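#!/bin/bash
#
# Dependency update check, run by the CI pipeline.
#
#   1. Runs pip-audit against the current Poetry environment and records any
#      findings.
#   2. Runs `poetry update` and records whether poetry.lock changed.
#
# A Markdown summary is written to $SUMMARY_FILE (default
# /tmp/update_summary.md; override via the environment).
#
# Exit codes — the pipeline uses them to decide whether to open an MR:
#   0  nothing to report: no vulnerabilities and poetry.lock unchanged
#   1  vulnerabilities found and/or packages updated -> MR needed
#   2  a tool failed (pip-audit or poetry could not complete). Kept distinct
#      from 1 so a broken run is never mistaken for "changes found".
#
# Must run from the project root (where poetry.lock lives) inside a git
# checkout: the "updated packages" list is derived from `git diff poetry.lock`.
set -euo pipefail

SUMMARY_FILE="${SUMMARY_FILE:-/tmp/update_summary.md}"
LOCK_FILE="poetry.lock"
CHANGES_FOUND=0

# Report a fatal tool/setup error and exit 2 (see exit-code table above).
die() { printf 'update-check: %s\n' "$*" >&2; exit 2; }

[[ -f "$LOCK_FILE" ]] || die "$LOCK_FILE not found; run from the project root"

# Scratch file for the raw pip-audit report. mktemp instead of a fixed /tmp
# name so another local user cannot pre-create or symlink the path.
AUDIT_OUTPUT=$(mktemp) || die "mktemp failed"
cleanup() { rm -f -- "$AUDIT_OUTPUT"; }
trap cleanup EXIT

{
  printf '## Dependency update summary\n\n'
  printf 'Generated: %s\n\n' "$(date -u '+%Y-%m-%d %H:%M UTC')"
  printf '### Vulnerability scan\n\n'
} > "$SUMMARY_FILE"

# ── pip-audit: vulnerability scan ───────────────────────────────────────────
# NOTE(review): this audits the environment *before* `poetry update` runs
# below, so the summary reports vulnerabilities in the versions being replaced,
# not in the versions the MR would introduce. A second scan after the update
# would cover the new set — confirm which is intended before reordering.
AUDIT_EXIT=0
poetry run pip-audit --format markdown -o "$AUDIT_OUTPUT" 2>&1 || AUDIT_EXIT=$?

if (( AUDIT_EXIT != 0 )); then
  # A non-zero exit can mean either "vulnerabilities found" or "the audit
  # itself failed" (e.g. advisory service unreachable). Only the former leaves
  # a report in the output file; treat an empty/missing report as a tool
  # failure rather than silently turning it into a "changes found" result.
  [[ -s "$AUDIT_OUTPUT" ]] \
    || die "pip-audit failed (exit $AUDIT_EXIT) and produced no report"
  printf 'Vulnerabilities found:\n' >> "$SUMMARY_FILE"
  cat -- "$AUDIT_OUTPUT" >> "$SUMMARY_FILE"
  CHANGES_FOUND=1
else
  printf 'No vulnerabilities found.\n' >> "$SUMMARY_FILE"
fi

printf '\n### Outdated packages\n\n' >> "$SUMMARY_FILE"

# ── poetry update: check for outdated packages ──────────────────────────────
# Hex digest of a file; used to detect whether `poetry update` touched the lock.
checksum() { sha256sum -- "$1" | cut -d' ' -f1; }

BEFORE=$(checksum "$LOCK_FILE")

# --without pi: skips the "pi" dependency group. NOTE(review): presumably a
# deliberately excluded group — confirm the group name against pyproject.toml.
# A failure here (resolver error, network) exits 2, not 1, so the pipeline
# does not open an MR on a broken run.
poetry update --without pi 2>&1 || die "poetry update failed (exit $?)"

AFTER=$(checksum "$LOCK_FILE")

if [[ "$BEFORE" != "$AFTER" ]]; then
  {
    printf 'The following packages were updated:\n\n'
    # Summarise the lock-file diff. Match only `version = "..."` lines; a
    # looser `.*version` pattern also picks up `python-versions` constraints,
    # which are not package updates. grep exits 1 on no match, hence `|| true`.
    git diff -- "$LOCK_FILE" \
      | grep -E '^[+-]version = ' \
      | sed 's/^+/Updated: /;s/^-/Was: /' || true
  } >> "$SUMMARY_FILE"
  CHANGES_FOUND=1
else
  printf 'All packages are up to date.\n' >> "$SUMMARY_FILE"
fi

# 0 = nothing to do, 1 = MR needed (tool failures already exited with 2).
exit "$CHANGES_FOUND"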