chore(ci): automate vcpkg registry sync on ecosystem releases#608
Merged
Add sync-vcpkg-registry.yml reusable workflow that automates the manual port sync process described in PORT_MANAGEMENT.md Step 8.

On release, the workflow:
- Downloads the release archive and computes SHA512
- Updates portfile.cmake and vcpkg.json with new version
- Copies port files to kcenon/vcpkg-registry
- Updates versions database (version JSON + baseline.json)
- Opens a PR to vcpkg-registry for human review

Also adds on-release-sync-registry.yml caller workflow for monitoring_system, triggered on release published events.

Closes #607
…gistry sync

Update Step 8 of the port update procedure to describe the new automated sync-vcpkg-registry workflow. Add caller workflow setup instructions for other ecosystem repositories. Add CHANGELOG entry under Unreleased.
Fix two critical issues in sync-vcpkg-registry.yml:
1. Script injection: Replace all direct ${{ inputs.* }} and
${{ steps.*.outputs.* }} interpolation in run: blocks with env:
block indirection to prevent untrusted input injection.
2. Duplicate version entry: On workflow re-run for the same version,
the jq prepend would create duplicate entries in the versions JSON.
Now checks for existing version and updates in place instead.
kcenon
added a commit
that referenced
this pull request
Apr 13, 2026
* chore(ci): add reusable workflow for vcpkg registry sync

  Add sync-vcpkg-registry.yml reusable workflow that automates the manual port sync process described in PORT_MANAGEMENT.md Step 8.

  On release, the workflow:
  - Downloads the release archive and computes SHA512
  - Updates portfile.cmake and vcpkg.json with new version
  - Copies port files to kcenon/vcpkg-registry
  - Updates versions database (version JSON + baseline.json)
  - Opens a PR to vcpkg-registry for human review

  Also adds on-release-sync-registry.yml caller workflow for monitoring_system, triggered on release published events.

  Closes #607

* docs(vcpkg): update PORT_MANAGEMENT.md and CHANGELOG for automated registry sync

  Update Step 8 of the port update procedure to describe the new automated sync-vcpkg-registry workflow. Add caller workflow setup instructions for other ecosystem repositories. Add CHANGELOG entry under Unreleased.

* fix(ci): harden sync workflow against injection and duplicate versions

  Fix two critical issues in sync-vcpkg-registry.yml:
  1. Script injection: Replace all direct ${{ inputs.* }} and ${{ steps.*.outputs.* }} interpolation in run: blocks with env: block indirection to prevent untrusted input injection.
  2. Duplicate version entry: On workflow re-run for the same version, the jq prepend would create duplicate entries in the versions JSON. Now checks for existing version and updates in place instead.
Closes #607

Summary

- Reusable workflow (`sync-vcpkg-registry.yml`) that automates vcpkg registry synchronization
- Caller workflow (`on-release-sync-registry.yml`) for monitoring_system releases
- Updated `docs/guides/PORT_MANAGEMENT.md` with automated flow documentation and adoption guide

What

- `.github/workflows/sync-vcpkg-registry.yml`: `workflow_call` workflow
- `.github/workflows/on-release-sync-registry.yml`
- `docs/guides/PORT_MANAGEMENT.md`
- `CHANGELOG.md`

Why

Eliminates the manual 32-step process (8 systems x 4 steps) for vcpkg registry updates after ecosystem releases. Reduces errors from SHA512 mismatches and version database inconsistencies, and removes the single-maintainer bottleneck for registry availability.

How

Reusable Workflow Design

The workflow accepts `port-name`, `version`, and `REGISTRY_PAT` via `workflow_call`, then:

- Strips the `v` prefix from the version and derives the repo name from the port name
- Updates `portfile.cmake` (SHA512) and `vcpkg.json` (version, port-version reset)
- Checks out `kcenon/vcpkg-registry` and copies the updated port files
- Computes the git-tree SHA via `git rev-parse`
- Updates `versions/<prefix>/<port>.json` (with idempotent upsert) and `baseline.json`

Security Hardening

- `${{ }}` expressions passed through `env:` blocks (no script injection)

Idempotency

Test Plan

- `vcpkg-ports/kcenon-monitoring-system/` confirmed to exist
- No `${{ }}` interpolation in any `run:` block (script injection hardened)
- … (`VCPKG_REGISTRY_PAT` secret)
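The idempotent upsert the PR describes (on a re-run for the same version, update the existing entry in place instead of prepending a duplicate), written out as an added Python example. This is not the PR's own workflow code, which does the same thing with jq in a shell step, and not code from kcenon/vcpkg-registry. It assumes the standard vcpkg registry layout (`versions/<prefix>/<port>.json` with a newest-first `versions` array of version/port-version/git-tree entries, and `versions/baseline.json` with a `default` map); the port name, versions and git-tree SHAs are constructed sample values.

```python
"""Idempotent upsert into a vcpkg registry versions database.

Added example, not code from the PR or from kcenon/vcpkg-registry. Assumes the
standard vcpkg registry layout: versions/<prefix>/<port>.json holds a "versions"
array of {"version", "port-version", "git-tree"} entries, newest first, and
versions/baseline.json holds {"default": {<port>: {"baseline", "port-version"}}}.
All port names, versions and git-tree SHAs below are constructed sample values.
"""
import re
from copy import deepcopy

GIT_TREE_RE = re.compile(r"^[0-9a-f]{40}$")


def strip_v_prefix(tag: str) -> str:
    """Turn a release tag such as 'v1.2.3' into the vcpkg version '1.2.3'."""
    return tag[1:] if re.match(r"^v\d", tag) else tag


def upsert_version(versions_doc: dict, version: str, git_tree: str,
                   port_version: int = 0) -> dict:
    """Return a copy of the versions document with this version set to git_tree.

    A plain prepend adds a second entry every time the workflow is re-run for
    the same release. Instead, an existing entry with the same version and
    port-version is replaced in place; only a genuinely new version is
    inserted at the front.
    """
    if not GIT_TREE_RE.match(git_tree):
        # git-tree comes from a step output; reject anything that is not a
        # 40-hex object id before it reaches the database.
        raise ValueError(f"invalid git-tree SHA: {git_tree!r}")
    doc = deepcopy(versions_doc)
    entries = doc.setdefault("versions", [])
    new_entry = {"version": version, "port-version": port_version, "git-tree": git_tree}
    for i, entry in enumerate(entries):
        if entry.get("version") == version and entry.get("port-version", 0) == port_version:
            entries[i] = new_entry  # re-run for the same release: update in place
            return doc
    entries.insert(0, new_entry)  # new release: newest first
    return doc


def update_baseline(baseline_doc: dict, port: str, version: str,
                    port_version: int = 0) -> dict:
    """Return a copy of baseline.json pointing `port` at the given version."""
    doc = deepcopy(baseline_doc)
    doc.setdefault("default", {})[port] = {"baseline": version, "port-version": port_version}
    return doc


def sync_release(versions_doc, baseline_doc, port, tag, git_tree):
    """One registry sync: both files updated for a release tag; safe to repeat."""
    version = strip_v_prefix(tag)
    return (upsert_version(versions_doc, version, git_tree),
            update_baseline(baseline_doc, port, version))


if __name__ == "__main__":
    import json
    port = "kcenon-monitoring-system"  # constructed sample port name
    versions = {"versions": [{"version": "1.0.0", "port-version": 0, "git-tree": "a" * 40}]}
    baseline = {"default": {port: {"baseline": "1.0.0", "port-version": 0}}}
    # First sync for v1.1.0, then a re-run after a port-file fix changed the tree.
    versions, baseline = sync_release(versions, baseline, port, "v1.1.0", "b" * 40)
    versions, baseline = sync_release(versions, baseline, port, "v1.1.0", "c" * 40)
    print(json.dumps(versions, indent=2))  # still two entries; 1.1.0 now points at "ccc..."
    print(json.dumps(baseline, indent=2))
```

The git-tree check matters because that value is produced by an earlier step rather than typed by a human: constraining it to a 40-hex object id keeps a malformed or unexpected step output from being written into the registry's version database.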
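A check for the test-plan item "No `${{ }}` interpolation in any `run:` block", as an added Python example rather than tooling from the PR. GitHub Actions substitutes `${{ }}` expressions into the `run:` script text before the shell parses it, so a value carrying shell metacharacters becomes part of the command; moving the expression into `env:` (the hardening this PR applies) hands the value to the shell as a variable instead. The scanner needs no YAML library: it tracks the indent of each `run:` key and treats deeper-indented following lines (block scalar) or the rest of the line (inline) as the script body. The workflow text below is constructed for illustration.

```python
"""Flag ${{ }} expressions that are expanded inside run: scripts.

Added example, not tooling from the PR. It tracks the indent of each run: key
and treats deeper-indented following lines (block scalar) or the rest of the
line (inline value) as the script body, then reports any ${{ }} found there.
Expressions under env: are not reported: the runner passes those as
environment variables rather than splicing them into the shell text.
SAMPLE_WORKFLOW is constructed for illustration.
"""
import re

EXPR_RE = re.compile(r"\$\{\{.*?\}\}")
RUN_KEY_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


def find_run_interpolations(workflow_text: str) -> list:
    """Return (line_number, expression) for every ${{ }} inside a run: value."""
    findings = []
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col, value = len(m.group(1)), m.group(2)
        body = []  # (line_number, text) pairs that make up the script
        if value.startswith(("|", ">")):
            # Block scalar: the body is every following line indented past the key.
            i += 1
            while i < len(lines):
                line = lines[i]
                if line.strip() and len(line) - len(line.lstrip()) <= key_col:
                    break
                body.append((i + 1, line))
                i += 1
        else:
            body.append((i + 1, value))
            i += 1
        for lineno, text in body:
            for expr in EXPR_RE.findall(text):
                findings.append((lineno, expr))
    return findings


def run_blocks_hardened(workflow_text: str) -> bool:
    """True when no run: block interpolates an expression directly."""
    return not find_run_interpolations(workflow_text)


# Constructed sample: one step still interpolating inputs, one routed through env:,
# and one inline run: that interpolates a step output.
SAMPLE_WORKFLOW = """\
jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable
        run: |
          echo "Syncing ${{ inputs.port-name }} at ${{ inputs.version }}"
      - name: hardened
        env:
          PORT_NAME: ${{ inputs.port-name }}
          VERSION: ${{ inputs.version }}
        run: |
          echo "Syncing $PORT_NAME at $VERSION"
      - run: echo "${{ steps.meta.outputs.sha }}"
"""

if __name__ == "__main__":
    for lineno, expr in find_run_interpolations(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {expr} expanded inside run: (move it to env:)")
```

Run against the sample it reports lines 7 and 14; the hardened step on lines 8 to 13 is clean because its expressions sit under `env:`. It is a lightweight gate suited to a pre-commit hook or a CI lint job on `.github/workflows/`; it does not replace a real YAML parse for exotic scalar styles, but it covers the block and inline forms workflows almost always use.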