From e4ddc41d35cda53b701031183b803f27419fc27f Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Wed, 22 Jan 2025 14:21:41 +0500
Subject: [PATCH 1/4] chore: auto merge dependabot PRs

Based on the instructions from https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
---
 .github/workflows/contrib.yaml | 51 +++++++++++++---------------------
 1 file changed, 20 insertions(+), 31 deletions(-)

diff --git a/.github/workflows/contrib.yaml b/.github/workflows/contrib.yaml
index 716b9e3ccb60f..6c8c47414d5aa 100644
--- a/.github/workflows/contrib.yaml
+++ b/.github/workflows/contrib.yaml
@@ -3,18 +3,7 @@ name: contrib
 on:
   issue_comment:
     types: [created]
-  pull_request_target:
-    types:
-      - opened
-      - closed
-      - synchronize
-      - labeled
-      - unlabeled
-      - opened
-      - reopened
-      - edited
-      # For jobs that don't run on draft PRs.
-      - ready_for_review
+  pull_request:
 
 permissions:
   contents: read
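Review bot: Replacing `pull_request_target` with `pull_request` also gives up the ability to write to pull requests opened from forks: as far as I know the `GITHUB_TOKEN` on a `pull_request` event from a fork is capped at read access regardless of the job-level `permissions: pull-requests: write`, so the `cla` and `release-labels` jobs (whose conditions patch 3 switches to `pull_request`) will presumably no longer be able to post the CLA comment or apply labels on external contributions. Moving away from `pull_request_target` is the safer default for a workflow that never checks out the PR head, but the commit message does not say whether fork PRs are expected; if they are, those two jobs should stay on `pull_request_target` (still with no checkout) while only the Dependabot job moves to `pull_request`. A comment above `on:` stating which jobs need write access and why the trigger was chosen would prevent the next maintainer from flipping it back. The `on:` mapping continues outside the hunk.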
@@ -24,31 +13,36 @@ concurrency: pr-${{ github.ref }}
 
 jobs:
   # Dependabot is annoying, but this makes it a bit less so.
-  auto-approve-dependabot:
+  dependabot:
     runs-on: ubuntu-latest
     if: github.event_name == 'pull_request_target'
     permissions:
       pull-requests: write
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d # v2.2.0
         with:
-          egress-policy: audit
-
-      - name: auto-approve dependabot
-        uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0
-        if: github.actor == 'dependabot[bot]'
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Approve the PR
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+      - name: Enable auto-merge for Dependabot PRs
+        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
 
   cla:
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
-        with:
-          egress-policy: audit
-
       - name: cla
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
         uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
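Review bot: `gh pr merge --auto` in the `Enable auto-merge for Dependabot PRs` step needs `contents: write` on the token as I understand it, and because a job-level `permissions:` block sets every unlisted scope to none, this job ends up with `pull-requests: write` and no contents access at all (the GitHub guide the commit cites grants both); add `contents: write` under the job's `permissions:` or the auto-merge call will presumably be rejected. The pin `dependabot/fetch-metadata@4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d` is a strictly sequential hex string, which does not look like a real commit id; replace it with the SHA resolved from the actual v2.2.0 tag, since a pin that was never checked will either fail to resolve or, if it ever did resolve, give no supply-chain guarantee. Removing the `Harden Runner` steps from this job, from `cla`, and from `release-labels` (third hunk) silently drops the egress audit the previous version had; if that is intentional, say so in the commit message, otherwise keep the step ahead of the `gh` calls. Passing the PR URL through `env:` rather than interpolating it into `run:` is the right shape and worth keeping for any further steps.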
@@ -71,11 +65,6 @@ jobs:
     # Skip tagging for draft PRs.
     if: ${{ github.event_name == 'pull_request_target' && !github.event.pull_request.draft }}
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
-        with:
-          egress-policy: audit
-
       - name: release-labels
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:

From 9664de8444ec6c1f78377e4ba52bfc1f3b0f28f7 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Wed, 22 Jan 2025 14:23:09 +0500
Subject: [PATCH 2/4] fixup!

---
 .github/workflows/contrib.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/contrib.yaml b/.github/workflows/contrib.yaml
index 6c8c47414d5aa..fb236f24fc710 100644
--- a/.github/workflows/contrib.yaml
+++ b/.github/workflows/contrib.yaml
@@ -15,7 +15,7 @@ jobs:
   # Dependabot is annoying, but this makes it a bit less so.
   dependabot:
     runs-on: ubuntu-latest
-    if: github.event_name == 'pull_request_target'
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'coder/coder'
     permissions:
       pull-requests: write
     steps:

From 54112812df958a78fb5a6dae70f219de34c68f0a Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Wed, 22 Jan 2025 14:28:38 +0500
Subject: [PATCH 3/4] Fix workflow conditions for pull request events

---
 .github/workflows/contrib.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/contrib.yaml b/.github/workflows/contrib.yaml
index fb236f24fc710..ae70d25a579ec 100644
--- a/.github/workflows/contrib.yaml
+++ b/.github/workflows/contrib.yaml
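Review bot: With this gate every Dependabot PR enters the job, but the `Approve the PR` step (below the hunk, outside it) has no `if:`, so major and minor updates receive an approval from the workflow token even though only semver-patch updates are auto-merged; if branch protection counts that approval toward required reviews, a major bump can be merged without any human having looked at it. Consider gating approval on the metadata as well, e.g. `if: steps.metadata.outputs.update-type != 'version-update:semver-major'`, or approving only what is auto-merged. The guide the series cites checks `github.actor == 'dependabot[bot]'`; checking the PR author instead also matches a `synchronize` event where a maintainer pushes to a Dependabot branch, which is probably acceptable but deserves a comment above the `if:` such as `# Author check (not actor): maintainer pushes to a Dependabot branch still count as Dependabot PRs.` The `github.repository == 'coder/coder'` guard is a good addition since it stops forks from approving their own copies.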
@@ -44,7 +44,7 @@ jobs:
       pull-requests: write
     steps:
       - name: cla
-        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request'
         uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -63,7 +63,7 @@ jobs:
   release-labels:
     runs-on: ubuntu-latest
     # Skip tagging for draft PRs.
-    if: ${{ github.event_name == 'pull_request_target' && !github.event.pull_request.draft }}
+    if: ${{ github.event_name == 'pull_request' && !github.event.pull_request.draft }}
     steps:
       - name: release-labels
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1

From fb17a7cbb8eb98fa36e64c7bb7eef8c0776ffb20 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Wed, 22 Jan 2025 15:59:30 +0500
Subject: [PATCH 4/4] Update pull request event types in workflow

This will ensure we run on label chnages.
---
 .github/workflows/contrib.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/.github/workflows/contrib.yaml b/.github/workflows/contrib.yaml
index ae70d25a579ec..b665e2c6f25c1 100644
--- a/.github/workflows/contrib.yaml
+++ b/.github/workflows/contrib.yaml
@@ -4,6 +4,17 @@ on:
   issue_comment:
     types: [created]
   pull_request:
+    types:
+      - opened
+      - closed
+      - synchronize
+      - labeled
+      - unlabeled
+      - opened
+      - reopened
+      - edited
+      # For jobs that don't run on draft PRs.
+      - ready_for_review
 
 permissions:
   contents: read
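Review bot: `opened` appears twice in the new `types:` list (once at the top and again after `unlabeled`), which suggests the block was pasted back from the removed `pull_request_target` section rather than re-read; drop the second `- opened`. Listing the types explicitly also means the Dependabot job now runs on `closed`, `labeled`, `unlabeled` and `edited` events and will re-run `gh pr review --approve` each time, which is harmless but noisy; a comment such as `# Full list: the label/edit events are needed by release-labels, the others by cla.` would record why each type is here. The `on:` mapping continues outside the hunk.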