Skip to content

feat(tools): add automated tool updater#12359

Open
DariuszPorowski wants to merge 5 commits into
mainfrom
fp/whole-takin-lime
Open

feat(tools): add automated tool updater#12359
DariuszPorowski wants to merge 5 commits into
mainfrom
fp/whole-takin-lime

Conversation

@DariuszPorowski

Copy link
Copy Markdown
Member

Description

This pull request adds an automated updater for Radius's external CLI tool versions and SHA-256 checksums.

The change:

  • Adds build/tools.yaml as the canonical tool manifest and commits the generated build/tools.generated.mk Make include.
  • Adds the tool-updater Go command with manifest validation, release-source checks, checksum refreshes, and Terraform version synchronization.
  • Adds the scheduled .github/workflows/update-tools.yaml workflow, which opens or updates a PR using the Dependabot-manager GitHub App credentials.
  • Preserves existing make install-<tool> targets and uses a stable bin/tool-updater path to avoid Windows temporary-executable elevation blocks.
  • Documents the manifest schema and supported values in internal/tooling/README.md.

Type of change

  • This pull request is a minor refactor, code cleanup, test improvement, or other maintenance task and doesn't change the functionality of Radius (issue link optional).

Fixes: #issue_number

Contributor checklist

  • An overview of proposed schema changes is included in a linked GitHub issue.
    • Yes
    • Not applicable
  • A design document is added or updated under eng/design-notes/ in this repository, if new APIs are being introduced.
    • Yes
    • Not applicable
  • The design document has been reviewed and approved by Radius maintainers/approvers.
    • Yes
    • Not applicable
  • A PR for resource-types-contrib is created, if resource types or recipes are affected by the changes in this PR.
    • Yes
    • Not applicable
  • A PR for dashboard is created, if the Radius Dashboard is affected by the changes in this PR.
    • Yes
    • Not applicable
  • A PR for the documentation repository is created, if the changes in this PR affect the documentation or any user facing updates are made.
    • Yes
    • Not applicable

Validation

  • go test ./internal/tooling ./cmd/tool-updater
  • go vet ./internal/tooling ./cmd/tool-updater
  • GitHub Actions actionlint
  • Markdown lint and table formatting

Copilot AI review requested due to automatic review settings July 9, 2026 20:06
@DariuszPorowski
DariuszPorowski requested review from a team as code owners July 9, 2026 20:06
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/checkout 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 🟢 7
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained🟢 1020 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Pinned-Dependencies⚠️ 3dependency not pinned by hash detected -- score normalized to 3
Packaging⚠️ -1packaging workflow not detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
SAST🟢 10SAST tool is run on all commits
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
actions/actions/create-github-app-token bcd2ba49218906704ab6c1aa796996da409d3eb1 🟢 6.1
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained🟢 1013 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
Code-Review⚠️ 2Found 3/14 approved changesets -- score normalized to 2
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies🟢 7dependency not pinned by hash detected -- score normalized to 7
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
SAST🟢 6SAST tool is not run on all commits -- score normalized to 6
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
actions/actions/setup-go 924ae3a1cded613372ab5595356fb5720e22ba16 🟢 5.2
Details
CheckScoreReason
Maintained⚠️ 23 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2
Code-Review🟢 10all changesets reviewed
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST🟢 9SAST tool is not run on all commits -- score normalized to 9
actions/raven-actions/bot-details ee8966a9ff6e7e42cbfc4a56b4ddb60a9d1b40a6 🟢 4.2
Details
CheckScoreReason
Maintained⚠️ 23 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2
Code-Review⚠️ 1Found 1/7 approved changesets -- score normalized to 1
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0

Scanned Files

  • .github/workflows/update-tools.yaml

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces a repository-wide mechanism to centrally pin, validate, and automatically refresh external CLI tool versions and SHA-256 checksums via a YAML manifest and a new Go-based updater, then wires it into Make and GitHub Actions.

Changes:

  • Adds build/tools.yaml as the canonical tool manifest and commits the generated build/tools.generated.mk include consumed by existing make install-<tool> targets.
  • Introduces cmd/tool-updater plus internal/tooling helpers to validate the manifest, check release sources, and refresh checksums/versions (including syncing Terraform consumer files).
  • Adds a scheduled update-tools GitHub Actions workflow to run make update-tools and open/update a PR using a GitHub App token.

