name: Proto Version Check on: pull_request: paths: - "**/*.proto" - "**/*.pb.go" - "**/generate.sh" - "proto-tools.env" - ".github/workflows/proto-version-check.yml" jobs: regenerate-and-diff: name: Regenerate proto and verify no drift runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Load pinned proto toolchain versions run: | # shellcheck source=/dev/null . ./proto-tools.env { echo "PROTOC_VERSION=${PROTOC_VERSION}" echo "PROTOC_GEN_GO_VERSION=${PROTOC_GEN_GO_VERSION}" echo "PROTOC_GEN_GO_GRPC_VERSION=${PROTOC_GEN_GO_GRPC_VERSION}" } >> "$GITHUB_ENV" - name: Setup Go uses: actions/setup-go@v5 with: go-version-file: go.mod - name: Setup protoc uses: arduino/setup-protoc@v3 with: version: ${{ env.PROTOC_VERSION }} repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Install protoc plugins run: | go install "google.golang.org/protobuf/cmd/protoc-gen-go@${PROTOC_GEN_GO_VERSION}" go install "google.golang.org/grpc/cmd/protoc-gen-go-grpc@${PROTOC_GEN_GO_GRPC_VERSION}" echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH" - name: Verify protoc version matches pin run: | actual=$(protoc --version | awk '{print $2}') if [ "$actual" != "$PROTOC_VERSION" ]; then echo "::error::protoc $actual does not match pinned $PROTOC_VERSION" exit 1 fi - name: Regenerate all proto bindings run: | set -euo pipefail for script in \ client/proto/generate.sh \ shared/signal/proto/generate.sh \ shared/management/proto/generate.sh \ flow/proto/generate.sh \ encryption/testprotos/generate.sh; do echo "::group::$script" bash "$script" echo "::endgroup::" done - name: Fail if regeneration changed any tracked file run: | if ! git diff --exit-code; then echo "::error::Generated proto files drift from .proto sources or pinned tool versions." echo "Run the generate.sh scripts locally with the toolchain in proto-tools.env and commit the result." exit 1 fi