From 37c8b514bcf082bf980dd2e2cdf8253f0bdb10d6 Mon Sep 17 00:00:00 2001
From: Michal Sojka
Date: Sun, 2 Mar 2025 19:07:41 +0100
Subject: [PATCH] workflows: Automatically update ament_vendor metadata after running superflore The update workflow is updated as follows: Instead of running just superflore, we run: 1. superflore --dry-run ... 2. maintainers/scripts/update-ament-vendor.sh && git commit 3. superflore --pr-only ... The first command updates the overlay as before, but does not submit a PR. The second step updates ament_vendor metadata according to the updated overlay and the third command creates the PR with all updates. I tried to make the step 2 as fast and efficient as possible, but it may happen that it will run for long time (about 1 hour in my testing). The reason is that, for example, if gz-msgs-vendor package gets updated, the update of other vendored packages depending on it, e.g., gz-sim-vendor, will have to build the updated gz-msgs-vendor, because it is not yet in the cachix cache.
---
 .github/workflows/update.yaml | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/update.yaml b/.github/workflows/update.yaml
index 5a233fc0cc..93629d992a 100644
--- a/.github/workflows/update.yaml
+++ b/.github/workflows/update.yaml
@@ -20,10 +20,6 @@ jobs:
 nix-env -f . -iA python3Packages.rosdep superflore
 - name: Update overlay
 env:
- # Don't use secrets.GITHUB_TOKEN because it prevents the PR from
- # triggering a build
- # https://help.github.com/en/actions/automating-your-workflow-with-github-actions/events-that-trigger-workflows#about-workflow-events
- SUPERFLORE_GITHUB_TOKEN: ${{ secrets.SUPERFLORE_GITHUB_TOKEN }}
 ROS_OS_OVERRIDE: nixos
 ROSDEP_SOURCE_PATH: rosdep-sources
 run: |
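Review bot: Dropping `SUPERFLORE_GITHUB_TOKEN` from the `Update overlay` env leaves the credential helper that this step's script sets up (its `echo "password=${SUPERFLORE_GITHUB_TOKEN}"` line is visible as context in the next hunk) with an empty password whenever git invokes it in this step. That looks intended for the `--dry-run` pass, but it is undocumented, and the later `Create PR` step only authenticates if the helper configuration persists across steps and expands the variable at call time; the `git config` line that installs it is outside the hunk, so this cannot be confirmed from here. I would record the dependency where the env entry was removed, e.g. `# No token here on purpose: the credential helper below reads SUPERFLORE_GITHUB_TOKEN lazily and only works in "Create PR".`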
@@ -37,8 +33,28 @@ jobs:
 echo "username=lopsided98"
 echo "password=${SUPERFLORE_GITHUB_TOKEN}"
 }; f'
- superflore-gen-nix \
+ superflore-gen-nix --dry-run \
 --tar-archive-dir "${{ runner.temp }}/tar" \
 --output-repository-path . \
 --upstream-branch develop \
 --all
+ - name: Update ament_vendor info
+ continue-on-error: true
+ run: |
+ # permittedInsecurePackages is needed for updating some gz-*-vendor packages.
+ # Note that this runs without access to SUPERFLORE_GITHUB_TOKEN.
+ mkdir -p ~/.config/nixpkgs
+ echo '{ permittedInsecurePackages = [ "freeimage-unstable-2021-11-01" ]; }' > ~/.config/nixpkgs/config.nix
+ NIX_PATH=nixpkgs=$PWD ./maintainers/scripts/update-ament-vendor.sh || ret=$?
+ git commit -m 'Update vendored-source.json files' $(find -name vendored-source.json) || :
+ exit $ret
+ - name: Create PR
+ env:
+ # Don't use secrets.GITHUB_TOKEN because it prevents the PR from
+ # triggering a build
+ # https://help.github.com/en/actions/automating-your-workflow-with-github-actions/events-that-trigger-workflows#about-workflow-events
+ SUPERFLORE_GITHUB_TOKEN: ${{ secrets.SUPERFLORE_GITHUB_TOKEN }}
+ run: |
+ superflore-gen-nix --pr-only \
+ --output-repository-path . \
+ --upstream-branch develop \
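Review bot: The comment in the `Update ament_vendor info` step says it runs without `SUPERFLORE_GITHUB_TOKEN`, but that only covers the step's own environment: the step shares the runner's workspace, `$HOME` and git configuration with the later `Create PR` step, which does hold the token. Whatever `update-ament-vendor.sh` and the builds it triggers leave behind is therefore still in place when the token comes into scope, including the `permittedInsecurePackages` allowance written to `~/.config/nixpkgs/config.nix`. I would add `rm -f ~/.config/nixpkgs/config.nix` just before the `exit` line (assuming the PR step does not need that allowance) and extend the comment with `# Env scoping only: workspace, $HOME and git config are shared with the token-bearing "Create PR" step.`; running the metadata update in a separate job would be the stronger boundary. Separately, `ret` is unset when the script succeeds and `|| :` hides a failed `git commit`, so `ret=0` at the top and `exit "$ret"` would make the step's exit status explicit.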