ci: use submodules, add dependabot, automatically update (#49)

* wip

* wip

* remove clone

* ci: update

Files changed:
M	src/pomerium/pb/routes_pb2.py
M	src/pomerium/pb/routes_pb2.pyi
M	src/pomerium/pb/settings_pb2.py
M	src/pomerium/pb/settings_pb2.pyi

* wip

* multiple python versions

* more python versions

* use dependencies

* checkout

* remove test

* set python version, only for dependabot

* always run test

* always run update

* only commit if dependabot

* update makefile

* add CODEOWNERS

* rename generate

* wip

* install

* add dependabot job

* update

* always install

---------

Co-authored-by: calebdoxsey <calebdoxsey@users.noreply.github.com>

Author: calebdoxsey

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @pomerium/dev-backend

.github/dependabot.yaml

@@ -1,5 +1,15 @@
 version: 2
 updates:
+  - package-ecosystem: "gitsubmodule"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    groups:
+      gitsubmodule:
+        patterns:
+          - "*"
+        exclude-patterns:
+          - "deps/github.com/pomerium/*"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:

.github/workflows/build.yaml

@@ -0,0 +1,16 @@
+name: Build
+
+on:
+  pull_request:
+    branches-ignore:
+      - "dependabot/**"
+  push:
+    branches:
+      - "main"
+
+jobs:
+  build:
+    name: Build
+    uses: ./.github/workflows/reusable-build.yaml
+    with:
+      ref: ${{ github.head_ref }}

.github/workflows/dependabot.yaml

@@ -0,0 +1,34 @@
+name: Dependabot
+
+on:
+  pull_request:
+    branches:
+      - "dependabot/**"
+
+jobs:
+  generate:
+    name: Generate
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        with:
+          ref: ${{ github.head_ref }}
+          submodules: "true"
+          token: ${{ secrets.APPARITOR_GITHUB_TOKEN }}
+
+      - name: Generate
+        run: make generate
+
+      - name: Commit
+        uses: devops-infra/action-commit-push@e6a24fad602d1f92e46432c89a7e0c7fdd45d62d
+        with:
+          github_token: ${{ secrets.APPARITOR_GITHUB_TOKEN }}
+          commit_message: "dependabot: generate"
+
+  build:
+    name: Build
+    needs: generate
+    uses: ./.github/workflows/reusable-build.yaml
+    with:
+      ref: ${{ github.head_ref }}

.github/workflows/reusable-build.yaml

@@ -0,0 +1,28 @@
+name: Build
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        with:
+          ref: ${{ inputs.ref }}
+
+      - name: Setup Python
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Test
+        run: make test

.github/workflows/test.yaml

@@ -0,0 +1,42 @@
+name: Update Pomerium
+
+on:
+  schedule:
+    - cron: "40 1 * * *"
+  workflow_dispatch:
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        with:
+          submodules: "true"
+          token: ${{ secrets.APPARITOR_GITHUB_TOKEN }}
+
+      - name: Update Pomerium
+        run: make update-pomerium
+
+      - name: Generate
+        run: make generate
+
+      - name: Check for changes
+        id: git-diff
+        run: |
+          git config --global user.email "apparitor@users.noreply.github.com"
+          git config --global user.name "GitHub Actions"
+          git add deps/github.com/pomerium
+          git diff --cached --exit-code || echo "changed=true" >> $GITHUB_OUTPUT
+
+      - name: Create Pull Request
+        if: ${{ steps.git-diff.outputs.changed }} == 'true'
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e
+        with:
+          author: GitHub Actions <apparitor@users.noreply.github.com>
+          body: "This PR updates Pomerium Dependencies"
+          commit-message: "ci: update pomerium dependencies"
+          delete-branch: true
+          labels: ci
+          title: "ci: update pomerium dependencies"
+          token: ${{ secrets.APPARITOR_GITHUB_TOKEN }}

.github/workflows/update-pomerium.yaml

@@ -146,5 +146,3 @@ cython_debug/
 # End of https://www.toptal.com/developers/gitignore/api/python
 
 # Custom rules (everything added below won't be overriden by 'Generate .gitignore File' if you use 'Update' option)
-
-deps/

.gitignore

@@ -0,0 +1,12 @@
+[submodule "deps/github.com/pomerium/enterprise-client"]
+	path = deps/github.com/pomerium/enterprise-client
+	url = git@github.com:pomerium/enterprise-client
+[submodule "deps/github.com/envoyproxy/protoc-gen-validate"]
+	path = deps/github.com/envoyproxy/protoc-gen-validate
+	url = git@github.com:envoyproxy/protoc-gen-validate
+[submodule "deps/github.com/census-instrumentation/opencensus-proto"]
+	path = deps/github.com/census-instrumentation/opencensus-proto
+	url = git@github.com:census-instrumentation/opencensus-proto
+[submodule "deps/github.com/open-telemetry/opentelemetry-proto"]
+	path = deps/github.com/open-telemetry/opentelemetry-proto
+	url = git@github.com:open-telemetry/opentelemetry-proto

.gitmodules

@@ -1,19 +1,29 @@
 PYTHON:=python3
 
 .PHONY: all
-all: test pkg
+all: generate test pkg
 
 .PHONY: pkg
-pkg:
+pkg: install
 	@echo "==> $@"
+	$(PYTHON) -m pip install build
 	$(PYTHON) -m build .
 
-.PHONY: update
-update:
+.PHONY: generate
+generate: install
 	@echo "==> $@"
-	@scripts/update
+	@scripts/generate
+
+.PHONY: install
+install:
+	$(PYTHON) -m pip install .
 
 .PHONY: test
-test:
+test: install
 	@echo "==> $@"
 	PYTHONPATH=src/ $(PYTHON) -m unittest discover -s src -v
+
+.PHONY: update-pomerium
+update-pomerium:
+	@echo "==> $@"
+	git submodule update --remote deps/github.com/pomerium