Reviewed changes

Copilot reviewed 40 out of 40 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
pkg/recipes/terraform/version.go Updates comments to reflect tools manifest as the source of truth for Terraform pinning.
pkg/recipes/terraform/version_test.go Updates test comments to match the new compatibility-file/updater flow.
Makefile Reorders includes so tool metadata is available before build logic consumes it.
internal/tooling/updater.go Implements version/checksum refresh logic and HTTP retrieval with retry/backoff.
internal/tooling/updater_test.go Adds tests for version bumping, checksum refresh, and shared checksum-file caching.
internal/tooling/README.md Documents updater usage and the tools manifest schema/behavior.
internal/tooling/manifest.go Adds manifest schema, validation, template expansion, and file sync utilities.
internal/tooling/manifest_test.go Adds repository-manifest parsing and helper-function tests.
docs/contributing/contributing-code/contributing-code-shell-and-make/README.md Documents how contributors should manage external CLI pins via make update-tools.
cmd/tool-updater/main.go Adds CLI entrypoint for manifest update and Make include regeneration.
build/tools.yaml Adds the canonical tool manifest with sources, templates, assets, and checksums.
build/tools.mk Switches to consuming generated metadata and adds make update-tools + generator rules.
build/tools.generated.mk Adds committed generated Make metadata for tool versions and platform checksums.
build/scripts/install-yq.sh Updates comments to reflect tool data source as the manifest/generated include.
build/scripts/install-terraform.sh Updates comments to reflect tool data source as the manifest/generated include.
build/scripts/install-stern.sh Updates comments to reflect tool data source as the manifest/generated include.
build/scripts/install-shellcheck.sh Updates comments to reflect tool data source as the manifest/generated include.
build/scripts/install-oras.sh Updates comments to reflect tool data source as the manifest/generated include.
build/scripts/install-kubectl.sh Updates comments to reflect tool data source as the manifest/generated include.
build/scripts/install-kind.sh Updates comments to reflect tool data source as the manifest/generated include.
build/scripts/install-k3d.sh Updates comments to reflect tool data source as the manifest/generated include.
build/scripts/install-jq.sh Updates comments to reflect tool data source as the manifest/generated include.
build/scripts/install-helm.sh Updates comments to reflect tool data source as the manifest/generated include.
build/scripts/install-golangci-lint.sh Updates comments to reflect tool data source as the manifest/generated include.
build/scripts/install-dlv.sh Updates comments to reflect tool data source as the manifest/generated include.
build/scripts/install-dapr.sh Updates comments to reflect tool data source as the manifest/generated include.
build/scripts/install-bicep.sh Updates comments to reflect tool data source as the manifest/generated include.
build/generate.mk Removes unused CONTROLLER_TOOLS_VERSION variable.
build/build.mk Updates Terraform version wiring comments to reflect tool-metadata include loading.
.github/workflows/validate-installers.yaml Updates workflow comments to point at build/tools.yaml as pin source.
.github/workflows/validate-bicep.yaml Updates workflow comments to point at build/tools.yaml as pin source.
.github/workflows/update-tools.yaml Adds scheduled/manual workflow to run updater and open/update a PR via GitHub App token.
.github/workflows/unit-tests.yaml Updates workflow comments to point at build/tools.yaml as pin source.
.github/workflows/lint.yaml Updates workflow comments to point at build/tools.yaml as pin source.
.github/workflows/functional-test-noncloud.yaml Updates workflow comments to point at build/tools.yaml as pin source.
.github/workflows/functional-test-cloud.yaml Updates workflow comments to point at build/tools.yaml as pin source.
.github/workflows/copilot-setup-steps.yml Expands path triggers and updates comments to reference the manifest-based pins.
.github/workflows/build.yaml Updates workflow comments to point at build/tools.yaml as pin source.
.github/actions/create-kind-cluster/action.yaml Updates composite action comment to reference manifest-based pinning.
.devcontainer/post-create.sh Updates devcontainer post-create comments to reference manifest-based pinning.

Comment thread internal/tooling/README.md Outdated
Comment thread internal/tooling/manifest_test.go Outdated
Comment thread internal/tooling/manifest.go
Comment thread internal/tooling/manifest.go
@DariuszPorowski
DariuszPorowski force-pushed the fp/whole-takin-lime branch 3 times, most recently from 51f876b to 7d6e18b Compare July 9, 2026 20:36
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Unit Tests

    2 files  ±0    453 suites  ±0   7m 20s ⏱️ + 1m 21s
5 812 tests ±0  5 810 ✅ ±0  2 💤 ±0  0 ❌ ±0 
7 015 runs  ±0  7 013 ✅ ±0  2 💤 ±0  0 ❌ ±0 

Results for commit 0ab6a6d. ± Comparison against base commit 5cdab24.

