghcp if [ -z "${branch}" ]; then branch="${GITHUB_REF_NAME}" fi + GO_UPDATES_STR="" + if [ "${{ inputs.go-updates }}" = "true" ]; then + GO_UPDATES_STR=" + related golang updates" + fi # shellcheck disable=SC2046 # ^- we want it to split! 
ghcp commit -r "$GITHUB_REPOSITORY" -b "${branch}" \ - -m "chore(dagger): develop" \ + -m "chore(dagger): develop${GO_UPDATES_STR}" \ $(git --no-pager diff --name-only) + echo "::notice ::changes pushed to branch, 'exit 1' to force checks" exit 1 diff --git a/.github/workflows/pull_request_aqua_update_checksum.yaml b/.github/workflows/pull_request_aqua_update_checksum.yaml new file mode 100644 index 0000000..67c81d7 --- /dev/null +++ b/.github/workflows/pull_request_aqua_update_checksum.yaml @@ -0,0 +1,20 @@ +--- +name: aqua-update-checksums +on: + pull_request: + paths: + - aqua/aqua.yaml + - aqua/aqua-checksums.json +permissions: + contents: read # required for actions/checkout +jobs: + aqua-update-checksums: + uses: aquaproj/update-checksum-workflow/.github/workflows/update-checksum.yaml@75c72cdc372a43dd1b1ad0458748f5d6bfeac7b9 # v1.0.1 # renovate: depName=aquaproj/update-checksum-workflow + permissions: + contents: read + with: + aqua_version: v2.29.0 # renovate: depName=aquaproj/aqua + prune: true + secrets: + gh_app_id: ${{ secrets.GH_APP_ID }} + gh_app_private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} diff --git a/justfile b/justfile index 33e184e..2ff4e49 100644 --- a/justfile +++ b/justfile 
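Review bot: `${{ inputs.go-updates }}` is expanded into the script text of two `run:` blocks, `just goUpdates="${{ inputs.go-updates }}" develop` and the `if [ "${{ inputs.go-updates }}" = "true" ]` test, so the value becomes shell source before bash parses it. The input is declared `type: boolean` and `workflow_dispatch` needs write access, so exposure is limited today, but the pattern turns into a script-injection sink if the input type or trigger ever changes. Passing the value through the step environment keeps it as data: add `GO_UPDATES: ${{ inputs.go-updates }}` under `env:` on both steps and use `just goUpdates="${GO_UPDATES}" develop` and `[ "${GO_UPDATES}" = "true" ]`. On `push` runs the input is absent and expands to an empty string, which both comparisons already treat as false.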
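Review bot: `aqua_version: v2.29.0` in the new workflow differs from the `v2.30.0` pinned in both aqua-installer steps of dagger-update.yaml, so checksums would be produced by a different aqua release than the one that installs against them. Aligning the two lets the existing `# renovate: depName=aquaproj/aqua` markers bump them together. The job also passes `GH_APP_ID` and `GH_APP_PRIVATE_KEY` to a third-party reusable workflow. The full-commit-SHA pin is the control that bounds that trust, so a comment above `uses:` stating that the ref must stay a SHA, not a tag, would help. Because the trigger is `pull_request`, these secrets are empty for fork PRs; how the called workflow behaves then is not visible here and should be confirmed.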
@@ -1,43 +1,98 @@ gitRoot := `git rev-parse --show-toplevel` +goUpdates :="false" _default: @just --list --list-heading $'' --list-prefix $'' +# run go updates for the given project (USE WITH CAUTION) +go-update project version="latest": + #!/usr/bin/env bash + echo "=> go update: {{ project }}" + pushd "{{ project }}" >/dev/null || exit 1 + if [[ ! -f "go.mod" ]]; then + echo "‼️ ERROR: no go.mod in {{ project }}" + exit 1 + fi + [ -x "$(command -v gobrew)" ] || exit 1 + gobrew use "{{ version }}" + # remove the go version, let the mod update it + sed -i '/^go\s.*$/d' go.mod + go get -u + go mod tidy + popd >/dev/null || exit 1 + +# init go.work | https://go.dev/doc/tutorial/workspaces +go-work target="": + #!/usr/bin/env bash + + pushd {{ gitRoot }} >/dev/null + + if [[ ! -f "go.work" ]]; then # only create go.work if not exists + echo "=> go work init" + go work init + fi + + if [[ -n "{{ target }}" ]]; then # generate just for the given target + echo "=> use: {{ target }}" + go work use {{ target }} + + else # generate go.work with all dirs containing go.mod + for _GO_MOD_DIR in $(find . -type f -name go.mod | xargs dirname); do + echo "=> use: ${_GO_MOD_DIR}" + go work use "${_GO_MOD_DIR}" + done + fi + # run `dagger develop` for all Dagger modules, or the given module develop mod="": #!/usr/bin/env bash + set -e _DAGGER_MODS="{{ mod }}" if [[ -z "${_DAGGER_MODS}" ]]; then mapfile -t _DAGGER_MODS < <(find . -type f -name dagger.json -print0 | xargs -0 dirname) fi for _DAGGER_MOD in "${_DAGGER_MODS[@]}"; do + echo "=> ${_DAGGER_MOD}: dagger develop" + pushd "${_DAGGER_MOD}" >/dev/null || exit _DAGGER_MOD_SOURCE="$(dagger config --silent --json | jq -r '.source')" - echo "=> ${_DAGGER_MOD}: dagger develop" + # NOTE: use with caution! + # Dagger is opinionated about the go version compatibility. 
It will barf + # if the go version is greater than supported + if [[ "{{ goUpdates }}" = "true" ]]; then + _DAGGER_GO_MOD="${_DAGGER_MOD}/${_DAGGER_MOD_SOURCE}" + echo "=> ${_DAGGER_GO_MOD}: go update" + just -f "{{ gitRoot }}/justfile" go-update "${_DAGGER_GO_MOD}" + fi + dagger develop # remove generated bits we don't want rm -f LICENSE + just -f "{{ gitRoot }}/justfile" go-work "${_DAGGER_MOD}" + popd >/dev/null || exit 1 done + echo "=> dagger-develop: done" # initialize a new Dagger module [no-exit-message] -init mod: +init module: #!/usr/bin/env bash - set -euxo pipefail - test ! -d {{ mod }} \ - || (echo "Module \"{{ mod }}\" already exists" && exit 1) + set -euo pipefail + test ! -d {{module}} \ + || (echo "Module \"{{module}}\" already exists" && exit 1) - mkdir -p {{ mod }} - cd {{ mod }} && dagger init --sdk go --name {{ mod }} --source . - dagger develop -m {{ mod }} + mkdir -p {{module}} + cd {{module}} && dagger init --sdk go --name {{module}} --source . + dagger develop -m {{module}} [no-exit-message] -install target mod : +install target module: pushd {{ target }} - dagger install ../{{ mod }} + dagger install {{ module }} popd +
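Review bot: `go-update` and `go-work` are bash shebang recipes without `set -e`, so a failed `gobrew use`, `sed` or `go get -u` does not stop them. `go-update` would still strip the `go` directive and tidy with whatever toolchain is active, then return the status of the final `popd` to `develop`, whose results the workflow commits. Adding `set -euo pipefail` directly after each `#!/usr/bin/env bash`, as `init` already does, makes a partial update fail the run instead of being pushed. `go-work` also leaves `pushd {{ gitRoot }}` unchecked and `{{ target }}` unquoted; `pushd "{{ gitRoot }}" >/dev/null || exit 1` and `go work use "{{ target }}"` would match the quoting in `go-update`. Since `go get -u` moves every dependency to its latest release, the resulting go.mod/go.sum diff deserves the same review as any other dependency bump before merge.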