From 15a0b07b2c5b16e38eedf0d25d507ff15d0cc583 Mon Sep 17 00:00:00 2001
From: Weimin Yu
Date: Mon, 18 May 2026 12:09:29 -0400
Subject: [PATCH 1/2] Add a reminder to run update_dependency After the public-access removal from GCS buckets, the Kokoro tests can no longer use our private repo for resolve dependencies. And breakage is discovered only during build. This PR lets Github to create review comment, which triggers on PRs that contain *.lockfile changes and asks the PR author to confirm that the update_dependency script has been executed.
---
 .../workflows/update-dependency-reminder.yml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 .github/workflows/update-dependency-reminder.yml
diff --git a/.github/workflows/update-dependency-reminder.yml b/.github/workflows/update-dependency-reminder.yml
new file mode 100644
index 00000000000..55f6623f069
--- /dev/null
+++ b/.github/workflows/update-dependency-reminder.yml
@@ -0,0 +1,37 @@
+name: "Remind to run update_dependency.sh"
+
+on:
+ pull_request:
+ branches: ["master"]
+ types: [opened, synchronize, reopened]
+
+jobs:
+ review-lockfiles:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ contents: read
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Check for changed lockfiles
+ id: changed-files
+ uses: tj-actions/changed-files@v45
+ with:
+ files: |
+ **/*.lockfile
+
+ - name: Post unresolved review comment
+ if: steps.changed-files.outputs.any_changed == 'true'
+ uses: actions/github-script@v7
+ with:
+ script: |
+ github.rest.pulls.createReview({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: context.payload.pull_request.number,
+ event: 'COMMENT',
+ body: `### ⚠️ Attention Required: Lockfile Detected\nThis pull request contains modifications to one or more \`*.lockfile\` files. Please confirm that you have run update_dependency.sh to push new dependencies to the private repo.\n\n_The PR author must manually mark this conversation as resolved before merging._`
+ })
From f2912a9e10f1f63ac33f0f6766a04abe6aaeadd1 Mon Sep 17 00:00:00 2001
From: Weimin Yu
Date: Mon, 18 May 2026 12:14:58 -0400
Subject: [PATCH 2/2] Mock change
---
 .github/workflows/lockfile-comment.yml | 46 +++++++++++++++++++
 .github/workflows/lockfile-scan.yml | 33 +++++++++++++
 .../workflows/update-dependency-reminder.yml | 37 ---------------
 .../update-dependency-reminder.ymlname: | 0
 gradle.lockfile | 1 +
 5 files changed, 80 insertions(+), 37 deletions(-)
 create mode 100644 .github/workflows/lockfile-comment.yml
 create mode 100644 .github/workflows/lockfile-scan.yml
 delete mode 100644 .github/workflows/update-dependency-reminder.yml
 create mode 100644 .github/workflows/update-dependency-reminder.ymlname:
diff --git a/.github/workflows/lockfile-comment.yml b/.github/workflows/lockfile-comment.yml
new file mode 100644
index 00000000000..293ff6e74d7
--- /dev/null
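Review bot: `uses: tj-actions/changed-files@v45` in `update-dependency-reminder.yml` (PATCH 1/2) references a third-party action by a mutable tag, in a job whose token has `pull-requests: write`; whoever can move that tag decides what code runs in the job. Tags of this particular action were retargeted during a 2025 supply-chain compromise, so pin it to a full commit SHA with the version kept as a trailing comment, e.g. `uses: tj-actions/changed-files@<full-commit-sha> # v45`. The same tag reference appears in `lockfile-scan.yml` in PATCH 2/2, and `actions/checkout@v4`, `actions/github-script@v7` and the artifact actions would benefit from the same treatment.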
+++ b/.github/workflows/lockfile-comment.yml
@@ -0,0 +1,46 @@
+# If dependencies change, add a comment to remind the author.
+name: Request Lockfile Review
+
+on:
+ workflow_run:
+ workflows: ["Lockfile Scan"]
+ types:
+ - completed
+
+jobs:
+ comment:
+ # Ensure the scanning workflow actually succeeded before doing anything
+ if: github.event.workflow_run.conclusion == 'success'
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ steps:
+ - name: Download artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: lockfile-scan-results
+ path: ./results
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ run-id: ${{ github.event.workflow_run.id }}
+
+ - name: Post unresolved review comment
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const fs = require('fs');
+
+ const anyChanged = fs.readFileSync('./results/any_changed.txt', 'utf8').trim();
+ if (anyChanged !== 'true') {
+ console.log('No lockfiles were changed. Skipping comment.');
+ return;
+ }
+
+ const prNumber = fs.readFileSync('./results/pr_number.txt', 'utf8').trim();
+
+ await github.rest.pulls.createReview({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ pull_number: parseInt(prNumber, 10),
+ event: 'COMMENT',
+ body: `### ⚠️ Attention Required: Lockfile Detected\nThis pull request contains modifications to one or more \`*.lockfile\` files. Please confirm that you have run update_dependency.sh to push new dependencies to the private repo.\n\n_The PR author must manually mark this conversation as resolved before merging._`
+ });
diff --git a/.github/workflows/lockfile-scan.yml b/.github/workflows/lockfile-scan.yml
new file mode 100644
index 00000000000..67686b85e54
--- /dev/null
+++ b/.github/workflows/lockfile-scan.yml
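Review bot: The `Post unresolved review comment` step in `lockfile-comment.yml` takes `pull_number` from `./results/pr_number.txt`, an artifact written by a workflow that runs on pull-request code, while this job holds a `pull-requests: write` token. `parseInt` keeps the value numeric, but nothing ties the number to the run that triggered this job, so the artifact has to be treated as untrusted input that can name any pull request in the repository. Validate the number and confirm that the pull request's head commit equals `context.payload.workflow_run.head_sha` before posting, as sketched below. Adding `github.event.workflow_run.event == 'pull_request'` to the job's `if:` would narrow the trigger further.

```yaml
          script: |
            // … unchanged: fs require and any_changed check …
            const prNumber = Number.parseInt(
              fs.readFileSync('./results/pr_number.txt', 'utf8').trim(), 10);
            if (!Number.isSafeInteger(prNumber) || prNumber <= 0) {
              core.setFailed('pr_number.txt does not contain a valid pull request number');
              return;
            }
            // Bind the artifact's PR number to the commit the scan actually ran on.
            const { data: pr } = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: prNumber,
            });
            if (pr.head.sha !== context.payload.workflow_run.head_sha) {
              core.setFailed('Pull request head does not match the scanned commit');
              return;
            }
            // … unchanged: createReview call, with pull_number: prNumber …
```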
@@ -0,0 +1,33 @@
+# Scan for Gradle dependency changes in PR
+name: Lockfile Scan
+
+on:
+ pull_request:
+ branches: ["master"]
+ types: [opened, synchronize, reopened]
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Check for changed lockfiles
+ id: changed-files
+ uses: tj-actions/changed-files@v45
+ with:
+ files: |
+ **/*.lockfile
+
+ - name: Save scan results
+ run: |
+ mkdir -p ./results
+ echo "${{ steps.changed-files.outputs.any_changed }}" > ./results/any_changed.txt
+ echo "${{ github.event.pull_request.number }}" > ./results/pr_number.txt
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: lockfile-scan-results
+ path: ./results/
diff --git a/.github/workflows/update-dependency-reminder.yml b/.github/workflows/update-dependency-reminder.yml
deleted file mode 100644
index 55f6623f069..00000000000
--- a/.github/workflows/update-dependency-reminder.yml
+++ /dev/null
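Review bot: The `scan` job in `lockfile-scan.yml` declares no `permissions:`, so its token falls back to the repository default, whereas the workflow it replaces scoped the job explicitly. The job only checks out code and uploads an artifact, so add `permissions:` with `contents: read` under `scan:` (plus `pull-requests: read` if the changed-files action turns out to query the API). In `Save scan results`, the two `${{ … }}` expressions are expanded into the shell script text; both are a boolean and a number here, but passing them through `env:` and writing `echo "$ANY_CHANGED" > ./results/any_changed.txt` keeps the step safe if a string-valued output is ever added.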
@@ -1,37 +0,0 @@ -name: "Remind to run update_dependency.sh" - -on: - pull_request: - branches: ["master"] - types: [opened, synchronize, reopened] - -jobs: - review-lockfiles: - runs-on: ubuntu-latest - permissions: - pull-requests: write - contents: read - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Check for changed lockfiles - id: changed-files - uses: tj-actions/changed-files@v45 - with: - files: | - **/*.lockfile - - - name: Post unresolved review comment - if: steps.changed-files.outputs.any_changed == 'true' - uses: actions/github-script@v7 - with: - script: | - github.rest.pulls.createReview({ - owner: context.repo.owner, - repo: context.repo.repo, - pull_number: context.payload.pull_request.number, - event: 'COMMENT', - body: `### ⚠️ Attention Required: Lockfile Detected\nThis pull request contains modifications to one or more \`*.lockfile\` files. Please confirm that you have run update_dependency.sh to push new dependencies to the private repo.\n\n_The PR author must manually mark this conversation as resolved before merging._` - }) diff --git a/.github/workflows/update-dependency-reminder.ymlname: b/.github/workflows/update-dependency-reminder.ymlname: new file mode 100644 index 00000000000..e69de29bb2d diff --git a/gradle.lockfile b/gradle.lockfile index a16fde029c1..6ba4e239592 100644 --- a/gradle.lockfile +++ b/gradle.lockfile @@ -1,6 +1,7 @@ # This is a Gradle generated file for dependency locking. # Manual edits can break the build and are not advised. # This file is expected to be part of source control. +# com.google.code.findbugs:jsr305:3.0.2=checkstyle com.google.errorprone:error_prone_annotations:2.36.0=checkstyle com.google.guava:failureaccess:1.0.3=checkstyle
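Review bot: PATCH 2/2 creates an empty file named `.github/workflows/update-dependency-reminder.ymlname:` (blob `e69de29bb2d`, no content), which looks like an accidental leftover from renaming the workflow. It sits in the workflows directory, and the colon in its name cannot be checked out on Windows file systems, so drop it from the commit. The `#` line added to `gradle.lockfile` appears to exist only to exercise the new workflows ("Mock change") and presumably should not be merged either.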