yarn-upgrade.yml

name: Yarn Upgrade

on:
  schedule:
    # At 04:04 every Monday
    - cron: 4 4 * * 1
  workflow_dispatch: {}

# We special-case @types/node because we want to stay on the current major (minimum supported node release)
# We special-case @types/fs-extra because the current major (9.x) is broken with @types/node >= 10
# We special-case typescript because it's not semantically versioned
# We special-case constructs because we want to stay in control of the minimum compatible version
# We special-case lerna because we have a patch on it that stops applying if Lerna upgrades. Remove this once https://github.com/lerna/lerna/pull/2874 releases.
# We special-case graphology-types because the newer version has type definitions that are not compatible with our typescript version.
# We special-case @types/prettier because the underlying TS types aren't supported by our TS version anymore since prettier v2.6.1

jobs:
  upgradeRoot:
    name: Yarn Upgrade Root
    permissions:
      contents: read
    runs-on: ubuntu-latest
    container:
      image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform
    steps:
      - name: Check Out
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Get yarn cache directory path
        id: global-cache-dir-path
        run: echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT
      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
        with:
          path: ${{ steps.global-cache-dir-path.outputs.dir }}
          key: yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-upgrade
          restore-keys: |
            yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-
            yarn-${{ runner.os }}-
      - name: ensure correct user
        run: chown -R root /__w/terraform-cdk
      - name: Install Tools
        run: |-
          npm -g install lerna npm-check-updates@^9.0.0
      - name: List Mono-Repo Packages
        id: list-packages
        # These need to be ignored from the `ncu` runs!
        run: |-
          echo "list=$(node -p "$(lerna ls --all --json 2>/dev/null).map(item => item.name).join(',')")" >> $GITHUB_OUTPUT
      - name: Run "ncu -u"
        run: |-
          # Upgrade dependencies at repository root
          ncu --upgrade --filter=@types/node,@types/fs-extra --target=minor
          ncu --upgrade --filter=typescript --target=patch
          ncu --upgrade --reject=@types/node,@types/fs-extra,constructs,typescript,lerna,@types/prettier --target=minor

      # This will ensure the current lockfile is up-to-date with the dependency specifications (necessary for "yarn upgrade" to run)
      - name: Run "yarn install"
        run: yarn install --prefer-offline

      # Next, create and upload the changes as a patch file. This will later be downloaded to create a pull request
      # Creating a pull request requires write permissions and it's best to keep write privileges isolated.
      - name: Create Patch
        run: |-
          git add .
          git diff --patch --staged > ./upgrade.patch
      - name: Upload Patch
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: upgrade.patch
          path: ./upgrade.patch

  prRoot:
    name: Create Pull Request Root
    needs: upgradeRoot
    runs-on: ubuntu-latest
    steps:
      - name: Check Out
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Download patch
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: upgrade.patch

      - name: Apply patch
        run: '[ -s ./upgrade.patch ] && git apply ./upgrade.patch || echo "Empty patch. Skipping."'

      - name: Remove patch file
        run: rm -f ./upgrade.patch

      - name: Make Pull Request
        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          # Git commit details
          branch: automation/yarn-upgrade
          commit-message: |-
            chore: npm-check-updates && yarn upgrade
            Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
          # Pull Request details
          title: "chore: npm-check-updates && yarn upgrade"
          body: |-
            Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
          labels: dependencies,auto-approve,ci/run-all
          team-reviewers: cdktf
          token: ${{ secrets.TERRAFORM_CDK_PUSH_GITHUB_TOKEN }}

