From c13c240dc1cd7bb1a58219485725548a182744dd Mon Sep 17 00:00:00 2001
From: Peter Wagner
Date: Thu, 27 Jul 2023 07:17:48 -0400
Subject: [PATCH 1/5] new workflow: depnedabot-automerge
---
 .github/workflows/dependabot-automerge.yaml | 120 ++++++++++++++++++++
 1 file changed, 120 insertions(+)
 create mode 100644 .github/workflows/dependabot-automerge.yaml
diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml
new file mode 100644
index 0000000..a87a7ee
--- /dev/null
+++ b/.github/workflows/dependabot-automerge.yaml
@@ -0,0 +1,120 @@
+# Automatically merge a Dependabot PR.
+# Users must opt into merging upgrades by their ecosystem and semver gap.
+# Accepting major upgrades implies accepting minor and patch. Accepting minor implies patch.
+#
+# This should be called on:
+# - pull_request.{opened,reopened,synchronize}: ideally filtered to lockfile paths (e.g. go.sum, yarn.lock)
+
+name: Dependabot auto-merge
+
+on:
+ workflow_call:
+ inputs:
+ all:
+ required: false
+ type: string
+ default: none
+ description: |
+ Upgrades to automatically merge. Valid values are: all, none, major, minor, patch.
+
+ # Prefer alphabetical, but "all" is special.
+ actions:
+ required: false
+ type: string
+ default: none
+ description: |
+ GitHub Actions upgrades to automatically merge. Valid values are: all, none, major, minor, patch.
+ npm:
+ required: false
+ type: string
+ default: none
+ description: |
+ NPM upgrades to automatically merge. Valid values are: all, none, major, minor, patch.
+
+permissions: {}
+
+jobs:
+ automerge:
+ runs-on: ubuntu-latest
+ if: github.actor == 'dependabot[bot]'
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - name: Validate inputs
+ run: |
+ echo "all=${{ github.event.inputs.all }}"
+ if [[ ! "${{ github.event.inputs.all }}" =~ ^(all|none|major|minor|patch)$ ]]; then
+ echo "Invalid input: all=${{ github.event.inputs.all }}"
+ exit 1
+ fi
+
+ echo "actions=${{ github.event.inputs.actions }}"
+ if [[ ! "${{ github.event.inputs.actions }}" =~ ^(all|none|major|minor|patch)$ ]]; then
+ echo "Invalid input: actions=${{ github.event.inputs.actions }}"
+ exit 1
+ fi
+
+ echo "npm=${{ github.event.inputs.npm }}"
+ if [[ ! 
"${{ github.event.inputs.npm }}" =~ ^(all|none|major|minor|patch)$ ]]; then
+ echo "Invalid input: npm=${{ github.event.inputs.npm }}"
+ exit 1
+ fi
+
+ - name: Retrieve Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Merge GitHub Actions update
+ if: |
+ steps.metadata.outputs.package-ecosystem == 'github_actions' &&
+ (
+ (github.event.inputs.all == 'all' || github.event.inputs.actions == 'all') ||
+ (
+ steps.metadata.outputs.update-type == 'version-update:semver-major' &&
+ (github.event.inputs.all == 'major' || github.event.inputs.actions == 'major')
+ ) ||
+ (
+ steps.metadata.outputs.update-type == 'version-update:semver-minor' &&
+ (
+ (github.event.inputs.all == 'major' || github.event.inputs.actions == 'major') ||
+ (github.event.inputs.all == 'minor' || github.event.inputs.actions == 'minor')
+ )
+ ) ||
+ (
+ steps.metadata.outputs.update-type == 'version-update:semver-patch' &&
+ (github.event.inputs.all != 'none' || github.event.inputs.actions != 'none')
+ )
+ )
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ run: gh pr merge --auto --merge "$PR_URL"
+
+ - name: Merge NPM update
+ if: |
+ steps.metadata.outputs.package-ecosystem == 'npm_and_yarn' &&
+ (
+ (github.event.inputs.all == 'all' || github.event.inputs.npm == 'all') ||
+ (
+ steps.metadata.outputs.update-type == 'version-update:semver-major' &&
+ (github.event.inputs.all == 'major' || github.event.inputs.npm == 'major')
+ ) ||
+ (
+ steps.metadata.outputs.update-type == 'version-update:semver-minor' &&
+ (
+ (github.event.inputs.all == 'major' || github.event.inputs.npm == 'major') ||
+ (github.event.inputs.all == 'minor' || github.event.inputs.npm == 'minor')
+ )
+ ) ||
+ (
+ steps.metadata.outputs.update-type == 'version-update:semver-patch' &&
+ (github.event.inputs.all != 'none' || 
github.event.inputs.npm != 'none')
+ )
+ )
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ run: gh pr merge --auto --merge "$PR_URL"
From 89775ce7c9da0da5b5550c10bac6107332dda649 Mon Sep 17 00:00:00 2001
From: Peter Wagner
Date: Thu, 27 Jul 2023 07:26:29 -0400
Subject: [PATCH 2/5] automerge: fixing syntax
---
 .github/workflows/dependabot-automerge.yaml | 38 ++++++++++-----------
 1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml
index a87a7ee..596f49c 100644
--- a/.github/workflows/dependabot-automerge.yaml
+++ b/.github/workflows/dependabot-automerge.yaml
@@ -43,21 +43,21 @@ jobs:
 steps:
 - name: Validate inputs
 run: |
- echo "all=${{ github.event.inputs.all }}"
- if [[ ! "${{ github.event.inputs.all }}" =~ ^(all|none|major|minor|patch)$ ]]; then
- echo "Invalid input: all=${{ github.event.inputs.all }}"
+ echo "all=${{ inputs.all }}"
+ if [[ ! "${{ inputs.all }}" =~ ^(all|none|major|minor|patch)$ ]]; then
+ echo "Invalid input: all=${{ inputs.all }}"
 exit 1
 fi
- echo "actions=${{ github.event.inputs.actions }}"
- if [[ ! "${{ github.event.inputs.actions }}" =~ ^(all|none|major|minor|patch)$ ]]; then
- echo "Invalid input: actions=${{ github.event.inputs.actions }}"
+ echo "actions=${{ inputs.actions }}"
+ if [[ ! "${{ inputs.actions }}" =~ ^(all|none|major|minor|patch)$ ]]; then
+ echo "Invalid input: actions=${{ inputs.actions }}"
 exit 1
 fi
- echo "npm=${{ github.event.inputs.npm }}"
- if [[ ! "${{ github.event.inputs.npm }}" =~ ^(all|none|major|minor|patch)$ ]]; then
- echo "Invalid input: npm=${{ github.event.inputs.npm }}"
+ echo "npm=${{ inputs.npm }}"
+ if [[ ! "${{ inputs.npm }}" =~ ^(all|none|major|minor|patch)$ ]]; then
+ echo "Invalid input: npm=${{ inputs.npm }}"
 exit 1
 fi
 
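Review bot: The job asks for `contents: write` and `pull-requests: write`, but a reusable (`workflow_call`) workflow can only narrow the token the calling job grants, so a caller that keeps the default read-only `GITHUB_TOKEN` will see `gh pr merge` fail rather than skip; the header should tell callers to set `permissions: { contents: write, pull-requests: write }` on the calling job. `gh pr merge --auto` also depends on auto-merge being allowed in the repository settings, which belongs in the same precondition list under `# This should be called on:`. One behaviour of the two `if:` conditions deserves a comment: if `steps.metadata.outputs.update-type` is ever empty or not one of the three `version-update:semver-*` values, an `all` opt-in still merges through the first clause while `major`/`minor`/`patch` opt-ins do not — that asymmetry looks intentional but is not written down anywhere.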
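Review bot: The rewritten checks still splice `${{ inputs.all }}` (and `.actions`, `.npm`) straight into the bash script, so the regex validation runs only after any quotes or shell metacharacters in the value have already been interpreted — it protects the later `if:` expressions but not this step. The values come from the calling workflow's YAML, which bounds the exposure, but a caller can forward event-derived text. Pass them through `env:` and test the variable instead: `env: { ALL: "${{ inputs.all }}" }` on the step, then `if [[ ! "$ALL" =~ ^(all|none|major|minor|patch)$ ]]; then` (same for `ACTIONS` and `NPM`). The step's `run:` block is complete inside the hunk; the `env:` would go just above it.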
@@ -71,21 +71,21 @@ jobs:
 if: |
 steps.metadata.outputs.package-ecosystem == 'github_actions' &&
 (
- (github.event.inputs.all == 'all' || github.event.inputs.actions == 'all') ||
+ (inputs.all == 'all' || inputs.actions == 'all') ||
 (
 steps.metadata.outputs.update-type == 'version-update:semver-major' &&
- (github.event.inputs.all == 'major' || github.event.inputs.actions == 'major')
+ (inputs.all == 'major' || inputs.actions == 'major')
 ) ||
 (
 steps.metadata.outputs.update-type == 'version-update:semver-minor' &&
 (
- (github.event.inputs.all == 'major' || github.event.inputs.actions == 'major') ||
- (github.event.inputs.all == 'minor' || github.event.inputs.actions == 'minor')
+ (inputs.all == 'major' || inputs.actions == 'major') ||
+ (inputs.all == 'minor' || inputs.actions == 'minor')
 )
 ) ||
 (
 steps.metadata.outputs.update-type == 'version-update:semver-patch' &&
- (github.event.inputs.all != 'none' || github.event.inputs.actions != 'none')
+ (inputs.all != 'none' || inputs.actions != 'none')
 )
 )
 env:
@@ -97,21 +97,21 @@ jobs:
 if: |
 steps.metadata.outputs.package-ecosystem == 'npm_and_yarn' &&
 (
- (github.event.inputs.all == 'all' || github.event.inputs.npm == 'all') ||
+ (inputs.all == 'all' || inputs.npm == 'all') ||
 (
 steps.metadata.outputs.update-type == 'version-update:semver-major' &&
- (github.event.inputs.all == 'major' || github.event.inputs.npm == 'major')
+ (inputs.all == 'major' || inputs.npm == 'major')
 ) ||
 (
 steps.metadata.outputs.update-type == 'version-update:semver-minor' &&
 (
- (github.event.inputs.all == 'major' || github.event.inputs.npm == 'major') ||
- (github.event.inputs.all == 'minor' || github.event.inputs.npm == 'minor')
+ (inputs.all == 'major' || inputs.npm == 'major') ||
+ (inputs.all == 'minor' || inputs.npm == 'minor')
 )
 ) ||
 (
 steps.metadata.outputs.update-type == 'version-update:semver-patch' &&
- (github.event.inputs.all != 'none' || github.event.inputs.npm != 'none')
+ (inputs.all != 'none' || inputs.npm != 'none')
 )
 )
 env: 
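Review bot: The semver-patch clause `(inputs.all != 'none' || inputs.actions != 'none')` is correct only because the earlier Validate step restricts both inputs to the five known words; taken on its own, an empty string or a misspelling would pass it and auto-merge patch updates, so a comment such as `# any non-'none' opt-in covers patch; relies on the Validate step above` would stop a later edit from loosening that coupling. As a matter of style, the major ⊇ minor ⊇ patch lattice is spelled out twice in full (here and in the npm step below); the Validate step could instead write one normalized level per ecosystem to `$GITHUB_OUTPUT`, and each of these conditions would shrink to an ecosystem check plus a three-way comparison on that level. The `if:` expression is complete inside the hunk; the step's `env:` and `run:` follow outside it.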
From 2616253dcacde151cd7d8175703260771ca38085 Mon Sep 17 00:00:00 2001
From: Peter Wagner
Date: Thu, 27 Jul 2023 07:47:16 -0400
Subject: [PATCH 3/5] approve for branch protection?
---
 .github/workflows/dependabot-automerge.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml
index 596f49c..3f3a312 100644
--- a/.github/workflows/dependabot-automerge.yaml
+++ b/.github/workflows/dependabot-automerge.yaml
@@ -116,5 +116,10 @@ jobs:
 )
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ MERGE_ALL: ${{ inputs.all }}
+ MERGE_ECOSYSTEM: ${{ inputs.npm }}
+ UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
 PR_URL: ${{ github.event.pull_request.html_url }}
- run: gh pr merge --auto --merge "$PR_URL"
+ run: |
+ gh pr review --approve --body "Automerging NPM ${MERGE_ALL}/${MERGE_ECOSYSTEM} vs ${UPDATE_TYPE}" "$PR_URL"
+ gh pr merge --auto --merge "$PR_URL"
From 090f70d6393f88900048f069b04e61ea56b27ee2 Mon Sep 17 00:00:00 2001
From: Peter Wagner
Date: Thu, 27 Jul 2023 07:49:12 -0400
Subject: [PATCH 4/5] actions too :facepalm:
---
 .github/workflows/dependabot-automerge.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml
index 3f3a312..8739ab2 100644
--- a/.github/workflows/dependabot-automerge.yaml
+++ b/.github/workflows/dependabot-automerge.yaml
@@ -90,8 +90,13 @@ jobs:
 )
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ MERGE_ALL: ${{ inputs.all }}
+ MERGE_ECOSYSTEM: ${{ inputs.actions }}
+ UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
 PR_URL: ${{ github.event.pull_request.html_url }}
- run: gh pr merge --auto --merge "$PR_URL"
+ run: |
+ gh pr review --approve --body "Automerging Actions ${MERGE_ALL}/${MERGE_ECOSYSTEM} vs ${UPDATE_TYPE}" "$PR_URL"
+ gh pr merge --auto --merge "$PR_URL"
 - name: Merge NPM update
 if: | 
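Review bot: The `gh pr review --approve` added in front of the merge uses the same `GITHUB_TOKEN`, so the approval is recorded by `github-actions[bot]` and a "require N approving reviews" rule is satisfied by this workflow rather than by a person — that is evidently the purpose of the commit, but it is a policy decision the header comment should state plainly (e.g. `# NOTE: the workflow approves the PR with GITHUB_TOKEN, so a required-review rule does not add a human gate for Dependabot PRs.`). Two caveats worth adding next to it: the bot approval does not satisfy a "require review from Code Owners" rule, and with "dismiss stale approvals on push" enabled each Dependabot rebase (a `synchronize` event) will dismiss it and this workflow will simply re-approve on the re-run, so a PR can accumulate one bot review per rebase. Both steps now carry the identical approve-then-merge body with only the ecosystem name changed; the two `if:` blocks begin above their hunks, outside this view.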
From c8dde6849e7be21497e1d1a3e21159eff5befe90 Mon Sep 17 00:00:00 2001
From: Peter Wagner
Date: Thu, 27 Jul 2023 08:03:12 -0400
Subject: [PATCH 5/5] tweak approval message, more docs
---
 .github/workflows/dependabot-automerge.yaml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml
index 8739ab2..1990f22 100644
--- a/.github/workflows/dependabot-automerge.yaml
+++ b/.github/workflows/dependabot-automerge.yaml
@@ -1,11 +1,13 @@
 # Automatically merge a Dependabot PR.
-# Users must opt into merging upgrades by their ecosystem and semver gap.
+# Should ONLY be used when the default branch is protected with CI check requirements.
+#
+# Users must opt into merging upgrades by ecosystem and semver gap, e.g. "minor upgrades to github actions" or "patch upgrades to npm".
 # Accepting major upgrades implies accepting minor and patch. Accepting minor implies patch.
 #
 # This should be called on:
 # - pull_request.{opened,reopened,synchronize}: ideally filtered to lockfile paths (e.g. go.sum, yarn.lock)
-name: Dependabot auto-merge
+# IDEA: maybe filter by package name? Could be workflow inputs, or we clone the repo's default branch and look for a `.github/automerge-allowlist.txt` or something.
 on:
 workflow_call:
@@ -95,7 +97,7 @@ jobs:
 UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
 PR_URL: ${{ github.event.pull_request.html_url }}
 run: |
- gh pr review --approve --body "Automerging Actions ${MERGE_ALL}/${MERGE_ECOSYSTEM} vs ${UPDATE_TYPE}" "$PR_URL"
+ gh pr review --approve --body "Merging this \`${UPDATE_TYPE}\` update (actions: \`${MERGE_ECOSYSTEM}\`, all: \`${MERGE_ALL}\`)" "$PR_URL"
+ gh pr merge --auto --merge "$PR_URL"
 - name: Merge NPM update 
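Review bot: The `-name: Dependabot auto-merge` line is deleted and the `+# IDEA:` comment takes its slot with nothing restoring the key, so the workflow loses its display name and the Actions UI will show it by file path; the subject says "more docs", which suggests this was accidental — keep the comment and put `name: Dependabot auto-merge` back on the line after it. The new `# Should ONLY be used when the default branch is protected with CI check requirements.` line is the right caveat, but since the merge steps also approve the PR with `GITHUB_TOKEN`, it should add a sentence that a required-review rule is satisfied by the workflow itself and not by a human reviewer. The `# IDEA:` allowlist note reads as a TODO rather than documentation; consider prefixing it `# TODO:` so it is found by the usual tooling.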
@@ -126,5 +128,5 @@ jobs:
 UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
 PR_URL: ${{ github.event.pull_request.html_url }}
 run: |
- gh pr review --approve --body "Automerging NPM ${MERGE_ALL}/${MERGE_ECOSYSTEM} vs ${UPDATE_TYPE}" "$PR_URL"
+ gh pr review --approve --body "Merging this \`${UPDATE_TYPE}\` update (npm: \`${MERGE_ECOSYSTEM}\`, all: \`${MERGE_ALL}\`)" "$PR_URL"
 gh pr merge --auto --merge "$PR_URL"