patching dependabot workflow to address security risk #40
| name: Dependabot NEWS.md autofill | |
| on: | |
| pull_request: | |
| branches: [main] | |
| types: [opened, synchronize, reopened, edited] | |
| permissions: | |
| contents: write | |
| pull-requests: read | |
| jobs: | |
| add-news-entry: | |
| if: github.actor == 'dependabot[bot]' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout base branch | |
| uses: actions/checkout@v6 | |
| with: | |
| ref: main | |
| fetch-depth: 0 | |
| - name: Compute NEWS.md entry from Dependabot title | |
| id: news | |
| shell: bash | |
| env: | |
| TITLE: ${{ github.event.pull_request.title }} | |
| run: | | |
| set -euo pipefail | |
| sanitize() { | |
| printf '%s' "$1" \ | |
| | tr -d '\r\n' \ | |
| | tr -cd '[:alnum:][:space:].,_@%:/+-' \ | |
| | sed 's/[[:space:]]\+/ /g' | |
| } | |
| if [[ "$TITLE" =~ ^Bump[[:space:]]+(.+)[[:space:]]+from[[:space:]]+([^[:space:]]+)[[:space:]]+to[[:space:]]+([^[:space:]]+)$ ]]; then | |
| RAW_PKG="${BASH_REMATCH[1]}" | |
| RAW_FROM="${BASH_REMATCH[2]}" | |
| RAW_TO="${BASH_REMATCH[3]}" | |
| PKG="$(sanitize "$RAW_PKG")" | |
| FROM="$(sanitize "$RAW_FROM")" | |
| TO="$(sanitize "$RAW_TO")" | |
| ENTRY="* dependabot updating package ${PKG} from version ${FROM} to version ${TO} new" | |
| else | |
| ENTRY="* dependabot updating dependencies new" | |
| fi | |
| { | |
| echo "entry<<EOF" | |
| echo "$ENTRY" | |
| echo "EOF" | |
| } >> "$GITHUB_OUTPUT" | |
| - name: Update NEWS.md | |
| id: update | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| ENTRY="${{ steps.news.outputs.entry }}" | |
| if [[ ! -f NEWS.md ]]; then | |
| echo "::error file=NEWS.md,line=1,col=1::NEWS.md not found." | |
| exit 1 | |
| fi | |
| if grep -Fqx "$ENTRY" NEWS.md; then | |
| echo "changed=false" >> "$GITHUB_OUTPUT" | |
| exit 0 | |
| fi | |
| tmp="$(mktemp)" | |
| awk -v entry="$ENTRY" ' | |
| BEGIN { inserted=0 } | |
| { | |
| print $0 | |
| if ($0 ~ /^##[[:space:]]+Features[[:space:]]*$/ && inserted == 0) { | |
| print entry | |
| inserted=1 | |
| } | |
| } | |
| END { | |
| if (inserted == 0) { | |
| print "" | |
| print entry | |
| } | |
| } | |
| ' NEWS.md > "$tmp" | |
| mv "$tmp" NEWS.md | |
| echo "changed=true" >> "$GITHUB_OUTPUT" | |
| - name: Commit and push to PR branch | |
| if: steps.update.outputs.changed == 'true' | |
| shell: bash | |
| run: | | |
| set -euo pipefail | |
| git fetch origin "${{ github.event.pull_request.head.ref }}" | |
| git checkout "${{ github.event.pull_request.head.ref }}" | |
| git config user.name "github-actions[bot]" | |
| git config user.email "github-actions[bot]@users.noreply.github.com" | |
| git add NEWS.md | |
| git commit -m "Update NEWS.md for Dependabot PR" | |
| git push origin HEAD | |
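Review bot: The second and third steps still interpolate `${{ }}` expressions straight into `run:` scripts — `ENTRY="${{ steps.news.outputs.entry }}"` and the two `${{ github.event.pull_request.head.ref }}` uses in the commit step — which is the same script-injection shape the first step already avoids by routing the PR title through `env:`. The `sanitize` function limits the damage for `entry` (it strips quotes, `$`, backticks and backslashes before the value reaches the output), but `head.ref` is taken from the event payload with no filtering at all, and the `github.actor == 'dependabot[bot]'` gate is the only thing standing between that branch name and the shell. Passing both values through `env:` and quoting them as `"$ENTRY"` / `"$HEAD_REF"` removes the interpolation entirely and makes the three steps consistent. Note also that a Dependabot-triggered `pull_request` run may receive a read-only `GITHUB_TOKEN` regardless of the `permissions:` block; if the final `git push` is rejected, that restriction is the likely cause and worth confirming against current GitHub Actions behavior.

```yaml
      - name: Update NEWS.md
        id: update
        shell: bash
        env:
          ENTRY: ${{ steps.news.outputs.entry }}
        run: |
          set -euo pipefail
          # … unchanged: NEWS.md existence check, duplicate check, awk insertion …

      - name: Commit and push to PR branch
        if: steps.update.outputs.changed == 'true'
        shell: bash
        env:
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          set -euo pipefail
          git fetch origin "$HEAD_REF"
          git checkout "$HEAD_REF"
          # … unchanged: git config, add, commit, push …
```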
| ``` |