Skip to content

Add updater workflow #41

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Hazmi35 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add updater workflow #41

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
93 changes: 93 additions & 0 deletions .github/workflows/update-cloudflared-version.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
name: update-cloudflared-version

on:
schedule:
- cron: '17 */6 * * *'
workflow_dispatch:

permissions:
contents: write
pull-requests: write

jobs:
update-version:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Resolve latest cloudflared release tag
id: release
uses: actions/github-script@v7
with:
script: |
const release = await github.rest.repos.getLatestRelease({
owner: 'cloudflare',
repo: 'cloudflared'
});

if (!release?.data?.tag_name) {
core.setFailed('Failed to resolve cloudflared release tag');
return;
}

core.setOutput('latest_tag', release.data.tag_name);

Comment on lines +24 to +35
Copy link

Copilot AI Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The github.rest.repos.getLatestRelease() API call can throw an exception (e.g., an HTTP 404 if there are no releases, or a network error), which would cause the step to fail with an unhandled error rather than a clean core.setFailed message. The if (!release?.data?.tag_name) guard only handles cases where the call succeeds but returns unexpected data — it doesn't catch errors thrown during the API call. Wrapping the call in a try/catch block and calling core.setFailed(error.message) in the catch handler would make error handling more robust and the failure message more informative.

Suggested change
const release = await github.rest.repos.getLatestRelease({
owner: 'cloudflare',
repo: 'cloudflared'
});
if (!release?.data?.tag_name) {
core.setFailed('Failed to resolve cloudflared release tag');
return;
}
core.setOutput('latest_tag', release.data.tag_name);
try {
const release = await github.rest.repos.getLatestRelease({
owner: 'cloudflare',
repo: 'cloudflared'
});
if (!release?.data?.tag_name) {
core.setFailed('Failed to resolve cloudflared release tag');
return;
}
core.setOutput('latest_tag', release.data.tag_name);
} catch (error) {
core.setFailed(error && error.message ? error.message : String(error));
}

Copilot uses AI. Check for mistakes.
- name: Update CLOUDFLARED_VERSION in docker-bake.hcl
id: update
env:
LATEST_TAG: ${{ steps.release.outputs.latest_tag }}
run: |
set -euo pipefail
current_version="$(awk '
BEGIN { in_block = 0 }
/^variable "CLOUDFLARED_VERSION" \{/ { in_block = 1; next }
in_block && /^[[:space:]]*default = "/ {
gsub(/^[[:space:]]*default = "/, "")
gsub(/"$/, "")
print
exit
}
' docker-bake.hcl)"

if [ -z "$current_version" ]; then
echo "Unable to parse current CLOUDFLARED_VERSION from docker-bake.hcl"
exit 1
fi

if [ "$current_version" = "$LATEST_TAG" ]; then
echo "No update needed. Already at $current_version"
echo "changed=false" >> "$GITHUB_OUTPUT"
exit 0
fi

awk -v latest="$LATEST_TAG" '
BEGIN { in_block = 0 }
/^variable "CLOUDFLARED_VERSION" \{/ { in_block = 1 }
in_block && /^[[:space:]]*default = "/ {
sub(/"[^"]+"/, "\"" latest "\"")
in_block = 0
}
{ print }
' docker-bake.hcl > docker-bake.hcl.tmp

mv docker-bake.hcl.tmp docker-bake.hcl

echo "changed=true" >> "$GITHUB_OUTPUT"
echo "current_version=$current_version" >> "$GITHUB_OUTPUT"
echo "new_version=$LATEST_TAG" >> "$GITHUB_OUTPUT"
Comment on lines +76 to +78
Copy link

Copilot AI Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Writing externally controlled values directly into $GITHUB_OUTPUT using echo "key=$value" is a known GitHub Actions security concern. If $LATEST_TAG or $current_version contains a newline character (e.g., a maliciously crafted release tag), it could inject additional key=value pairs into $GITHUB_OUTPUT, potentially influencing downstream steps. The recommended mitigation is to use a multi-line delimiter approach with a random delimiter (the EOF pattern using $GITHUB_OUTPUT with heredoc syntax), for example:

echo "new_version<<EOF
$LATEST_TAG
EOF" >> "$GITHUB_OUTPUT"

But more practically, since these values should be single-line version strings, adding an explicit newline/whitespace check before writing would be a sufficient guard.

Copilot uses AI. Check for mistakes.

- name: Create pull request
if: steps.update.outputs.changed == 'true'
uses: peter-evans/create-pull-request@v6
with:
branch: chore/update-cloudflared-${{ steps.update.outputs.new_version }}
commit-message: "chore: update cloudflared to ${{ steps.update.outputs.new_version }}"
title: "chore: update cloudflared to ${{ steps.update.outputs.new_version }}"
body: |
Automated update of `CLOUDFLARED_VERSION` in `docker-bake.hcl`.

- Previous version: `${{ steps.update.outputs.current_version }}`
- New version: `${{ steps.update.outputs.new_version }}`

Source: `cloudflare/cloudflared` latest GitHub release tag.
Comment on lines +80 to +93
Copy link

Copilot AI Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When using the default GITHUB_TOKEN, pull requests created by peter-evans/create-pull-request will not trigger other GitHub Actions workflows (like docker-build.yml). This is a deliberate GitHub security restriction to prevent recursive workflow runs. Since the docker-build.yml workflow runs on every PR, the automated PR created by this workflow won't have CI checks run against it unless a person with write access closes and reopens the PR, or pushes a new commit to the branch. To make CI trigger automatically, a Personal Access Token (PAT) or a GitHub App token should be passed via the token parameter of this action.

Copilot uses AI. Check for mistakes.
Copy link
Owner

@Erisa Erisa Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you can bypass this by setting docker-build to also be triggerable by workflow dispatch and running gh workflow run on the branch after the PR is made

https://github.com/Erisa/Cliptok/blob/68f6651f3423b4f00b4e460b2794157ffe4530ff/.github/workflows/append-lists-txt.yml#L53

Loading