From 160ee7bd1bb0741d7b22305de685ada742648552 Mon Sep 17 00:00:00 2001
From: Mat Jones
Date: Fri, 19 Apr 2024 09:38:21 -0400
Subject: [PATCH 1/3] chore(ci): Auto-add one approval to automated flake.lock PRs

---
 .github/workflows/approve-flake-lock-prs.yml | 16 ++++++++++++++++
 .github/workflows/update-flake-dependencies.yml | 7 ++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/approve-flake-lock-prs.yml

diff --git a/.github/workflows/approve-flake-lock-prs.yml b/.github/workflows/approve-flake-lock-prs.yml
new file mode 100644
index 00000000..578c85e0
--- /dev/null
+++ b/.github/workflows/approve-flake-lock-prs.yml
@@ -0,0 +1,16 @@
+# This job applies one approval automatically to the automated `flake.lock` PRs
+# This helps us keep up with the weekly automated PRs, but still requires at least 1
+# human manual approval.
+name: Approve flake.lock PRs (still require 1 human approval)
+permissions:
+ pull-requests: write
+jobs:
+ approve-flake-lock-prs:
+ runs-on: ubuntu-latest
+ if: github.actor == 'github-actions[bot]' && github.event.pull_request.labels.*.name == 'flake.lock automation'
+ steps:
+ - name: Approve flake.lock PRs (still requires 1 human approval)
+ run: gh pr review --approve "$PR_URL"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/update-flake-dependencies.yml b/.github/workflows/update-flake-dependencies.yml
index a19c3bf6..85fad658 100644
--- a/.github/workflows/update-flake-dependencies.yml
+++ b/.github/workflows/update-flake-dependencies.yml
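Review bot: The job-level `if:` on the new workflow compares `github.event.pull_request.labels.*.name`, which the object filter yields as an array, against a single string with `==`; as far as I know that equality never matches a label the way intended, so the job would be skipped on every automated PR and the condition should be `contains(github.event.pull_request.labels.*.name, 'flake.lock automation')`. The approval step also depends on a repository setting that the header comment does not mention: approving with `secrets.GITHUB_TOKEN` only works when "Allow GitHub Actions to create and approve pull requests" is enabled for the repo or organisation, otherwise `gh pr review --approve` is rejected. I would record that in the header, e.g. `# Requires the repo setting "Allow GitHub Actions to create and approve pull requests"; the required-approvals count in branch protection should be set with this bot approval in mind.` As written the bot approval effectively lowers the human-review bar by one for anything this job approves, so the `if:` and the file check are security controls and deserve a comment saying so.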
@@ -33,5 +33,10 @@ jobs:
 --field content=@<(base64 -i $FILE_TO_COMMIT) \
 --field branch="$COMMIT_BRANCH" \
 --field sha="$(git rev-parse $COMMIT_BRANCH:$FILE_TO_COMMIT)"
- gh pr create --title "[automation]: Update Flake dependencies" --body "This is an automated PR to update \`flake.lock\`" --reviewer mrjones2014 --reviewer AndyTitu --base main --head $COMMIT_BRANCH
+ gh pr create --title "[automation]: Update Flake dependencies" \
+ --body "This is an automated PR to update \`flake.lock\`" \
+ --label "flake.lock automation" \
+ --reviewer mrjones2014 \
+ --reviewer AndyTitu \
+ --base main --head $COMMIT_BRANCH
 fi
From d5191376db6d041ca87fd564a0bf59feab8e495f Mon Sep 17 00:00:00 2001
From: Mat Jones
Date: Fri, 19 Apr 2024 10:51:34 -0400
Subject: [PATCH 2/3] fix: run only if ONLY flake.lock is changed

---
 .github/workflows/approve-flake-lock-prs.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/approve-flake-lock-prs.yml b/.github/workflows/approve-flake-lock-prs.yml
index 578c85e0..b1ba3721 100644
--- a/.github/workflows/approve-flake-lock-prs.yml
+++ b/.github/workflows/approve-flake-lock-prs.yml
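Review bot: The new `--label "flake.lock automation"` argument is now a magic string shared with the approval workflow's `if:` condition, and in my experience `gh pr create` resolves labels against the repository and fails the whole step if the label does not exist yet, so the label has to be created once by hand and the coupling should be documented on that line: `--label "flake.lock automation" \  # must already exist; checked by approve-flake-lock-prs.yml`. Since that label is what unlocks the automatic approval, it is worth a sentence in the PR body too, so a reviewer seeing the bot approval knows why it is there. `--head $COMMIT_BRANCH` is the only unquoted expansion in the command; `--head "$COMMIT_BRANCH"` would match the quoting of `"$COMMIT_BRANCH"` two lines above. The enclosing `if`/`fi` and the `run:` block begin outside this hunk.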
@@ -4,13 +4,23 @@
 name: Approve flake.lock PRs (still require 1 human approval)
 permissions:
 pull-requests: write
+on:
+ pull_request_target:
+ paths:
+ - 'flake.lock' # only run if flake.lock has changed
 jobs:
 approve-flake-lock-prs:
 runs-on: ubuntu-latest
 if: github.actor == 'github-actions[bot]' && github.event.pull_request.labels.*.name == 'flake.lock automation'
 steps:
 - name: Approve flake.lock PRs (still requires 1 human approval)
- run: gh pr review --approve "$PR_URL"
+ run: |
+ # only run if only exactly 1 file is changed;
+ # this combined with the `paths:` filter on the job itself
+ # ensures that the PR changes ONLY flake.lock and no other files
+ if [[ "$(git diff --name-only HEAD..origin/main | wc -l)" = 1 ]]; then
+ gh pr review --approve "$PR_URL"
+ end
 env:
 PR_URL: ${{github.event.pull_request.html_url}}
 GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
From e98eb985fdce1654c01e7d7a58f17cdb014b3119 Mon Sep 17 00:00:00 2001
From: Mat Jones
Date: Fri, 19 Apr 2024 10:54:00 -0400
Subject: [PATCH 3/3] fix: checkout the repo before trying to analyze git status

---
 .github/workflows/approve-flake-lock-prs.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/approve-flake-lock-prs.yml b/.github/workflows/approve-flake-lock-prs.yml
index b1ba3721..6b997c00 100644
--- a/.github/workflows/approve-flake-lock-prs.yml
+++ b/.github/workflows/approve-flake-lock-prs.yml
@@ -13,6 +13,7 @@ jobs:
 runs-on: ubuntu-latest
 if: github.actor == 'github-actions[bot]' && github.event.pull_request.labels.*.name == 'flake.lock automation'
 steps:
+ - uses: actions/checkout@v4
 - name: Approve flake.lock PRs (still requires 1 human approval)
 run: |
 # only run if only exactly 1 file is changed;
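Review bot: The `if [[ ... ]]; then` block in the new `run:` script is closed with `end`, which is not a bash keyword, so the step fails with a syntax error before anything runs; it must be `fi`. Even with that fixed, the guard does not measure what the comment claims: `git diff --name-only HEAD..origin/main` is evaluated against whatever the job checked out, and on a `pull_request_target` event a default checkout is the base branch, so HEAD and `origin/main` are presumably the same commit and the count is 0, not 1. A local diff is also the wrong oracle for a security gate here, because the approval is sticky — a later push of other files to the same branch re-triggers the workflow with a human `github.actor`, the `if:` then skips the job, and the earlier bot approval survives unless branch protection dismisses stale reviews, which should be stated in the header comment. I would ask the API for the PR's file list and require it to be exactly `flake.lock`, which needs no checkout at all:

```yaml
      - name: Approve flake.lock PRs (still requires 1 human approval)
        run: |
          # Gate on the PR's own file list (no checkout needed; under
          # pull_request_target a default checkout is the base ref, so a
          # local diff would not describe the PR). Approve only when the
          # PR touches exactly flake.lock and nothing else.
          changed="$(gh pr view "$PR_URL" --json files --jq '.files[].path')"
          if [[ "$changed" == "flake.lock" ]]; then
            gh pr review --approve "$PR_URL"
          fi
        # … unchanged: env with PR_URL and GH_TOKEN …
```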
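Review bot: Adding `actions/checkout@v4` to a `pull_request_target` job checks out the base branch by default (that event's `github.sha` is the base commit), so it does not give the following step the PR's contents, and the obvious "fix" of `ref: ${{ github.event.pull_request.head.sha }}` is the well-known pull_request_target pitfall — it is only tolerable when, as here, no step executes anything from the checkout, which should be spelled out: `# base-ref checkout only; never run code from this tree under pull_request_target`. Because this job hands out approvals, the action should also be pinned to a full commit SHA rather than the floating `@v4` tag, `- uses: actions/checkout@<full-sha> # v4`, so a compromised tag cannot run in a job with `pull-requests: write`. The `run:` step this checkout feeds continues past the end of the hunk.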