nodejs/.github/workflows/update-openssl.yml

name: OpenSSL update
on:
  schedule:
    # Run once a week at 00:05 AM UTC on Sunday.
    - cron: 5 0 * * 0

  workflow_dispatch:

permissions:
  contents: read

jobs:
  openssl-update:
    if: github.repository == 'nodejs/node'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          persist-credentials: false
      - name: Check if update branch already exists
        run: |
          BRANCH_EXISTS=$(git ls-remote --heads origin actions/tools-update-openssl)
          echo "BRANCH_EXISTS=$BRANCH_EXISTS" >> $GITHUB_ENV
      - name: Check and download new OpenSSL version
        # Only run rest of the workflow if the update branch does not yet exist
        if: ${{ env.BRANCH_EXISTS == '' }}
        run: |
          NEW_VERSION=$(gh api repos/quictls/openssl/releases -q '.[].tag_name|select(contains("openssl-3"))|ltrimstr("openssl-")' | head -n1)
          NEW_VERSION_NO_RELEASE_1=$(case $NEW_VERSION in *quic1) echo ${NEW_VERSION%1};; *) echo $NEW_VERSION;; esac)
          VERSION_H="./deps/openssl/config/archs/linux-x86_64/asm/include/openssl/opensslv.h"
          CURRENT_VERSION=$(grep "OPENSSL_FULL_VERSION_STR" $VERSION_H | sed -n "s/^.*VERSION_STR \"\(.*\)\"/\1/p" | sed 's/+/-/g')
          echo "comparing current version: $CURRENT_VERSION with $NEW_VERSION_NO_RELEASE_1"
          if [ "$NEW_VERSION_NO_RELEASE_1" != "$CURRENT_VERSION" ]; then
            echo "NEW_VERSION=$NEW_VERSION" >> $GITHUB_ENV
            echo "HAS_UPDATE=true" >> $GITHUB_ENV
            ./tools/dep_updaters/update-openssl.sh download "$NEW_VERSION"
          fi
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
      - name: Create PR with first commit
        if: env.HAS_UPDATE
        uses: gr2m/create-or-update-pull-request-action@v1
        # Creates a PR with the new OpenSSL source code committed
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
        with:
          author: Node.js GitHub Bot <github-bot@iojs.org>
          body: This is an automated update of OpenSSL to ${{ env.NEW_VERSION }}.
          branch: actions/tools-update-openssl  # Custom branch *just* for this Action.
          commit-message: 'deps: upgrade openssl sources to quictls/openssl-${{ env.NEW_VERSION }}'
          labels: dependencies
          title: 'deps: update OpenSSL to ${{ env.NEW_VERSION }}'
          path: deps/openssl
      - name: Regenerate platform specific files
        if: env.HAS_UPDATE
        run: |
          sudo apt install -y nasm libtext-template-perl
          ./tools/dep_updaters/update-openssl.sh regenerate
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
      - name: Add second commit
        # Adds a second commit to the PR with the generated platform-dependent files
        if: env.HAS_UPDATE
        uses: gr2m/create-or-update-pull-request-action@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
        with:
          author: Node.js GitHub Bot <github-bot@iojs.org>
          branch: actions/tools-update-openssl  # Custom branch *just* for this Action.
          commit-message: 'deps: update archs files for openssl-${{ env.NEW_VERSION }}'
          path: deps/openssl
tools: add automation for updating OpenSSL dependency Add a Github Action that checks for new versions of the `OpenSSL` library, and creates a PR to update it if a newer version than the one present in the repo is found. Refs: https://github.com/nodejs/security-wg/issues/828 PR-URL: https://github.com/nodejs/node/pull/45605 Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> 2022-11-24 13:43:36 +01:00			`name: OpenSSL update`
			`on:`
			`schedule:`
			`# Run once a week at 00:05 AM UTC on Sunday.`
			`- cron: 5 0 * * 0`

