upgrade-python-patch-version.yml
name: Upgrade Python patch version

on:
  workflow_dispatch:
  schedule:
    # At 4AM on Tuesday (UTC) - runs after dependency updates on Monday
    - cron: "0 4 * * 2"

permissions: {}

jobs:
  upgrade_python_version:
    name: Upgrade Python patch version
    runs-on: ubuntu-latest
    permissions:
      id-token: write # This is required for getting the required OIDC token from GitHub
    environment:
      name: main
    steps:
      - uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
        id: octo-sts
        with:
          scope: DataDog/datadog-agent
          policy: self.upgrade-python-version.create-pr

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # credentials are needed to create the PR at the end of the workflow
          persist-credentials: true

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: '3.14'

      - name: Install dda
        uses: ./.github/actions/install-dda
        with:
          features: legacy-tasks

      - name: Update Python version
        id: update
        run: |
          # Get current version before update
          CURRENT_VERSION=$(dda inv python-version.get)
          echo "current_version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
          # Run update task (exits cleanly if already up-to-date)
          dda inv python-version.update
          # Check if files were modified
          if git diff --quiet; then
            echo "updated=false" >> $GITHUB_OUTPUT
            echo "No Python update available"
          else
            NEW_VERSION=$(dda inv python-version.get)
            NEW_VERSION_NO_DOTS=$(echo "$NEW_VERSION" | tr -d '.')
            echo "updated=true" >> $GITHUB_OUTPUT
            echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT
            echo "new_version_no_dots=$NEW_VERSION_NO_DOTS" >> $GITHUB_OUTPUT
            echo "Updated from $CURRENT_VERSION to $NEW_VERSION"
          fi

      - name: Create pull request
        if: steps.update.outputs.updated == 'true'
        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        with:
          token: ${{ steps.octo-sts.outputs.token }}
          sign-commits: true
          commit-message: "chore(deps): upgrade embedded Python patch version to ${{ steps.update.outputs.new_version }}"
          branch: bot/upgrade-python-patch-version-${{ steps.update.outputs.new_version }}
          title: "[automated] Upgrade embedded Python patch version to ${{ steps.update.outputs.new_version }}"
          body: |
            ### What does this PR do?
            Upgrades the Agent's embedded Python interpreter from **${{ steps.update.outputs.current_version }}** to **${{ steps.update.outputs.new_version }}** (patch version update).
            ### Changes
            - Updated `omnibus/config/software/python3.rb` with new version and SHA256
            - Updated `deps/cpython/cpython.MODULE.bazel` with new version and SHA256
            - Updated `test/new-e2e/tests/agent-platform/common/agent_behaviour.go` with expected version
            - Created release note documenting the upgrade
            ### Motivation
            Keep embedded Python up-to-date with bug fixes and security patches.
            ### Verification
            SHA256 hash automatically fetched and verified against the official Python.org SBOM file.
            See the [official Python release page](https://www.python.org/downloads/release/python-${{ steps.update.outputs.new_version_no_dots }}/) for details.
            ### Describe how you validated your changes
            CI is considered enough to validate changes.
          team-reviewers: agent-integrations
          labels: team/agent-integrations,changelog/no-changelog,ask-review