
chore(ci): automate vcpkg registry sync on ecosystem releases#608

Merged
kcenon merged 3 commits into main from chore/issue-607-automate-vcpkg-registry-sync on Mar 24, 2026

Conversation


@kcenon kcenon commented Mar 24, 2026


Closes #607

Summary

  • Add reusable GitHub Actions workflow (sync-vcpkg-registry.yml) that automates vcpkg registry synchronization
  • Add caller workflow (on-release-sync-registry.yml) for monitoring_system releases
  • Update docs/guides/PORT_MANAGEMENT.md with automated flow documentation and adoption guide

What

  • .github/workflows/sync-vcpkg-registry.yml: New reusable workflow_call workflow
  • .github/workflows/on-release-sync-registry.yml: New caller workflow for monitoring_system
  • docs/guides/PORT_MANAGEMENT.md: Updated Step 8 (automated sync), added adoption section
  • CHANGELOG.md: Added entry for registry sync automation

Why

Eliminates manual 32-step process (8 systems x 4 steps) for vcpkg registry updates after ecosystem releases. Reduces errors from SHA512 mismatches and version database inconsistencies, and removes single-maintainer bottleneck for registry availability.

How

Reusable Workflow Design

The workflow accepts port-name, version, and REGISTRY_PAT via workflow_call, then:

  1. Strips v prefix from version, derives repo name from port name
  2. Downloads release archive and computes SHA512 hash
  3. Updates portfile.cmake (SHA512) and vcpkg.json (version, port-version reset)
  4. Clones kcenon/vcpkg-registry, copies updated port files
  5. Commits port files, computes git-tree SHA via git rev-parse
  6. Updates versions/<prefix>/<port>.json (with idempotent upsert) and baseline.json
  7. Opens PR to vcpkg-registry for manual review

Security Hardening

  • All ${{ }} expressions passed through env: blocks (no script injection)
  • PAT scoped to vcpkg-registry only, passed via secrets
  • PR-based approach maintains human review gate
  • SHA512 verification prevents supply-chain tampering

Idempotency

  • Re-runs for the same version update the existing entry in place instead of creating duplicates
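The reusable-workflow steps above (1 to 3 and 6) together with the idempotent upsert, as an added example that is not the PR's workflow or the registry's own tooling: a Python model of the same file edits carried out on in-memory text. The port-name-to-repository mapping (kcenon-monitoring-system to kcenon/monitoring_system), the minimal portfile.cmake, vcpkg.json, versions JSON and baseline.json layouts, and the sample archive bytes are constructed assumptions; the git-tree SHA that step 5 obtains from `git rev-parse` is taken as a placeholder argument.

```python
import hashlib
import json
import re

# Constructed sample inputs (not files from the PR or the registry): a stand-in
# release archive, a minimal portfile.cmake and vcpkg.json, and a versions
# database that already holds one older entry.
ARCHIVE_BYTES = b"stand-in for the downloaded release tarball"
PORTFILE = """\
vcpkg_from_github(
    OUT_SOURCE_PATH SOURCE_PATH
    REPO kcenon/monitoring_system
    REF v${VERSION}
    SHA512 0
    HEAD_REF main
)
"""
MANIFEST = '{"name": "kcenon-monitoring-system", "version": "1.0.0", "port-version": 2}'
VERSIONS_DB = '{"versions": [{"git-tree": "aaaa", "version": "1.0.0", "port-version": 2}]}'
BASELINE = '{"default": {"kcenon-monitoring-system": {"baseline": "1.0.0", "port-version": 2}}}'


def normalize_version(tag):
    """Step 1: strip a leading 'v' from the release tag (v2.0.0 -> 2.0.0)."""
    return tag[1:] if tag.startswith("v") else tag


def repo_from_port(port_name, owner="kcenon"):
    """Step 1: derive the repo from the port name. Assumed convention:
    kcenon-monitoring-system -> kcenon/monitoring_system."""
    prefix = owner + "-"
    if not port_name.startswith(prefix):
        raise ValueError(f"port name {port_name!r} does not start with {prefix!r}")
    return f"{owner}/{port_name[len(prefix):].replace('-', '_')}"


def sha512_hex(archive_bytes):
    """Step 2: hash the downloaded archive; the digest is pinned in portfile.cmake."""
    return hashlib.sha512(archive_bytes).hexdigest()


def update_portfile(portfile_text, digest):
    """Step 3: replace the SHA512 value of vcpkg_from_github()."""
    new_text, count = re.subn(r"(SHA512\s+)[0-9a-fA-F]+", lambda m: m.group(1) + digest,
                              portfile_text, count=1)
    if count != 1:
        raise ValueError("portfile has no SHA512 field to update")
    return new_text


def update_vcpkg_json(manifest_text, version):
    """Step 3: set the new version and reset port-version (absent means 0 in vcpkg)."""
    manifest = json.loads(manifest_text)
    manifest["version"] = version
    manifest.pop("port-version", None)
    return json.dumps(manifest, indent=2) + "\n"


def upsert_version(versions_text, version, git_tree, port_version=0):
    """Step 6, idempotent: a re-run for the same version updates the existing
    entry's git-tree in place; a version not yet present is prepended."""
    db = json.loads(versions_text) if versions_text else {"versions": []}
    entries = db.setdefault("versions", [])
    for entry in entries:
        if entry.get("version") == version and entry.get("port-version", 0) == port_version:
            entry["git-tree"] = git_tree
            break
    else:
        entries.insert(0, {"git-tree": git_tree, "version": version, "port-version": port_version})
    return json.dumps(db, indent=2) + "\n"


def update_baseline(baseline_text, port_name, version, port_version=0):
    """Step 6: point baseline.json at the new version."""
    db = json.loads(baseline_text) if baseline_text else {"default": {}}
    db.setdefault("default", {})[port_name] = {"baseline": version, "port-version": port_version}
    return json.dumps(db, indent=2) + "\n"


def sync_port(port_name, tag, archive_bytes, portfile, manifest, versions_db, baseline, git_tree):
    """Steps 1-3 and 6 on in-memory text. `git_tree` is a placeholder for the
    value the real workflow computes with `git rev-parse` in step 5."""
    version = normalize_version(tag)
    digest = sha512_hex(archive_bytes)
    return {
        "repo": repo_from_port(port_name),
        "version": version,
        "sha512": digest,
        "portfile.cmake": update_portfile(portfile, digest),
        "vcpkg.json": update_vcpkg_json(manifest, version),
        "versions.json": upsert_version(versions_db, version, git_tree),
        "baseline.json": update_baseline(baseline, port_name, version),
    }


if __name__ == "__main__":
    result = sync_port("kcenon-monitoring-system", "v2.0.0", ARCHIVE_BYTES, PORTFILE,
                       MANIFEST, VERSIONS_DB, BASELINE, "bbbb")
    print(result["repo"], result["version"], result["sha512"][:16], result["versions.json"])
```

Calling `upsert_version` a second time with the same version and a new git-tree value leaves the entry count unchanged and only rewrites the git-tree, which is the behaviour the duplicate-entry fix describes; a naive prepend would grow the list on every re-run.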

Test Plan

  • YAML syntax validated for all workflow files
  • Workflow inputs/secrets match between reusable and caller
  • Port directory vcpkg-ports/kcenon-monitoring-system/ confirmed to exist
  • No direct ${{ }} interpolation in any run: block (script injection hardened)
  • Manual trigger test after merge (requires VCPKG_REGISTRY_PAT secret)
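A check for the hardening bullet and the test-plan item above (no direct ${{ }} interpolation in any run: block), as an added example that is not part of the PR: a small indentation-based scanner over workflow text that flags expressions inside run: values while leaving the env: indirection pattern alone. The two step fragments are constructed, not the PR's workflow files, and the scanner assumes the usual two-space YAML layout rather than using a YAML library.

```python
import re

# Constructed workflow fragments (not the PR's files). The first interpolates
# workflow inputs straight into the run: script; the second passes them through
# env: so the shell sees them as variables, not as script text.
UNSAFE_STEP = """\
steps:
  - name: Update port
    run: |
      echo "Syncing ${{ inputs.port-name }} at ${{ inputs.version }}"
      ./sync.sh "${{ inputs.port-name }}"
"""

SAFE_STEP = """\
steps:
  - name: Update port
    env:
      PORT_NAME: ${{ inputs.port-name }}
      VERSION: ${{ inputs.version }}
    run: |
      echo "Syncing $PORT_NAME at $VERSION"
      ./sync.sh "$PORT_NAME"
"""

EXPRESSION = re.compile(r"\$\{\{.*?\}\}")
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")
BLOCK_SCALARS = {"|", ">", "|-", ">-", "|+", ">+"}


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def find_run_interpolations(workflow_text):
    """Return (line_number, expression) for every ${{ }} inside a run: value.

    Only run: is inspected: an expression under env: is the hardened pattern.
    Handles inline values (run: echo ...) and block scalars (run: | ...),
    where the script body is every following line indented deeper than the key.
    """
    findings = []
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        value = m.group(3).strip()
        if value in BLOCK_SCALARS:
            i += 1
            while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > key_indent):
                findings.extend((i + 1, e) for e in EXPRESSION.findall(lines[i]))
                i += 1
        else:
            findings.extend((i + 1, e) for e in EXPRESSION.findall(value))
            i += 1
    return findings


def check_workflow(workflow_text):
    """True when no run: block interpolates a ${{ }} expression."""
    return not find_run_interpolations(workflow_text)


if __name__ == "__main__":
    for name, text in (("unsafe", UNSAFE_STEP), ("safe", SAFE_STEP)):
        print(name, find_run_interpolations(text))
```

Running it over the two fragments reports three findings on the unsafe step (two on the echo line, one on the script invocation) and none on the hardened one; the same function can be pointed at a real workflow file's contents as a pre-merge gate.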

kcenon added 3 commits March 24, 2026 09:11

Add sync-vcpkg-registry.yml reusable workflow that automates the
manual port sync process described in PORT_MANAGEMENT.md Step 8.

On release, the workflow:
- Downloads the release archive and computes SHA512
- Updates portfile.cmake and vcpkg.json with new version
- Copies port files to kcenon/vcpkg-registry
- Updates versions database (version JSON + baseline.json)
- Opens a PR to vcpkg-registry for human review

Also adds on-release-sync-registry.yml caller workflow for
monitoring_system, triggered on release published events.

Closes #607

…gistry sync

Update Step 8 of the port update procedure to describe the new automated
sync-vcpkg-registry workflow. Add caller workflow setup instructions for
other ecosystem repositories. Add CHANGELOG entry under Unreleased.

Fix two critical issues in sync-vcpkg-registry.yml:

1. Script injection: Replace all direct ${{ inputs.* }} and
   ${{ steps.*.outputs.* }} interpolation in run: blocks with env:
   block indirection to prevent untrusted input injection.

2. Duplicate version entry: On workflow re-run for the same version,
   the jq prepend would create duplicate entries in the versions JSON.
   Now checks for existing version and updates in place instead.
@kcenon kcenon merged commit c47e85c into main Mar 24, 2026
25 checks passed
@kcenon kcenon deleted the chore/issue-607-automate-vcpkg-registry-sync branch March 24, 2026 00:28
kcenon added a commit that referenced this pull request Apr 13, 2026
* chore(ci): add reusable workflow for vcpkg registry sync

Add sync-vcpkg-registry.yml reusable workflow that automates the
manual port sync process described in PORT_MANAGEMENT.md Step 8.

On release, the workflow:
- Downloads the release archive and computes SHA512
- Updates portfile.cmake and vcpkg.json with new version
- Copies port files to kcenon/vcpkg-registry
- Updates versions database (version JSON + baseline.json)
- Opens a PR to vcpkg-registry for human review

Also adds on-release-sync-registry.yml caller workflow for
monitoring_system, triggered on release published events.

Closes #607

* docs(vcpkg): update PORT_MANAGEMENT.md and CHANGELOG for automated registry sync

Update Step 8 of the port update procedure to describe the new automated
sync-vcpkg-registry workflow. Add caller workflow setup instructions for
other ecosystem repositories. Add CHANGELOG entry under Unreleased.

* fix(ci): harden sync workflow against injection and duplicate versions

Fix two critical issues in sync-vcpkg-registry.yml:

1. Script injection: Replace all direct ${{ inputs.* }} and
   ${{ steps.*.outputs.* }} interpolation in run: blocks with env:
   block indirection to prevent untrusted input injection.

2. Duplicate version entry: On workflow re-run for the same version,
   the jq prepend would create duplicate entries in the versions JSON.
   Now checks for existing version and updates in place instead.


Development

Successfully merging this pull request may close these issues.

chore(ci): Automate vcpkg registry sync on ecosystem releases