♻️ This comment has been updated with latest results.

@codecov

codecov Bot commented Jul 9, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.32%. Comparing base (5cdab24) to head (0ab6a6d).

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #12359   +/-   ##
=======================================
  Coverage   53.32%   53.32%           
=======================================
  Files         756      756           
  Lines       49030    49030           
=======================================
  Hits        26146    26146           
  Misses      20454    20454           
  Partials     2430     2430           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@DariuszPorowski
DariuszPorowski force-pushed the fp/whole-takin-lime branch 3 times, most recently from fe5d5af to 3896335 Compare July 9, 2026 23:05
@DariuszPorowski
DariuszPorowski enabled auto-merge July 9, 2026 23:17
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Functional Tests - corerp-noncloud

180 tests   178 ✅  1h 21m 42s ⏱️
  3 suites    2 💤
  1 files      0 ❌

Results for commit 0ab6a6d.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Functional Tests - upgrade-noncloud

3 tests   3 ✅  3m 35s ⏱️
1 suites  0 💤
1 files    0 ❌

Results for commit 0ab6a6d.

♻️ This comment has been updated with latest results.

@DariuszPorowski DariuszPorowski linked an issue Jul 10, 2026 that may be closed by this pull request
1 task
@willdavsmith
willdavsmith self-requested a review July 13, 2026 18:20
- Implemented a new updater for managing tool versions and checksums in the manifest.
- Added functionality to retrieve the latest version and checksum from various sources.
- Created tests to ensure the updater correctly refreshes versions and checksums.
- Introduced a new HTTP client for making requests to version sources.
- Updated the Terraform version handling to synchronize with the manifest.
- Added tests to verify the correctness of version and checksum updates.
- Ensured that comments and documentation reflect the new functionality and structure.

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>
Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>
Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 40 out of 40 changed files in this pull request and generated 1 comment.

Comment thread .github/workflows/update-tools.yaml Outdated
@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown

Functional Tests - ucp-cloud

4 tests   4 ✅  33s ⏱️
1 suites  0 💤
1 files    0 ❌

Results for commit 90597c2.

♻️ This comment has been updated with latest results.

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown

Functional Tests - corerp-cloud

30 tests   29 ✅  20m 31s ⏱️
 2 suites   1 💤
 1 files     0 ❌

Results for commit 90597c2.

♻️ This comment has been updated with latest results.

…retrieval

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>
@radius-functional-tests

radius-functional-tests Bot commented Jul 14, 2026

Copy link
Copy Markdown

Radius functional test overview

🔍 Go to test action run

Click here to see the test run details
Name Value
Repository radius-project/radius
Commit ref 0ab6a6d
Unique ID func0d1e93cd80
Image tag pr-func0d1e93cd80
  • Dapr: 1.14.4
  • Azure KeyVault CSI driver: 1.4.2
  • Azure Workload identity webhook: 1.3.0
  • Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-func0d1e93cd80
  • Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
  • applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-func0d1e93cd80
  • dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-func0d1e93cd80
  • controller test image location: ghcr.io/radius-project/dev/controller:pr-func0d1e93cd80
  • ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-func0d1e93cd80
  • deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting corerp-cloud functional tests...
⌛ Starting ucp-cloud functional tests...
✅ ucp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded

make update-tools
```

Make builds the updater into `bin/` before executing it. This stable path is important on Windows, where security software may block the temporary executable created by `go run`.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Commands section is ambiguous about which target does what, and it doesn't mention the make install-<tool> targets at all — so a reader can't tell "update the pinned versions" from "install a tool locally." Suggest spelling out the two distinct workflows:

  • make update-tools — checks each tool's release source and advances its pinned version in build/tools.yaml to the latest available release (tools marked update: false stay pinned), recomputes the SHA-256 checksums, regenerates the committed build/tools.generated.mk, and syncs the Terraform versionFiles. It reaches the network and edits files; it does not install anything onto your machine.
  • make install-<tool> (e.g. make install-yq, make install-kubectl) — downloads and installs that tool's pinned version into a user-owned bin dir, using the metadata from the generated include. This is the one to run when you actually want the binary.

A one-line note that make update-tools also regenerates build/tools.generated.mk as a side effect (there's no separate "regenerate" make target — the generate-make subcommand shown below is the binary-level equivalent) would remove the last bit of ambiguity.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Put tool and framework versions in one place

3 participants