Merged
Changes from 1 commit
69 changes: 69 additions & 0 deletions .github/workflows/dependabot-tapioca.yml
@@ -0,0 +1,69 @@
name: Dependabot Tapioca

on:
pull_request:
types:
- opened
- synchronize
- reopened

permissions:
contents: read

jobs:
update_tapioca:
if: >
github.actor == 'dependabot[bot]' &&
startsWith(github.head_ref, 'dependabot/bundler/') &&
github.event.pull_request.head.repo.full_name == github.repository
runs-on: ubuntu-latest
services:
postgres:
image: postgis/postgis:15-3.3
ports:
- 5432:5432
env:
POSTGRES_PASSWORD: postgres
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
env:
RAILS_ENV: test
DATABASE_URL: "postgis://postgres:postgres@localhost:5432/rails_test"
permissions:
contents: write
concurrency:
group: dependabot-tapioca-${{ github.event.pull_request.number }}
cancel-in-progress: true
steps:
- name: Checkout Dependabot branch
uses: actions/checkout@v6
with:
ref: ${{ github.event.pull_request.head.ref }}
- name: Install Ruby and gems
uses: ruby/setup-ruby@v1.305.0
with:
bundler-cache: true
- name: Create database
run: bin/rails db:create
- name: Set up database schema
run: bin/rails db:schema:load
- name: Update Tapioca RBI files
run: |
bin/tapioca gem
bin/tapioca dsl
bin/tapioca dsl --environment=test
- name: Commit updated RBI files
run: |
if git diff --quiet --exit-code -- sorbet; then
echo "No Tapioca changes to commit"
exit 0
fi

git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git add sorbet
git commit -m "Update Tapioca RBI files"
git push origin HEAD:${{ github.event.pull_request.head.ref }}
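
Review bot: the last `run` step (line 69 of the file) expands `${{ github.event.pull_request.head.ref }}` directly into the shell text of `git push origin HEAD:${{ github.event.pull_request.head.ref }}`, which is exactly the script-injection pattern the SonarCloud annotation on this file reports: the branch name is substituted into the script before bash parses it, and this job holds `contents: write`. The `if:` guard (actor is `dependabot[bot]`, head ref starts with `dependabot/bundler/`, head repo equals the base repo) narrows who can reach the step, but the fix is cheap and removes the class of bug: put the value in the environment and quote it, e.g. add `env:` / `HEAD_REF: ${{ github.event.pull_request.head.ref }}` to the step and push with `git push origin "HEAD:$HEAD_REF"`. The same expression in the checkout step's `with: ref:` is fine, since it is passed as an action input rather than expanded into shell. Minor: `actions/checkout@v6` and `ruby/setup-ruby@v1.305.0` are pinned to tags; for a job with write permission, pinning third-party actions to a full commit SHA is the usual hardening.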

Check failure on line 69 in .github/workflows/dependabot-tapioca.yml

SonarQubeCloud / SonarCloud Code Analysis

The expression github.event.pull_request.head.ref can be set by an external actor to a specially crafted value, enabling script injection. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable.

See more on https://sonarcloud.io/project/issues?id=openaustralia_planningalerts&issues=AZ3TZ_wrJvNQ_U3gjcE_&open=AZ3TZ_wrJvNQ_U3gjcE_&pullRequest=2043

Check failure

Code scanning / SonarCloud

GitHub Actions should not be vulnerable to script injections (severity: High)

The expression github.event.pull_request.head.ref can be set by an external actor to a specially crafted value, enabling script injection. Change this workflow to not use user-controlled data directly in a run block, for example by assigning this expression to an environment variable. See more on SonarQube Cloud.
github-advanced-security[bot] marked this conversation as resolved.
Fixed