From 6b9b66d6f90dfbf3e390320ba7ce48abfda4b709 Mon Sep 17 00:00:00 2001
From: "Michael B. Gale"
Date: Mon, 23 Jun 2025 12:31:06 +0100
Subject: [PATCH] Add workflow for updating release used by `start-proxy`
---
 .github/workflows/update-proxy-release.yml | 72 ++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 .github/workflows/update-proxy-release.yml
diff --git a/.github/workflows/update-proxy-release.yml b/.github/workflows/update-proxy-release.yml
new file mode 100644
index 000000000..b62074228
--- /dev/null
+++ b/.github/workflows/update-proxy-release.yml
@@ -0,0 +1,72 @@
+name: Update dependency proxy release assets
+on:
+ workflow_dispatch:
+ inputs:
+ tag:
+ description: "The tag of CodeQL Bundle release that contains the proxy binaries as release assets"
+ type: string
+ required: true
+
+jobs:
+ update:
+ name: Update code and create PR
+ timeout-minutes: 15
+ runs-on: macos-latest
+ permissions:
+ contents: write # needed to push the updated files
+ pull-requests: write # needed to create the PR
+ steps:
+ - name: Install Node
+ uses: actions/setup-node@v4
+
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # ensure we have all tags and can push commits
+
+ - name: Update git config
+ shell: bash
+ run: |
+ git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git config --global user.name "github-actions[bot]"
+
+ - name: Update release tag and version
+ shell: bash
+ run: |
+ NOW=$(date +"%Y%m%d%H%M%S") # only used to make sure we don't fetch stale binaries from the toolcache
+ sed -i '' 's|https://github.com/github/codeql-action/releases/download/codeql-bundle-[0-9.]*/|https://github.com/github/codeql-action/releases/download/${{ inputs.tag }}/|g' ./src/start-proxy-action.ts
+ sed -i '' "s/\"v2.0.[0-9]*\"/\"v2.0.$NOW\"/g" ./src/start-proxy-action.ts
+
+ - name: Push changes and open PR
+ shell: bash
+ env:
+ BRANCH: "dependency-proxy/${{ inputs.tag }}"
+ GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ run: |
+ set -exu
+ pr_title="Update release used by `start-proxy` to ${{ inputs.tag }}"
+ pr_body=$(cat << EOF
+ This PR updates the `start-proxy` action to use the private registry proxy binaries that
+ are attached as release assets to the `${{ inputs.tag }}` release.
+
+
+ Please do the following before merging:
+
+ - [ ] Verify that the changes to the code are correct.
+ EOF
+ )
+
+ git checkout -b "$BRANCH"
+
+ npm run build
+ git add ./src/start-proxy-action.ts
+ git add ./lib
+ git commit -m "$pr_title"
+
+ git push origin "$BRANCH"
+ gh pr create \
+ --head "$BRANCH" \
+ --base "main" \
+ --title "${pr_title}" \
+ --body "${pr_body}" \
+ --draft
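Review bot: `${{ inputs.tag }}` is expanded into the script text of both `run:` blocks (the first `sed` expression, `pr_title` and the PR-body heredoc) before bash parses them, so the tag value is treated as shell and sed syntax rather than data, in a job that holds `contents: write` and `pull-requests: write`. Pass the input through `env:` and reference `"$TAG"` instead, after checking it against an allow-list of characters (tighten the pattern if the bundle tag format is fixed). Separately, the backticks around `start-proxy` in the double-quoted `pr_title` and in the unquoted `<< EOF` heredoc are command substitutions; under `set -exu` the assignment will most likely abort the step unless a command of that name exists on the runner, so they need escaping. The fence shows only the changed lines of the last two steps.

```yaml
      - name: Update release tag and version
        # … unchanged: shell …
        env:
          TAG: "${{ inputs.tag }}"
        run: |
          # Refuse anything that could alter the sed expression or the shell command.
          if [[ ! "$TAG" =~ ^[A-Za-z0-9._-]+$ ]]; then
            echo "Unexpected characters in tag: $TAG" >&2
            exit 1
          fi
          # … unchanged: NOW assignment …
          sed -i '' "s|https://github.com/github/codeql-action/releases/download/codeql-bundle-[0-9.]*/|https://github.com/github/codeql-action/releases/download/$TAG/|g" ./src/start-proxy-action.ts
          # … unchanged: version sed …

      - name: Push changes and open PR
        # … unchanged: shell …
        env:
          TAG: "${{ inputs.tag }}"
          # … unchanged: BRANCH, GITHUB_TOKEN …
        run: |
          set -exu
          pr_title="Update release used by \`start-proxy\` to $TAG"
          pr_body=$(cat << EOF
          This PR updates the \`start-proxy\` action to use the private registry proxy binaries that
          are attached as release assets to the \`$TAG\` release.
          # … unchanged: checklist, EOF, git and gh commands …
```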