			`workflow_dispatch:`

			`permissions:`
			`contents: read`

			`jobs:`
			`openssl-update:`
			`if: github.repository == 'nodejs/node'`
			`runs-on: ubuntu-latest`
			`steps:`
			`- uses: actions/checkout@v3`
			`with:`
			`persist-credentials: false`
			`- name: Check if update branch already exists`
			`run: \|`
			`BRANCH_EXISTS=$(git ls-remote --heads origin actions/tools-update-openssl)`
			`echo "BRANCH_EXISTS=$BRANCH_EXISTS" >> $GITHUB_ENV`
			`- name: Check and download new OpenSSL version`
			`# Only run rest of the workflow if the update branch does not yet exist`
			`if: ${{ env.BRANCH_EXISTS == '' }}`
			`run: \|`
			`NEW_VERSION=$(gh api repos/quictls/openssl/releases -q '.[].tag_name\|select(contains("openssl-3"))\|ltrimstr("openssl-")' \| head -n1)`
			`NEW_VERSION_NO_RELEASE_1=$(case $NEW_VERSION in quic1) echo ${NEW_VERSION%1};; ) echo $NEW_VERSION;; esac)`
			`VERSION_H="./deps/openssl/config/archs/linux-x86_64/asm/include/openssl/opensslv.h"`
tools: fix update-openssl.yml compare version PR-URL: https://github.com/nodejs/node/pull/47384 Refs: https://github.com/nodejs/node/pull/46957 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 2023-04-05 15:55:28 +02:00			`CURRENT_VERSION=$(grep "OPENSSL_FULL_VERSION_STR" $VERSION_H \| sed -n "s/^.VERSION_STR \"\(.\)\"/\1/p" \| sed 's/+/-/g')`
			`echo "comparing current version: $CURRENT_VERSION with $NEW_VERSION_NO_RELEASE_1"`
tools: add automation for updating OpenSSL dependency Add a Github Action that checks for new versions of the `OpenSSL` library, and creates a PR to update it if a newer version than the one present in the repo is found. Refs: https://github.com/nodejs/security-wg/issues/828 PR-URL: https://github.com/nodejs/node/pull/45605 Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> 2022-11-24 13:43:36 +01:00			`if [ "$NEW_VERSION_NO_RELEASE_1" != "$CURRENT_VERSION" ]; then`
			`echo "NEW_VERSION=$NEW_VERSION" >> $GITHUB_ENV`
			`echo "HAS_UPDATE=true" >> $GITHUB_ENV`
			`./tools/dep_updaters/update-openssl.sh download "$NEW_VERSION"`
			`fi`
			`env:`
			`GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}`
			`- name: Create PR with first commit`
			`if: env.HAS_UPDATE`
			`uses: gr2m/create-or-update-pull-request-action@v1`
			`# Creates a PR with the new OpenSSL source code committed`
			`env:`
			`GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}`
			`with:`
			`author: Node.js GitHub Bot <github-bot@iojs.org>`
			`body: This is an automated update of OpenSSL to ${{ env.NEW_VERSION }}.`
			`branch: actions/tools-update-openssl # Custom branch just for this Action.`
			`commit-message: 'deps: upgrade openssl sources to quictls/openssl-${{ env.NEW_VERSION }}'`
			`labels: dependencies`
			`title: 'deps: update OpenSSL to ${{ env.NEW_VERSION }}'`
			`path: deps/openssl`
			`- name: Regenerate platform specific files`
			`if: env.HAS_UPDATE`
			`run: \|`
			`sudo apt install -y nasm libtext-template-perl`
			`./tools/dep_updaters/update-openssl.sh regenerate`
			`env:`
			`GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}`
			`- name: Add second commit`
			`# Adds a second commit to the PR with the generated platform-dependent files`
			`if: env.HAS_UPDATE`
			`uses: gr2m/create-or-update-pull-request-action@v1`
			`env:`
			`GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}`
			`with:`
			`author: Node.js GitHub Bot <github-bot@iojs.org>`
			`branch: actions/tools-update-openssl # Custom branch just for this Action.`
			`commit-message: 'deps: update archs files for openssl-${{ env.NEW_VERSION }}'`
			`path: deps/openssl`