Update workflow files from stardust-npm-scripts

rvdh · rvdh · commit ced35759993b · 2022-05-30T13:39:21.000+02:00
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -1,3 +1,4 @@
+# These workflows are copied from stardust-npm-scripts. Edit them there.
 ---
 name: Lint, test and build
 on: push
@@ -49,39 +50,3 @@ jobs:
     - run: npm run build
 
     - run: npm run lint
-
-  dependabot_auto_merge:
-    runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' }}
-    steps:
-    - uses: google-github-actions/auth@v0
-      id: auth
-      with:
-        workload_identity_provider: projects/${{ env.GCLOUD_PROJECT_ID }}/locations/global/workloadIdentityPools/github/providers/github-actions
-        service_account: github-actions@${{ env.GCLOUD_PROJECT_NAME }}.iam.gserviceaccount.com
-
-    - name: Get common secrets
-      id: secrets
-      uses: google-github-actions/get-secretmanager-secrets@v0
-      with:
-        secrets: |-
-          github:${{ env.GCLOUD_PROJECT_NAME }}/github
-
-    - name: Dependabot metadata
-      id: metadata
-      uses: dependabot/fetch-metadata@v1.1.1
-      with:
-        github-token: ${{ fromJson(steps.secrets.outputs.github).token }}
-
-    - name: Automatically approve the PR
-      run: gh pr review --approve "${PR_URL}"
-      env:
-        PR_URL: ${{github.event.pull_request.html_url}}
-        GITHUB_TOKEN: ${{ fromJson(steps.secrets.outputs.github).token }}
-
-    - name: Enable auto-merge for patch or minor version updates
-      if: "${{ steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' }}"
-      run: gh pr merge --auto --merge "${PR_URL}"
-      env:
-        PR_URL: ${{github.event.pull_request.html_url}}
-        GITHUB_TOKEN: ${{ fromJson(steps.secrets.outputs.github).token }}
diff --git a/.github/workflows/dependabot.yaml b/.github/workflows/dependabot.yaml
@@ -0,0 +1,53 @@
+# These workflows are copied from stardust-npm-scripts. Edit them there.
+---
+name: Auto-merge dependabot
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, labeled, unlabeled]
+
+env:
+  GCLOUD_PROJECT_NAME: um-cloud-production
+  GCLOUD_PROJECT_ID: 72990522503
+
+permissions:
+  # Needed to clone the repo
+  contents: read
+  # Needed for Workload Identity
+  id-token: write
+
+jobs:
+  dependabot_auto_merge:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    steps:
+    - uses: google-github-actions/auth@v0
+      id: auth
+      with:
+        workload_identity_provider: projects/${{ env.GCLOUD_PROJECT_ID }}/locations/global/workloadIdentityPools/github/providers/github-actions
+        service_account: github-actions@${{ env.GCLOUD_PROJECT_NAME }}.iam.gserviceaccount.com
+
+    - name: Get common secrets
+      id: secrets
+      uses: google-github-actions/get-secretmanager-secrets@v0
+      with:
+        secrets: |-
+          github:${{ env.GCLOUD_PROJECT_NAME }}/github
+
+    - name: Dependabot metadata
+      id: metadata
+      uses: dependabot/fetch-metadata@v1.1.1
+      with:
+        github-token: ${{ fromJson(steps.secrets.outputs.github).token }}
+
+    - name: Automatically approve the PR
+      run: gh pr review --approve "${PR_URL}"
+      env:
+        PR_URL: ${{github.event.pull_request.html_url}}
+        GITHUB_TOKEN: ${{ fromJson(steps.secrets.outputs.github).token }}
+
+    - name: Enable auto-merge for patch or minor version updates
+      if: "${{ steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' }}"
+      run: gh pr merge --auto --merge "${PR_URL}"
+      env:
+        PR_URL: ${{github.event.pull_request.html_url}}
+        GITHUB_TOKEN: ${{ fromJson(steps.secrets.outputs.github).token }}
diff --git a/.github/workflows/publish-beta.yaml b/.github/workflows/publish-beta.yaml
@@ -1,3 +1,4 @@
+# These workflows are copied from stardust-npm-scripts. Edit them there.
 ---
 name: Lint, test, build, and publish
 on:
@@ -14,8 +15,8 @@ permissions:
   contents: read
   # Needed for Workload Identity
   id-token: write
-  # Needed to pull docker images / write NPM packages
-  packages: write
+  # Needed to pull docker images
+  packages: read
 
 jobs:
   publish:
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -1,3 +1,4 @@
+# These workflows are copied from stardust-npm-scripts. Edit them there.
 ---
 name: Lint, test, build, and publish
 on:
@@ -14,8 +15,8 @@ permissions:
   contents: read
   # Needed for Workload Identity
   id-token: write
-  # Needed to pull docker images / write NPM packages
-  packages: write
+  # Needed to pull docker images
+  packages: read
 
 jobs:
   publish:
