diff --git a/.github/workflows/contrib.yaml b/.github/workflows/contrib.yaml index f9ef209777aa8..a1a6e91f0448b 100644 --- a/.github/workflows/contrib.yaml +++ b/.github/workflows/contrib.yaml @@ -2,15 +2,14 @@ name: contrib on: issue_comment: - types: [created] - pull_request: + types: [created, edited] + pull_request_target: types: - opened - closed - synchronize - labeled - unlabeled - - opened - reopened - edited # For jobs that don't run on draft PRs. 
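Review bot: Switching the trigger to `pull_request_target` makes every job in this workflow run with the base repository's token and secrets, including for PRs opened from forks, and nothing in the file records that constraint. The jobs visible in this diff (`cla`, `release-labels`) do not appear to check out PR code, which is what keeps the trigger safe, but their bodies continue outside the hunks. I would add a comment above the trigger, `# pull_request_target runs with base-repo secrets: never check out or execute PR head code in this workflow.` The matching `if:` updates are in the two later hunks of this file.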
@@ -23,88 +22,13 @@ permissions: concurrency: pr-${{ github.ref }} jobs: - # Dependabot is annoying, but this makes it a bit less so. - dependabot-automerge: - runs-on: ubuntu-latest - if: github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'coder/coder' - permissions: - pull-requests: write - contents: write - steps: - - name: Dependabot metadata - id: metadata - uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7 # v2.3.0 - with: - github-token: "${{ secrets.GITHUB_TOKEN }}" - - - name: Approve the PR - run: gh pr review --approve "$PR_URL" - env: - PR_URL: ${{github.event.pull_request.html_url}} - GH_TOKEN: ${{secrets.GITHUB_TOKEN}} - - - name: Enable auto-merge for Dependabot PRs - run: gh pr merge --auto --squash "$PR_URL" - env: - PR_URL: ${{github.event.pull_request.html_url}} - GH_TOKEN: ${{secrets.GITHUB_TOKEN}} - - dependabot-automerge-notify: - # Send a slack notification when a dependabot PR is merged. 
- runs-on: ubuntu-latest - if: github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'coder/coder' && github.event.pull_request.merged - steps: - - name: Send Slack notification - env: - PR_URL: ${{github.event.pull_request.html_url}} - PR_TITLE: ${{github.event.pull_request.title}} - PR_NUMBER: ${{github.event.pull_request.number}} - run: | - curl -X POST -H 'Content-type: application/json' \ - --data '{ - "username": "dependabot", - "icon_url": "https://avatars.githubusercontent.com/u/27347476", - "blocks": [ - { - "type": "header", - "text": { - "type": "plain_text", - "text": ":pr-merged: Auto merged Dependabot PR #${{ env.PR_NUMBER }}", - "emoji": true - } - }, - { - "type": "section", - "fields": [ - { - "type": "mrkdwn", - "text": "${{ env.PR_TITLE }}" - } - ] - }, - { - "type": "actions", - "elements": [ - { - "type": "button", - "text": { - "type": "plain_text", - "text": "View PR" - }, - "url": "${{ env.PR_URL }}" - } - ] - } - ] - }' ${{ secrets.DEPENDABOT_PRS_SLACK_WEBHOOK }} - cla: runs-on: ubuntu-latest permissions: pull-requests: write steps: - name: cla - if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request' + if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target' uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
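Review bot: The context line `concurrency: pr-${{ github.ref }}` no longer isolates runs per PR once the trigger is `pull_request_target`. For that event, and for `issue_comment`, `github.ref` is the base or default branch rather than the PR merge ref, so all PRs against the same branch share one group and a pending CLA or label run can be superseded by a run for a different PR. Keying the group on the PR number would restore per-PR ordering, e.g. `concurrency: pr-${{ github.event.pull_request.number || github.event.issue.number }}`. The `cla` step continues past the end of this hunk.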
@@ -123,7 +47,7 @@ jobs: release-labels: runs-on: ubuntu-latest # Skip tagging for draft PRs. - if: ${{ github.event_name == 'pull_request' && !github.event.pull_request.draft }} + if: ${{ github.event_name == 'pull_request_target' && !github.event.pull_request.draft }} steps: - name: release-labels uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 diff --git a/.github/workflows/dependabot.yaml b/.github/workflows/dependabot.yaml new file mode 100644 index 0000000000000..79c2f89dbec5d --- /dev/null +++ b/.github/workflows/dependabot.yaml 
@@ -0,0 +1,95 @@ +name: dependabot + +on: + pull_request: + types: + - opened + push: + branches: + - main + +permissions: + contents: read + +# Only run one instance per PR to ensure in-order execution. +concurrency: pr-${{ github.ref }} + +jobs: + # Dependabot is annoying, but this makes it a bit less so. + dependabot-automerge: + runs-on: ubuntu-latest + if: github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' && github.actor_id == 49699333 && github.repository == 'coder/coder' + permissions: + pull-requests: write + contents: write + steps: + - name: Dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7 # v2.3.0 + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" + + - name: Approve the PR + run: | + echo "Approving $PR_URL" + gh pr review --approve "$PR_URL" + env: + PR_URL: ${{github.event.pull_request.html_url}} + GH_TOKEN: ${{secrets.GITHUB_TOKEN}} + + - name: Enable auto-merge + run: | + echo "Enabling auto-merge for $PR_URL" + gh pr merge --auto --squash "$PR_URL" + env: + PR_URL: ${{github.event.pull_request.html_url}} + GH_TOKEN: ${{secrets.GITHUB_TOKEN}} + + dependabot-automerge-notify: + # Send a slack notification when a dependabot PR is merged. 
+ runs-on: ubuntu-latest + if: github.event_name == 'push' && github.actor == 'github-actions[bot]' && github.actor_id == 41898282 && github.repository == 'coder/coder' + steps: + - name: Send Slack notification + env: + PR_URL: ${{github.event.pull_request.html_url}} + PR_TITLE: ${{github.event.pull_request.title}} + PR_NUMBER: ${{github.event.pull_request.number}} + run: | + curl -X POST -H 'Content-type: application/json' \ + --data '{ + "username": "dependabot", + "icon_url": "https://avatars.githubusercontent.com/u/27347476", + "blocks": [ + { + "type": "header", + "text": { + "type": "plain_text", + "text": ":pr-merged: Auto merged Dependabot PR #${{ env.PR_NUMBER }}", + "emoji": true + } + }, + { + "type": "section", + "fields": [ + { + "type": "mrkdwn", + "text": "${{ env.PR_TITLE }}" + } + ] + }, + { + "type": "actions", + "elements": [ + { + "type": "button", + "text": { + "type": "plain_text", + "text": "View PR" + }, + "url": "${{ env.PR_URL }}" + } + ] + } + ] + }' ${{ secrets.DEPENDABOT_PRS_SLACK_WEBHOOK }}
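Review bot: The `dependabot-automerge-notify` job is now gated on `push`, but its `env:` still reads `github.event.pull_request.html_url`, `.title` and `.number`, which a push payload does not carry, so the Slack message would go out with an empty title, number and URL. The same step splices `${{ env.PR_TITLE }}` and the webhook secret into the script text before the shell parses it, so a quote character in a value would end the single-quoted `--data` argument. Passing the values as shell variables and building the JSON with jq avoids both problems. The `if:` also matches any push to main by `github-actions[bot]`, not only Dependabot merges; worth confirming that is intended. A sketch of the step, using fields the push payload does provide:

```yaml
      # … unchanged: job header and `if:` condition …
      - name: Send Slack notification
        env:
          # A push event has no pull_request payload; use the merged commit instead.
          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
          COMMIT_URL: ${{ github.event.head_commit.url }}
          SLACK_WEBHOOK: ${{ secrets.DEPENDABOT_PRS_SLACK_WEBHOOK }}
        run: |
          # jq JSON-escapes the values; nothing is expanded into the script text.
          payload="$(jq -n --arg msg "$COMMIT_MESSAGE" --arg url "$COMMIT_URL" '{
            username: "dependabot",
            icon_url: "https://avatars.githubusercontent.com/u/27347476",
            blocks: [
              {type: "header", text: {type: "plain_text", text: ":pr-merged: Auto merged Dependabot PR", emoji: true}},
              {type: "section", fields: [{type: "mrkdwn", text: ($msg | split("\n")[0])}]},
              {type: "actions", elements: [{type: "button", text: {type: "plain_text", text: "View commit"}, url: $url}]}
            ]
          }')"
          curl -X POST -H 'Content-type: application/json' --data "$payload" "$SLACK_WEBHOOK"
```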