Added a workflow to bump downstream versions (#13434)

Author: alex

.github/bin/bump_downstreams.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+
+# Extract downstream info from ci.yml using yq
+DOWNSTREAMS=$(yq '.jobs.linux-downstream.strategy.matrix.include[] | .DOWNSTREAM + ":" + .REPO + ":" + .REF' .github/workflows/ci.yml)
+echo "Found downstreams:"
+echo "$DOWNSTREAMS"
+
+# Create individual bump steps for each downstream
+HAS_ANY_UPDATES=false
+COMBINED_COMMIT_MSG=""
+
+while IFS=: read -r downstream repo ref; do
+    echo "Processing $downstream..."
+
+    # Convert repo to GitHub URL
+    repo_url="https://github.com/$repo"
+
+    # Extract branch name and determine if it's a tag from the comment in ci.yml
+    # Find the comment line for this downstream by looking for the REF line and getting the comment above it
+    comment_line=$(grep -B1 "REF: $ref" .github/workflows/ci.yml | grep "^[[:space:]]*#" | tail -1)
+
+    # Parse the comment to determine branch and whether it's a tag
+    if echo "$comment_line" | grep -q "release tag"; then
+        # This is a tag-based entry
+        tag_args="--tag"
+        branch=""  # Not used for tags
+        comment_pattern="# Latest release tag of $downstream, as of.*\\."
+    else
+        # This is a branch-based entry, extract branch name
+        branch=$(echo "$comment_line" | sed -n 's/.*on the .* \([^ ]*\) branch.*/\1/p')
+        tag_args=""
+        comment_pattern="# Latest commit on the $downstream .* branch, as of.*\\."
+    fi
+
+    echo "Using branch: $branch, tag_args: $tag_args"
+
+    # Create pattern to match REF in ci.yml
+    ref_pattern="REF: ($ref)"
+    replacement_pattern="REF: {new_version}"
+
+    # Run bump_dependency.py
+    python3 .github/bin/bump_dependency.py \
+        --name "$downstream" \
+        --repo-url "$repo_url" \
+        --branch "$branch" \
+        --file-path ".github/workflows/ci.yml" \
+        --current-version-pattern "$ref_pattern" \
+        --update-pattern "$replacement_pattern" \
+        --comment-pattern "$comment_pattern" \
+        $tag_args
+
+    # Check if this downstream had updates
+    if [ -f "$GITHUB_OUTPUT" ]; then
+        if grep -q "HAS_UPDATES=true" "$GITHUB_OUTPUT"; then
+            HAS_ANY_UPDATES=true
+            # Extract commit message for this downstream
+            DOWNSTREAM_MSG=$(sed -n '/COMMIT_MSG<<EOF/,/^EOF$/p' "$GITHUB_OUTPUT" | sed '1d;$d')
+            if [ -n "$COMBINED_COMMIT_MSG" ]; then
+                COMBINED_COMMIT_MSG="$COMBINED_COMMIT_MSG"$'\n\n'"$DOWNSTREAM_MSG"
+            else
+                COMBINED_COMMIT_MSG="$DOWNSTREAM_MSG"
+            fi
+        fi
+    fi
+done <<< "$DOWNSTREAMS"
+
+# Set final outputs
+echo "HAS_UPDATES=$HAS_ANY_UPDATES" >> "$GITHUB_OUTPUT"
+if [ "$HAS_ANY_UPDATES" = "true" ]; then
+    echo "COMMIT_MSG<<EOF" >> "$GITHUB_OUTPUT"
+    echo "$COMBINED_COMMIT_MSG" >> "$GITHUB_OUTPUT"
+    echo "EOF" >> "$GITHUB_OUTPUT"
+fi

.github/downstream.d/aws-encryption-sdk.sh renamed to .github/downstream.d/aws-encryption-sdk-python.sh

@@ -445,7 +445,7 @@ jobs:
             # Latest commit on the twisted trunk branch, as of Aug 05, 2025.
             REF: 710e6fad358efe58262ff49c9e32af594687a794
             PATH: twisted
-          - DOWNSTREAM: aws-encryption-sdk
+          - DOWNSTREAM: aws-encryption-sdk-python
             REPO: awslabs/aws-encryption-sdk-python
             # Latest commit on the aws-encryption-sdk-python master branch, as of Aug 05, 2025.
             REF: cbfab663e94c4ed1db5211886770e1aa403a7c67
@@ -462,7 +462,7 @@ jobs:
             PATH: certbot
           - DOWNSTREAM: certbot-josepy
             REPO: certbot/josepy
-            # Latest commit on the josepy main branch, as of Aug 05, 2025.
+            # Latest commit on the certbot-josepy main branch, as of Aug 05, 2025.
             REF: f74100c800fd280f0640d320052a9680da56be95
             PATH: josepy
           - DOWNSTREAM: mitmproxy
@@ -475,7 +475,7 @@ jobs:
             # Latest commit on the scapy master branch, as of Aug 05, 2025.
             REF: cc8e09187407cefce61207823239c2d5749bf046
             PATH: scapy
-          - DOWNSTREAM: sigstore
+          - DOWNSTREAM: sigstore-python
             REPO: sigstore/sigstore-python
             # Latest commit on the sigstore-python main branch, as of Aug 05, 2025.
             REF: 5ea398f538ea1954c9aca9cf6064d1d93ccbced1

.github/downstream.d/sigstore.sh renamed to .github/downstream.d/sigstore-python.sh

@@ -0,0 +1,39 @@
+name: Bump downstream dependencies
+permissions:
+  contents: read
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run daily
+    - cron: "0 0 * * *"
+
+jobs:
+  bump:
+    if: github.repository_owner == 'pyca'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          # Needed so we can push back to the repo
+          persist-credentials: true
+      - name: Parse downstream dependencies
+        id: downstream-bump
+        run: ./.github/bin/bump_downstreams.sh
+      - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+        id: generate-token
+        with:
+          app_id: ${{ secrets.BORINGBOT_APP_ID }}
+          private_key: ${{ secrets.BORINGBOT_PRIVATE_KEY }}
+        if: steps.downstream-bump.outputs.HAS_UPDATES == 'true'
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        with:
+          branch: "bump-downstreams"
+          commit-message: "Bump downstream dependencies in CI"
+          title: "Bump downstream dependencies in CI"
+          author: "pyca-boringbot[bot] <pyca-boringbot[bot][email protected]>"
+          body: |
+            ${{ steps.downstream-bump.outputs.COMMIT_MSG }}
+          token: ${{ steps.generate-token.outputs.token }}
+        if: steps.downstream-bump.outputs.HAS_UPDATES == 'true'