Introduce a script for doing GHA pin bumps #13251

alex · 2025-08-06T00:26:38Z

No description provided.

Copilot

Pull Request Overview

This PR introduces a Python script to automate dependency version bumps in GitHub Actions workflows, replacing repetitive shell script logic with a centralized solution. The script handles checking for updates from remote repositories and updating configuration files with new versions.

Replaces complex bash logic for checking and updating dependency versions with a Python script
Consolidates version bump logic for multiple dependencies (x509-limbo, wycheproof, BoringSSL, OpenSSL, AWS-LC)
Updates workflow conditions to use standardized output variables from the new script

Reviewed Changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.

File	Description
.github/workflows/x509-limbo-version-bump.yml	Replaces manual SHA checking and sed commands with calls to the new bump_dependency.py script for x509-limbo and wycheproof
.github/workflows/ci.yml	Shows example updates to AWS-LC and OpenSSL versions that would be handled by the new automation
.github/workflows/boring-open-awslc-bump.yml	Replaces complex version checking logic for BoringSSL, OpenSSL, and AWS-LC with standardized script calls

Copilot · 2025-08-06T00:27:05Z

.github/workflows/x509-limbo-version-bump.yml

      - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
        id: generate-token
        with:
          app_id: ${{ secrets.BORINGBOT_APP_ID }}
          private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }}
-        if: steps.check-sha-x509-limbo.outputs.COMMIT_SHA || steps.check-sha-wycheproof.outputs.COMMIT_SHA
+        if: steps.bump-x509-limbo.outputs.HAS_UPDATES == 'true' || steps.bump-wycheproof.outputs.HAS_UPDATES == 'true'


The condition should be consistent with line 59. Either both should check for 'true' string or both should use boolean evaluation without explicit string comparison.

Copilot · 2025-08-06T00:27:05Z

.github/workflows/boring-open-awslc-bump.yml

      - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
        id: generate-token
        with:
          app_id: ${{ secrets.BORINGBOT_APP_ID }}
          private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }}
-        if: steps.check-sha-boring.outputs.COMMIT_SHA || steps.check-sha-openssl.outputs.COMMIT_SHA || steps.check-tag-aws-lc.outputs.NEW_TAG
+        if: steps.bump-boringssl.outputs.HAS_UPDATES == 'true' || steps.bump-openssl.outputs.HAS_UPDATES == 'true' || steps.bump-awslc.outputs.HAS_UPDATES == 'true'


The condition should be consistent with line 74. Either both should check for 'true' string or both should use boolean evaluation without explicit string comparison.

alex requested a review from Copilot August 6, 2025 00:26

Copilot AI reviewed Aug 6, 2025

View reviewed changes

Introduce a script for doing GHA pin bumps

13d1e06

alex force-pushed the bump-refactoring branch from 8e5ff14 to 13d1e06 Compare August 6, 2025 00:44

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Introduce a script for doing GHA pin bumps #13251

Introduce a script for doing GHA pin bumps #13251

Uh oh!

alex commented Aug 6, 2025

Uh oh!

Copilot AI left a comment

Uh oh!

Copilot AI Aug 6, 2025

Uh oh!

Copilot AI Aug 6, 2025

Uh oh!

Uh oh!

Introduce a script for doing GHA pin bumps #13251

Are you sure you want to change the base?

Introduce a script for doing GHA pin bumps #13251

Uh oh!

Conversation

alex commented Aug 6, 2025

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull Request Overview

Reviewed Changes

Uh oh!

Copilot AI Aug 6, 2025

Choose a reason for hiding this comment

Uh oh!

Copilot AI Aug 6, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!