-
Notifications
You must be signed in to change notification settings - Fork 10
235 lines (200 loc) · 8.08 KB
/
Copy pathdependabot.yml
File metadata and controls
235 lines (200 loc) · 8.08 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
name: Dependabot
on:
pull_request:
types: [opened, synchronize, reopened]
schedule:
# Monthly lock file maintenance on first Monday at 6 AM
- cron: '0 6 1 * 1'
workflow_dispatch:
concurrency:
group: "dependency-updates-${{ github.ref }}"
cancel-in-progress: true
jobs:
config:
name: Get Configuration
runs-on: ubuntu-latest
outputs:
default-python-version: ${{ steps.config.outputs.default-python-version }}
steps:
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Get project configuration
id: config
uses: ./.github/actions/get-config
setup-cache:
name: Setup Cache
needs: config
uses: ./.github/workflows/cache-management.yml
with:
cache-type: dependencies
cache-key-base: deps
python-version: ${{ needs.config.outputs.default-python-version }}
update-uv-lock:
name: Update UV Lock File
if: github.actor == 'dependabot[bot]' && github.event_name == 'pull_request'
runs-on: ubuntu-latest
needs: [config, setup-cache]
permissions:
contents: write
pull-requests: write
steps:
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
fetch-depth: 0
# On a Dependabot pull_request the default checkout target is the
# synthesised merge ref, which lands as a detached HEAD. The
# subsequent commit succeeds but the push errors with
# `fatal: You are not currently on a branch`. Pin to the PR head
# branch by name so push has an upstream to write to.
ref: ${{ github.head_ref }}
- name: Setup Python and UV
uses: ./.github/actions/setup-uv-cached
with:
cache-key: ${{ needs.setup-cache.outputs.cache-key }}
fail-on-cache-miss: false
- name: Update UV lock file
run: |
uv lock
- name: Commit updated lock file
env:
GIT_AUTHOR_NAME: github-actions[bot]
GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com
GIT_COMMITTER_NAME: github-actions[bot]
GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
run: |
if [[ -n $(git status --porcelain) ]]; then
git add uv.lock
git commit -m "chore(deps): update uv.lock after dependabot changes"
git push
else
echo "No changes to commit"
fi
auto-merge:
name: Auto-merge
if: github.actor == 'dependabot[bot]' && github.event_name == 'pull_request'
runs-on: ubuntu-latest
needs: [update-uv-lock]
permissions:
contents: write
pull-requests: write
checks: read
steps:
- name: Check if PR is ready for auto-merge
id: check-automerge
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
with:
script: |
const { data: pr } = await github.rest.pulls.get({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number
});
// SECURITY: Sanitize inputs to prevent injection
const title = pr.title.toLowerCase().replace(/[^a-z0-9\-\s]/g, '');
const allowedLabels = ['patch', 'minor', 'major', 'dependencies', 'dev-dependencies', 'security'];
const labels = pr.labels
.map(label => label.name)
.filter(name => allowedLabels.includes(name));
// Auto-merge conditions
const isPatch = title.includes('patch') || labels.includes('patch');
const isMinor = title.includes('minor') || labels.includes('minor');
const isDev = title.includes('dev-dependencies') || labels.includes('dependencies');
const shouldAutoMerge = isPatch || (isMinor && isDev);
console.log(`Sanitized title: ${title}`);
console.log(`Filtered labels: ${labels.join(', ')}`);
console.log(`Should auto-merge: ${shouldAutoMerge}`);
return shouldAutoMerge;
- name: Wait for checks to complete
if: steps.check-automerge.outputs.result == 'true'
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
with:
script: |
const maxWaitTime = 10 * 60 * 1000; // 10 minutes
const checkInterval = 30 * 1000; // 30 seconds
const startTime = Date.now();
while (Date.now() - startTime < maxWaitTime) {
const { data: checks } = await github.rest.checks.listForRef({
owner: context.repo.owner,
repo: context.repo.repo,
ref: context.payload.pull_request.head.sha
});
const relevantChecks = checks.check_runs.filter(check =>
!check.name.includes('auto-merge') &&
!check.name.includes('dependabot')
);
const allCompleted = relevantChecks.every(check =>
check.status === 'completed'
);
const allSuccessful = relevantChecks.every(check =>
check.conclusion === 'success' || check.conclusion === 'neutral'
);
if (allCompleted && allSuccessful) {
console.log('All checks passed!');
return true;
}
if (allCompleted && !allSuccessful) {
console.log('Some checks failed, not auto-merging');
return false;
}
console.log('Waiting for checks to complete...');
await new Promise(resolve => setTimeout(resolve, checkInterval));
}
console.log('Timeout waiting for checks');
return false;
- name: Auto-merge PR
if: steps.check-automerge.outputs.result == 'true'
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
with:
script: |
await github.rest.pulls.merge({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number,
merge_method: 'squash',
commit_title: `${context.payload.pull_request.title} (#${context.issue.number})`,
commit_message: 'Auto-merged by Dependabot workflow'
});
monthly-maintenance:
name: Monthly Maintenance
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
needs: [config, setup-cache]
permissions:
contents: write
pull-requests: write
steps:
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Setup Python and UV
uses: ./.github/actions/setup-uv-cached
with:
cache-key: ${{ needs.setup-cache.outputs.cache-key }}
fail-on-cache-miss: false
- name: Update all dependencies
run: |
echo "Updating all dependencies..."
uv lock --upgrade
- name: Create Pull Request
uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8
with:
token: ${{ secrets.GITHUB_TOKEN }}
commit-message: "chore(deps): monthly dependency maintenance"
title: "chore(deps): monthly dependency maintenance"
body: |
## Monthly Dependency Maintenance
This PR updates all dependencies to their latest compatible versions.
### Changes
- Updated `uv.lock` with latest dependency versions
- Automated monthly maintenance run
### Review Notes
- Check for any breaking changes in updated dependencies
- Verify all tests pass before merging
- Review security advisories for updated packages
branch: chore/monthly-dependency-maintenance
delete-branch: true
labels: |
dependencies
maintenance
automated