  upgradePackage:
    name: Yarn Upgrade Package
    permissions:
      contents: read
    runs-on: ubuntu-latest
    container:
      image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform
    strategy:
      fail-fast: false
      matrix:
        pr: [
            { name: "cli", packages: ["cdktf-cli", "@cdktf/cli-core"] },
            # A dumb hack to make the resulting expansion expression work since { cdktf }
            # searches for the literal string, whereas { cdktf, cdktf } searches for either cdktf or cdktf
            { name: "lib", packages: ["cdktf", "cdktf"] },
            {
              name: "util",
              packages:
                [
                  "@cdktf/hcl2cdk",
                  "@cdktf/hcl2json",
                  "@cdktf/provider-schema",
                  "@cdktf/provider-generator",
                  "@cdktf/commons",
                ],
            },
            # Sometimes we are very lucky and all packages can be updated in one go
            # We should take the chance and spare us some rebases
            {
              name: "all",
              packages:
                [
                  "cdktf-cli",
                  "@cdktf/cli-core",
                  "cdktf",
                  "@cdktf/hcl2cdk",
                  "@cdktf/hcl2json",
                  "@cdktf/provider-schema",
                  "@cdktf/provider-generator",
                  "@cdktf/commons",
                ],
            },
          ]
    steps:
      - name: Check Out
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Get yarn cache directory path
        id: global-cache-dir-path
        run: echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT
      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
        with:
          path: ${{ steps.global-cache-dir-path.outputs.dir }}
          key: yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-upgrade
          restore-keys: |
            yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-
            yarn-${{ runner.os }}-
      - name: ensure correct user
        run: chown -R root /__w/terraform-cdk
      - name: Install Tools
        run: |-
          npm -g install lerna npm-check-updates@^9.0.0
      - name: List Mono-Repo Packages
        id: list-packages
        # These need to be ignored from the `ncu` runs!
        run: |-
          echo "list=$(node -p "$(lerna ls --all --json 2>/dev/null).map(item => item.name).join(',')")" >> $GITHUB_OUTPUT
      - name: Run "ncu -u"
        run: |-
          # Upgrade all the packages
          lerna exec --scope='{${{ join(matrix.pr.packages, ',') }}}' ncu -- --upgrade --filter=@types/node,@types/fs-extra --target=minor
          lerna exec --scope='{${{ join(matrix.pr.packages, ',') }}}' ncu -- --upgrade --filter=typescript --target=patch
          lerna exec --scope='{${{ join(matrix.pr.packages, ',') }}}' ncu -- --upgrade --reject='@types/node,@types/fs-extra,constructs,typescript,graphology-types,jsii,jsii-pacmak,jsii-rosetta,jsii-docgen,codemaker,${{ steps.list-packages.outputs.list }}'  --target=minor
      # This will ensure the current lockfile is up-to-date with the dependency specifications (necessary for "yarn upgrade" to run)
      - name: Run "yarn install"
        run: yarn install --prefer-offline

      - name: Set git identity
        run: |-
          git config --global user.email "github-team-tf-cdk@hashicorp.com"
          git config --global user.name "team-tf-cdk"

      - name: Make Pull Request
        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          # Git commit details
          branch: automation/yarn-upgrade-${{ matrix.pr.name }}
          commit-message: |-
            chore: Upgrade dependencies for ${{matrix.pr.name}}
            Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
          # Pull Request details
          title: "chore: Upgrade dependencies for ${{matrix.pr.name}}"
          body: |-
            Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
            This PR touches the following packages:

            ${{ join(matrix.pr.packages, '\n -')}}

          labels: dependencies,auto-approve
          team-reviewers: cdktf
          token: ${{ secrets.TERRAFORM_CDK_PUSH_GITHUB_TOKEN }}
          author: team-tf-cdk <github-team-tf-cdk@hashicorp.com>

  upgradeJSII:
    name: Yarn Upgrade JSII
    permissions:
      contents: read
    runs-on: ubuntu-latest
    container:
      image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform
    steps:
      - name: Check Out
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Get yarn cache directory path
        id: global-cache-dir-path
        run: echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT
      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
        with:
          path: ${{ steps.global-cache-dir-path.outputs.dir }}
          key: yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-upgrade
          restore-keys: |
            yarn-${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}-
            yarn-${{ runner.os }}-
      - name: ensure correct user
        run: chown -R root /__w/terraform-cdk
      - name: Install Tools
        run: |-
          npm -g install lerna npm-check-updates@^9.0.0
      - name: List Mono-Repo Packages
        id: list-packages
        # These need to be ignored from the `ncu` runs!
        run: |-
          echo "list=$(node -p "$(lerna ls --all --json 2>/dev/null).map(item => item.name).join(',')")" >> $GITHUB_OUTPUT
      - name: Run "ncu -u"
        run: |-
          # Upgrade all the packages
          lerna exec ncu -- --upgrade --filter='jsii,jsii-pacmak,jsii-rosetta,jsii-docgen,codemaker,constructs' --target=minor
      # This will ensure the current lockfile is up-to-date with the dependency specifications (necessary for "yarn upgrade" to run)
      - name: Run "yarn install"
        run: yarn install --prefer-offline

      - name: Set git identity
        run: |-
          git config --global user.email "github-team-tf-cdk@hashicorp.com"
          git config --global user.name "team-tf-cdk"

      - name: Make Pull Request
        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          # Git commit details
          branch: automation/yarn-upgrade-jsii
          commit-message: |-
            chore: Upgrade dependencies for JSII
            Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
          # Pull Request details
          title: "chore: Upgrade dependencies for JSII"
          body: |-
            Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
            This PR updates JSII across all packages.

          labels: dependencies,auto-approve
          team-reviewers: cdktf
          token: ${{ secrets.TERRAFORM_CDK_PUSH_GITHUB_TOKEN }}
          author: team-tf-cdk <github-team-tf-cdk@hashicorp.com>