diff --git a/.github/workflows/combine-dependabot-prs.yml b/.github/workflows/combine-dependabot-prs.yml
deleted file mode 100644
index 0158108..0000000
--- a/.github/workflows/combine-dependabot-prs.yml
+++ /dev/null
@@ -1,139 +0,0 @@ -# https://github.com/hrvey/combine-prs-workflow -name: 'Combine PRs' - -# Controls when the action will run - in this case triggered manually -on: - workflow_dispatch: - inputs: - branchPrefix: - description: 'Branch prefix to find combinable PRs based on' - required: true - default: 'dependabot' - mustBeGreen: - description: 'Only combine PRs that are green (status is success)' - required: true - default: true - combineBranchName: - description: 'Name of the branch to combine PRs into' - required: true - default: 'combine-prs-branch' - ignoreLabel: - description: 'Exclude PRs with this label' - required: true - default: 'nocombine' - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -jobs: - # This workflow contains a single job called "combine-prs" - combine-prs: - # The type of runner that the job will run on - runs-on: ubuntu-latest - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - - uses: actions/github-script@v6 - id: fetch-branch-names - name: Fetch branch names - with: - github-token: ${{secrets.GITHUB_TOKEN}} - script: | - const pulls = await github.paginate('GET /repos/:owner/:repo/pulls', { - owner: context.repo.owner, - repo: context.repo.repo - }); - branches = []; - prs = []; - base_branch = null; - for (const pull of pulls) { - const branch = pull['head']['ref']; - console.log('Pull for branch: ' + branch); - if (branch.startsWith('${{ github.event.inputs.branchPrefix }}')) { - console.log('Branch matched: ' + branch); - statusOK = true; - if(${{ github.event.inputs.mustBeGreen }}) { - console.log('Checking green status: ' + branch); - const checkRuns = await github.request('GET /repos/{owner}/{repo}/commits/{ref}/check-runs', { - owner: context.repo.owner, - repo: context.repo.repo, - ref: branch - }); - for await (const cr of checkRuns.data.check_runs) { - console.log('Validating check conclusion: ' + cr.conclusion); - if(cr.conclusion != 
'success') { - console.log('Discarding ' + branch + ' with check conclusion ' + cr.conclusion); - statusOK = false; - } - } - } - console.log('Checking labels: ' + branch); - const labels = pull['labels']; - for(const label of labels) { - const labelName = label['name']; - console.log('Checking label: ' + labelName); - if(labelName == '${{ github.event.inputs.ignoreLabel }}') { - console.log('Discarding ' + branch + ' with label ' + labelName); - statusOK = false; - } - } - if (statusOK) { - console.log('Adding branch to array: ' + branch); - branches.push(branch); - prs.push('#' + pull['number'] + ' ' + pull['title']); - base_branch = pull['base']['ref']; - } - } - } - if (branches.length == 0) { - core.setFailed('No PRs/branches matched criteria'); - return; - } - core.setOutput('base-branch', base_branch); - core.setOutput('prs-string', prs.join('\n')); - - combined = branches.join(' ') - console.log('Combined: ' + combined); - return combined - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 - with: - fetch-depth: 0 - # Creates a branch with other PR branches merged together - - name: Created combined branch - env: - BASE_BRANCH: ${{ steps.fetch-branch-names.outputs.base-branch }} - BRANCHES_TO_COMBINE: ${{ steps.fetch-branch-names.outputs.result }} - COMBINE_BRANCH_NAME: ${{ github.event.inputs.combineBranchName }} - run: | - echo "$BRANCHES_TO_COMBINE" - sourcebranches="${BRANCHES_TO_COMBINE%\"}" - sourcebranches="${sourcebranches#\"}" - - basebranch="${BASE_BRANCH%\"}" - basebranch="${basebranch#\"}" - - git config pull.rebase false - git config user.name github-actions - git config user.email github-actions@github.com - - git branch $COMBINE_BRANCH_NAME $basebranch - git checkout $COMBINE_BRANCH_NAME - git pull origin $sourcebranches --no-edit - git push origin $COMBINE_BRANCH_NAME - # Creates a PR with the new combined branch - - uses: actions/github-script@v6 - name: Create Combined Pull 
Request
- env:
- PRS_STRING: ${{ steps.fetch-branch-names.outputs.prs-string }}
- with:
- github-token: ${{secrets.GITHUB_TOKEN}}
- script: |
- const prString = process.env.PRS_STRING;
- const body = 'This PR was created by the Combine PRs action by combining the following PRs:\n' + prString;
- await github.rest.pulls.create({
- owner: context.repo.owner,
- repo: context.repo.repo,
- title: 'Combined PR',
- head: '${{ github.event.inputs.combineBranchName }}',
- base: '${{ steps.fetch-branch-names.outputs.base-branch }}',
- body: body
- });
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
new file mode 100644
index 0000000..436b7af
--- /dev/null
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,29 @@
+name: Dependabot auto-merge
+on: pull_request
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ dependabot:
+ runs-on: ubuntu-latest
+ if: ${{ github.actor == 'dependabot[bot]' }}
+ steps:
+ - name: Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v1.1.1
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+ - name: Wait other jobs are passed or failed
+ if: ${{ contains(github.event.pull_request.labels.*.name, 'pip dependencies') || contains(github.event.pull_request.labels.*.name, 'github actions') }}
+ uses: kachick/wait-other-jobs@v1
+ timeout-minutes: 30
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+ - name: Enable auto-merge for Dependabot PRs
+ if: ${{ contains(github.event.pull_request.labels.*.name, 'pip dependencies') || contains(github.event.pull_request.labels.*.name, 'github actions') }}
+ run: gh pr review --approve "$PR_URL" && gh pr merge --auto --merge "$PR_URL"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..494e79b
--- /dev/null
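Review bot: The `id: metadata` step's output is never read, so the final approve-and-merge step in dependabot-auto-merge.yml gates only on the `pip dependencies` / `github actions` labels and will approve and auto-merge a major version bump exactly as it does a patch bump; gate that step on the update type too, e.g. `if: ${{ steps.metadata.outputs.update-type != 'version-update:semver-major' && (contains(github.event.pull_request.labels.*.name, 'pip dependencies') || contains(github.event.pull_request.labels.*.name, 'github actions')) }}`. The job also hands a token carrying `contents: write` and `pull-requests: write` to a third-party action, `kachick/wait-other-jobs@v1`, referenced by a mutable tag that can later be moved to different code; pin it (and `dependabot/fetch-metadata@v1.1.1`) to a full commit SHA with the version kept in a comment, `uses: kachick/wait-other-jobs@<commit-sha>  # v1`. Whether the `gh pr review --approve` issued with GITHUB_TOKEN actually satisfies a required review depends on the repository's branch-protection settings, which are not visible in this commit.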
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,22 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@v3
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v2
+ with:
+ fail-on-severity: moderate
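Review bot: The header comment states that vulnerable packages are blocked "if the workflow run is marked as required", but nothing in this commit makes the `dependency-review` job a required status check, so by itself the job only reports; the check has to be added to branch protection, and as far as I can tell `gh pr merge --auto` in the companion auto-merge workflow honours required checks only, so without that step a Dependabot PR flagged here could still be merged once the other jobs pass. `actions/dependency-review-action@v2` and `actions/checkout@v3` are referenced by mutable tags; for an action whose verdict decides whether a PR may merge, pin to a full commit SHA, `uses: actions/dependency-review-action@<commit-sha>  # v2`. `fail-on-severity: moderate` lets low-severity advisories through, which is a defensible policy but deserves a line saying so, e.g. `# low-severity advisories are surfaced in the PR but do not fail the check`.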