[PR #94] [CLOSED] feat: add boto3 and botocore automated dependency update github workflows #234

Closed
opened 2026-03-15 11:54:45 +03:00 by kerem · 0 comments
## 📋 Pull Request Information

**Original PR:** https://github.com/awslabs/iam-policy-autopilot/pull/94
**Author:** [@hwei0](https://github.com/hwei0)
**Created:** 1/7/2026
**Status:** ❌ Closed

**Base:** `main` ← **Head:** `main-action-dev`

---

### 📝 Commits (10+)

- [`912c890`](https://github.com/awslabs/iam-policy-autopilot/commit/912c890e670adcca79532fcc3f2333db76c51be3) feat: add version flag and submodule version+data info
- [`9f79162`](https://github.com/awslabs/iam-policy-autopilot/commit/9f791626e9e873b49c7ebe0b887d9aca89377019) Merge branch 'main' of https://github.com/hwei0/iam-policy-autopilot
- [`a6077d4`](https://github.com/awslabs/iam-policy-autopilot/commit/a6077d4458f34eb6d3fa348f1b65c94d11fa50c2) refactor: address comments in PR#87
- [`869f80a`](https://github.com/awslabs/iam-policy-autopilot/commit/869f80ab3195966c0d02f5ab933e76ba6c05a69e) refactor: fix clippy
- [`fbf5280`](https://github.com/awslabs/iam-policy-autopilot/commit/fbf5280d56f0cd2ca4961f8dd01e51baeecadf87) fix: add openssl, libssl-dev dependencies to pr build workflow
- [`59b4b63`](https://github.com/awslabs/iam-policy-autopilot/commit/59b4b638fda4dfbeb25a3e117a545bfa49d5cb6c) fix: try to resolve build failure with openssl vendored https://github.com/cross-rs/cross/wiki/Recipes#openssl
- [`6af7ee6`](https://github.com/awslabs/iam-policy-autopilot/commit/6af7ee619794ef00d2761f181d7d3c5211af5bb0) Merge branch 'awslabs:main' into main
- [`01b266b`](https://github.com/awslabs/iam-policy-autopilot/commit/01b266bada4b4ba9d3fdfe207a01c2a41e7fe9e6) refactor: reset BTreeMap to HashMap in build.rs serde structs, add comments to structs in build.rs
- [`c4a739c`](https://github.com/awslabs/iam-policy-autopilot/commit/c4a739cd4acb90ca0f947b42304ee1e90b4327ff) refactor: reset to btree
- [`e03c285`](https://github.com/awslabs/iam-policy-autopilot/commit/e03c285c2d3b8e0a0b5420ceba40d60213af16a2) feat: add submodule dependency update github workflows

### 📊 Changes

**2 files changed** (+448 additions, -0 deletions)

<details>
<summary>View changed files</summary>

➕ `.github/workflows/submodule_update_pr.yml` (+346 -0)
➕ `.github/workflows/sync_release_to_main.yml` (+102 -0)

</details>

### 📄 Description

*Issue #, if available:*
https://github.com/awslabs/iam-policy-autopilot/issues/63

*Description of changes:*
There are two workflows being added here:

**`submodule_update_pr.yml`:**
This does the following, on a manual trigger or a cron basis:

1. gets the current boto3, botocore commits used at the head of iam-policy-autopilot/release
2. checks out the newest tagged release of boto3, botocore, and builds the latest released version of iam-policy-autopilot using them; runs `iam-policy-autopilot --version --debug` to get the corresponding data checksum.
3. checks out the boto3, botocore commits used at the head of iam-policy-autopilot/release, and builds the latest release version of iam-policy-autopilot using them; runs `iam-policy-autopilot --version --debug` to get the corresponding data checksum.
4. For each of boto3, botocore, compare the checksums from (2) and (3). If they differ, we submit a PR to the release branch, to bump the submodule versions on that release branch.

**`sync_release_to_main.yml`:**
The previous action only submits PR updates to the release branch. Once those submitted PRs are merged, we want another workflow to run, which merges that dependency update in the release branch, back to the main branch. This workflow does this by:

- getting the updated submodule versions in the release branch
- checking out the main branch, and bumping the versions there
- submitting a PR for that merge
- enabling auto-merge on that PR
- automatically approving that PR, using our custom personal access token set as the `CUSTOM_GITHUB_ACTION_PAT` repository secret in https://github.com/awslabs/iam-policy-autopilot/settings/secrets/actions.

Two notes:

- [This PR](https://github.com/awslabs/iam-policy-autopilot/pull/87) must be released before this workflow can run successfully. This is because that PR actually enables the `--version --debug` functionality needed for this action.
- A PAT with repo permissions must be set up and stored as a secret named `CUSTOM_GITHUB_ACTION_PAT` in https://github.com/awslabs/iam-policy-autopilot/settings/secrets/actions. This is needed for the auto-approval action to work successfully.
- For some reason the sync_release_to_main workflow doesn't get automatically triggered on PR merges to release. It might be because of a [delay on GitHub](https://stackoverflow.com/questions/67550727/push-event-doesnt-trigger-workflow-on-push-paths), but I'm still not sure yet. Still making this PR to see if it's just an issue with my testing repository configuration.

Example of successful PR runs:

- For submodule_update_pr: [here's a sample PR](https://github.com/hwei0/iam-policy-autopilot-testing/pull/5). [Here's a sample workflow run](https://github.com/hwei0/iam-policy-autopilot-testing/actions/runs/20762203881).
- For sync_release_to_main: [here's a sample PR](https://github.com/hwei0/iam-policy-autopilot-testing/pull/11). [Here's a sample workflow run](https://github.com/hwei0/iam-policy-autopilot-testing/actions/runs/20767170132)

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

---

<sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
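
Step 4 of the `submodule_update_pr.yml` description above, sketched as an added example (not code from the PR or the project): compare the per-submodule data checksums from the two builds and fail closed when one cannot be read, so a broken build neither opens nor suppresses a bump PR. The line format `<submodule> data checksum: <hex>`, the function names and the sample values are assumptions, since the page does not show the `--version --debug` output.

```shell
#!/bin/sh
# ASSUMED output format (constructed for this example, not taken from the tool):
#   "<submodule> data checksum: <lowercase hex>"

# Print the checksum for submodule $2 found in file $1.
# Fails unless exactly one well-formed checksum line is present.
extract_checksum() {
    awk -v name="$2" '
        $1 == name && $2 == "data" && $3 == "checksum:" {
            n++
            if ($4 ~ /^[0-9a-f]+$/) sum = $4
        }
        END { if (n == 1 && sum != "") print sum; else exit 1 }
    ' "$1"
}

# Print the submodules whose checksum differs between the pinned build ($1)
# and the latest-tag build ($2). Returns 2 (fail closed) if any checksum is
# missing or malformed, so the caller does not act on a failed build.
submodules_to_bump() {
    changed=""
    for name in boto3 botocore; do
        pinned=$(extract_checksum "$1" "$name") || return 2
        latest=$(extract_checksum "$2" "$name") || return 2
        [ "$pinned" = "$latest" ] || changed="$changed $name"
    done
    printf '%s\n' "${changed# }"
}

# Constructed sample outputs: only botocore's data changed; broken.txt
# stands in for a build that failed before printing the boto3 line.
tmp=$(mktemp -d)
cat > "$tmp/pinned.txt" <<'EOF'
boto3 data checksum: 1a2b3c4d
botocore data checksum: 5e6f7a8b
EOF
cat > "$tmp/latest.txt" <<'EOF'
boto3 data checksum: 1a2b3c4d
botocore data checksum: 9c0d1e2f
EOF
cat > "$tmp/broken.txt" <<'EOF'
error: build failed
botocore data checksum: 9c0d1e2f
EOF

submodules_to_bump "$tmp/pinned.txt" "$tmp/latest.txt"
```
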