Backpropagate Cargo.lock updates to all lock files

ci/buildkite.yml

@@ -5,6 +5,13 @@
 # Release tags use buildkite-release.yml instead
 
 steps:
+  - command: "ci/dependabot-pr.sh"
+    name: "dependabot"
+    timeout_in_minutes: 5
+    if: build.env("GITHUB_USER") == "dependabot-preview[bot]"
+
+  - wait
+
   - command: ". ci/rust-version.sh; ci/docker-run.sh $$rust_nightly_docker_image ci/test-checks.sh"
     name: "checks"
     timeout_in_minutes: 20

ci/dependabot-pr.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+set -ex
+
+cd "$(dirname "$0")/.."
+
+if ! echo "$BUILDKITE_BRANCH" | grep -E '^pull/[0-9]+/head$'; then
+  echo "not pull request!?" >&2
+  exit 1
+fi
+
+source ci/rust-version.sh stable
+
+ci/docker-run.sh $rust_nightly_docker_image ci/dependabot-updater.sh
+
+if [[ $(git status --short :**/Cargo.lock | wc -l) -gt 0 ]]; then
+  (
+    echo --- "(FAILING) Backpropagating dependabot-triggered Cargo.lock updates"
+
+    git add :**/Cargo.lock
+    NAME="dependabot-buildkite"
+    GIT_AUTHOR_NAME="$NAME" \
+      GIT_COMMITTER_NAME="$NAME" \
+      EMAIL="dependabot-buildkite@noreply.solana.com" \
+      git commit -m "[auto-commit] Update all Cargo lock files"
+    api_base="https://api.github.com/repos/solana-labs/solana/pulls"
+    pr_num=$(echo "$BUILDKITE_BRANCH" | grep -Eo '[0-9]+')
+    branch=$(curl -s "$api_base/$pr_num" | python -c 'import json,sys;print json.load(sys.stdin)["head"]["ref"]')
+    git push origin "HEAD:$branch"
+
+    echo "Source branch is updated; failing this build for the next"
+    exit 1
+  )
+fi
+
+echo --- ok

ci/dependabot-updater.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -ex
+cd "$(dirname "$0")/.."
+source ci/_
+
+commit_range="$(git merge-base HEAD origin/master)..HEAD"
+parsed_update_args="$(
+  git log "$commit_range" --author "dependabot-preview" --oneline -n1 |
+    grep -o 'Bump.*$' |
+    sed -r 's/Bump ([^ ]+) from [^ ]+ to ([^ ]+)/-p \1 --precise \2/'
+)"
+package=$(echo "$parsed_update_args" | awk '{print $2}')
+if [[ -n $parsed_update_args ]]; then
+  # shellcheck disable=SC2086
+  _TARGET_LOCK_FILES=$(git grep --files-with-matches "$package" :**/Cargo.lock) \
+    _ scripts/cargo-for-all-lock-files.sh update $parsed_update_args
+fi
+
+echo --- ok

ci/test-checks.sh

@@ -13,6 +13,15 @@ export RUSTFLAGS="-D warnings"
 # Look for failed mergify.io backports
 _ git show HEAD --check --oneline
 
+if _ scripts/cargo-for-all-lock-files.sh check --locked; then
+  true
+else
+  check_status=$?
+  echo "Some Cargo.lock is outdated; please update them as well"
+  echo "protip: you can use ./scripts/cargo-for-all-lock-files.sh update ..."
+  exit "$check_status"
+fi
+
 _ cargo +"$rust_stable" fmt --all -- --check
 
 # Clippy gets stuck for unknown reasons if sdk-c is included in the build, so check it separately.

scripts/cargo-for-all-lock-files.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [[ -n $_TARGET_LOCK_FILES ]]; then
+  files="$_TARGET_LOCK_FILES"
+else
+  files="$(git ls-files :**/Cargo.lock)"
+fi
+
+for lock_file in $files
+do
+  (
+    set -x
+    cd "$(dirname "$lock_file")"
+    cargo "$@"
+  )
+done