From cfb86ab0ea17d6e5538bd238026657af15660c81 Mon Sep 17 00:00:00 2001
From: M Atif Ali
Date: Thu, 30 Jan 2025 17:25:30 +0500
Subject: [PATCH 1/5] ci: fix cla and dependabot notifications
---
.github/workflows/contrib.yaml | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/contrib.yaml b/.github/workflows/contrib.yaml
index f9ef209777aa8..eba91bde2c7e5 100644
--- a/.github/workflows/contrib.yaml
+++ b/.github/workflows/contrib.yaml
@@ -2,19 +2,24 @@ name: contrib on: issue_comment: - types: [created] - pull_request: + types: [created, edited] + pull_request_target: # for community types: - opened - closed - synchronize - labeled - unlabeled - - opened - reopened - edited # For jobs that don't run on draft PRs. - ready_for_review + pull_request: # for dependabot PRs + types: - opened + push: + branches: + - main permissions: contents: read
@@ -43,7 +48,7 @@ jobs: PR_URL: ${{github.event.pull_request.html_url}} GH_TOKEN: ${{secrets.GITHUB_TOKEN}} - - name: Enable auto-merge for Dependabot PRs + - name: Enable auto-merge run: gh pr merge --auto --squash "$PR_URL" env: PR_URL: ${{github.event.pull_request.html_url}}
@@ -52,7 +57,7 @@ jobs: dependabot-automerge-notify: # Send a slack notification when a dependabot PR is merged. runs-on: ubuntu-latest - if: github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'coder/coder' && github.event.pull_request.merged + if: github.event_name == 'push' && github.actor == 'github-actions[bot]' steps: - name: Send Slack notification env:
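Review bot: The switch from `pull_request` to `pull_request_target` in the `on:` block changes the trust model of this workflow: its jobs now run with the base repository's `GITHUB_TOKEN` and secrets for pull requests from forks, which is what the `cla` and labeling jobs need for write access, but it also means nothing in this workflow may check out or execute the PR head. None of the hunks in this series show an `actions/checkout` step, so this looks safe today, yet patch 4 later drops the `# for community` comment and leaves the trigger undocumented. I would keep a comment on the trigger, e.g. `# pull_request_target: runs in the base repo with write token/secrets even for fork PRs; jobs here must never check out or run PR head code.`, so the constraint survives the next edit.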
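Review bot: The new condition `if: github.event_name == 'push' && github.actor == 'github-actions[bot]'` selects push events, but the Slack step this job runs (below the hunk) reads `github.event.pull_request.html_url`, `.title` and `.number`, and a push payload carries no `pull_request` object, so the notification will be posted with an empty title, number and URL. The condition also fires on any push to `main` attributed to `github-actions[bot]`, not only on merged Dependabot PRs, so unrelated bot commits would presumably be reported as Dependabot merges. The same job body and condition are copied into `.github/workflows/dependabot.yaml` in patch 2 and tightened with `github.actor_id == 41898282` in patch 5, which changes neither point. One option is to keep a PR-scoped event for the notification, e.g. `pull_request_target: types: [closed]` with `if: github.event.pull_request.merged && github.event.pull_request.user.login == 'dependabot[bot]'`, which preserves the PR payload; whether the repository secret `DEPENDABOT_PRS_SLACK_WEBHOOK` is available to a Dependabot-authored run under that event is worth confirming before switching.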
@@ -104,7 +109,7 @@ jobs: pull-requests: write steps: - name: cla - if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request' + if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target' uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 26e9faceff813e58dffc95d9cc8a7f079f14860b Mon Sep 17 00:00:00 2001
From: M Atif Ali
Date: Thu, 30 Jan 2025 17:40:01 +0500
Subject: [PATCH 2/5] extract dependabot logic to dependabot.yaml
---
.github/workflows/dependabot.yaml | 91 +++++++++++++++++++++++++++++++
1 file changed, 91 insertions(+)
create mode 100644 .github/workflows/dependabot.yaml
diff --git a/.github/workflows/dependabot.yaml b/.github/workflows/dependabot.yaml
new file mode 100644
index 0000000000000..ea8db1ff3792f
--- /dev/null
+++ b/.github/workflows/dependabot.yaml
@@ -0,0 +1,91 @@
+name: dependabot
+
+on:
+ pull_request:
+ types:
+ - opened
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+
+# Only run one instance per PR to ensure in-order execution.
+concurrency: pr-${{ github.ref }}
+
+jobs:
+ # Dependabot is annoying, but this makes it a bit less so.
+ dependabot-automerge:
+ runs-on: ubuntu-latest
+ if: github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'coder/coder'
+ permissions:
+ pull-requests: write
+ contents: write
+ steps:
+ - name: Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7 # v2.3.0
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Approve the PR
+ run: gh pr review --approve "$PR_URL"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+ - name: Enable auto-merge
+ run: gh pr merge --auto --squash "$PR_URL"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+ dependabot-automerge-notify:
+ # Send a slack notification when a dependabot PR is merged.
+ runs-on: ubuntu-latest
+ if: github.event_name == 'push' && github.actor == 'github-actions[bot]'
+ steps:
+ - name: Send Slack notification
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ PR_TITLE: ${{github.event.pull_request.title}}
+ PR_NUMBER: ${{github.event.pull_request.number}}
+ run: |
+ curl -X POST -H 'Content-type: application/json' \
+ --data '{
+ "username": "dependabot",
+ "icon_url": "https://avatars.githubusercontent.com/u/27347476",
+ "blocks": [
+ {
+ "type": "header",
+ "text": {
+ "type": "plain_text",
+ "text": ":pr-merged: Auto merged Dependabot PR #${{ env.PR_NUMBER }}",
+ "emoji": true
+ }
+ },
+ {
+ "type": "section",
+ "fields": [
+ {
+ "type": "mrkdwn",
+ "text": "${{ env.PR_TITLE }}"
+ }
+ ]
+ },
+ {
+ "type": "actions",
+ "elements": [
+ {
+ "type": "button",
+ "text": {
+ "type": "plain_text",
+ "text": "View PR"
+ },
+ "url": "${{ env.PR_URL }}"
+ }
+ ]
+ }
+ ]
+ }' ${{ secrets.DEPENDABOT_PRS_SLACK_WEBHOOK }}
From 2b057b51a374e996d8551dfa58e0d6f94e83f9fe Mon Sep 17 00:00:00 2001
From: M Atif Ali
Date: Thu, 30 Jan 2025 17:40:59 +0500
Subject: [PATCH 3/5] remove dependabot logic
---
.github/workflows/contrib.yaml | 81 ----------------------------------
1 file changed, 81 deletions(-)
diff --git a/.github/workflows/contrib.yaml b/.github/workflows/contrib.yaml
index eba91bde2c7e5..e1592ab42d018 100644
--- a/.github/workflows/contrib.yaml
+++ b/.github/workflows/contrib.yaml
@@ -14,12 +14,6 @@ on: - edited # For jobs that don't run on draft PRs. - ready_for_review - pull_request: # for dependabot PRs - types: - - opened - push: - branches: - - main permissions: contents: read
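Review bot: In the `Send Slack notification` step, `${{ env.PR_TITLE }}`, `${{ env.PR_NUMBER }}` and `${{ env.PR_URL }}` are expanded into the `run:` script by the Actions expression engine before bash executes it, so the `env:` indirection gives no protection: the values are spliced unescaped into a single-quoted JSON literal, a title containing `'` ends the shell string and one containing `"` breaks the JSON, and anything that influences the PR title becomes part of the script text. The webhook secret is interpolated into the command line the same way. Build the payload with `jq --arg` from the shell variables and pass the secret through `env:` so the values only ever travel inside the JSON document; the rewritten step follows (job header and condition unchanged).

```yaml
      - name: Send Slack notification
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          SLACK_WEBHOOK_URL: ${{ secrets.DEPENDABOT_PRS_SLACK_WEBHOOK }}
        run: |
          # Values reach the JSON only through jq --arg, never through the script text.
          payload="$(jq -n \
            --arg title "$PR_TITLE" \
            --arg number "$PR_NUMBER" \
            --arg url "$PR_URL" \
            '{
              username: "dependabot",
              icon_url: "https://avatars.githubusercontent.com/u/27347476",
              blocks: [
                {type: "header", text: {type: "plain_text", text: (":pr-merged: Auto merged Dependabot PR #" + $number), emoji: true}},
                {type: "section", fields: [{type: "mrkdwn", text: $title}]},
                {type: "actions", elements: [{type: "button", text: {type: "plain_text", text: "View PR"}, url: $url}]}
              ]
            }')"
          curl -X POST -H 'Content-type: application/json' --data "$payload" "$SLACK_WEBHOOK_URL"
```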
@@ -28,81 +22,6 @@ permissions: concurrency: pr-${{ github.ref }} jobs: - # Dependabot is annoying, but this makes it a bit less so. - dependabot-automerge: - runs-on: ubuntu-latest - if: github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'coder/coder' - permissions: - pull-requests: write - contents: write - steps: - - name: Dependabot metadata - id: metadata - uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7 # v2.3.0 - with: - github-token: "${{ secrets.GITHUB_TOKEN }}" - - - name: Approve the PR - run: gh pr review --approve "$PR_URL" - env: - PR_URL: ${{github.event.pull_request.html_url}} - GH_TOKEN: ${{secrets.GITHUB_TOKEN}} - - - name: Enable auto-merge - run: gh pr merge --auto --squash "$PR_URL" - env: - PR_URL: ${{github.event.pull_request.html_url}} - GH_TOKEN: ${{secrets.GITHUB_TOKEN}} - - dependabot-automerge-notify: - # Send a slack notification when a dependabot PR is merged. - runs-on: ubuntu-latest - if: github.event_name == 'push' && github.actor == 'github-actions[bot]' - steps: - - name: Send Slack notification - env: - PR_URL: ${{github.event.pull_request.html_url}} - PR_TITLE: ${{github.event.pull_request.title}} - PR_NUMBER: ${{github.event.pull_request.number}} - run: | - curl -X POST -H 'Content-type: application/json' \ - --data '{ - "username": "dependabot", - "icon_url": "https://avatars.githubusercontent.com/u/27347476", - "blocks": [ - { - "type": "header", - "text": { - "type": "plain_text", - "text": ":pr-merged: Auto merged Dependabot PR #${{ env.PR_NUMBER }}", - "emoji": true - } - }, - { - "type": "section", - "fields": [ - { - "type": "mrkdwn", - "text": "${{ env.PR_TITLE }}" - } - ] - }, - { - "type": "actions", - "elements": [ - { - "type": "button", - "text": { - "type": "plain_text", - "text": "View PR" - }, - "url": "${{ env.PR_URL }}" - } - ] - } - ] - }' ${{ secrets.DEPENDABOT_PRS_SLACK_WEBHOOK }} - cla: runs-on: ubuntu-latest 
permissions:
From 2305d582fd91e4e9bbb3fcc173735117de52deca Mon Sep 17 00:00:00 2001
From: M Atif Ali
Date: Thu, 30 Jan 2025 17:43:46 +0500
Subject: [PATCH 4/5] Remove comment from pull_request_target section
---
.github/workflows/contrib.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/contrib.yaml b/.github/workflows/contrib.yaml
index e1592ab42d018..da76bacfbcadb 100644
--- a/.github/workflows/contrib.yaml
+++ b/.github/workflows/contrib.yaml
@@ -3,7 +3,7 @@ name: contrib on: issue_comment: types: [created, edited] - pull_request_target: # for community + pull_request_target: types: - opened - closed
From ed7875d6070f75a5005209cfa8f0cc9a984a8fb3 Mon Sep 17 00:00:00 2001
From: Muhammad Atif Ali
Date: Fri, 31 Jan 2025 14:11:25 +0000
Subject: [PATCH 5/5] Update GitHub Actions PR validation logic
Switch `release-labels` job trigger to `pull_request_target` and refine `dependabot` automerge conditions by verifying `actor_id`. Enhance logging for approval and merge steps to provide better visibility.
---
.github/workflows/contrib.yaml | 2 +-
.github/workflows/dependabot.yaml | 12 ++++++++----
2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/contrib.yaml b/.github/workflows/contrib.yaml
index da76bacfbcadb..a1a6e91f0448b 100644
--- a/.github/workflows/contrib.yaml
+++ b/.github/workflows/contrib.yaml
@@ -47,7 +47,7 @@ jobs: release-labels: runs-on: ubuntu-latest # Skip tagging for draft PRs. - if: ${{ github.event_name == 'pull_request' && !github.event.pull_request.draft }} + if: ${{ github.event_name == 'pull_request_target' && !github.event.pull_request.draft }} steps: - name: release-labels uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
diff --git a/.github/workflows/dependabot.yaml b/.github/workflows/dependabot.yaml
index ea8db1ff3792f..79c2f89dbec5d 100644
--- a/.github/workflows/dependabot.yaml
+++ b/.github/workflows/dependabot.yaml
@@ -18,7 +18,7 @@ jobs: # Dependabot is annoying, but this makes it a bit less so. dependabot-automerge: runs-on: ubuntu-latest - if: github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'coder/coder' + if: github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' && github.actor_id == 49699333 && github.repository == 'coder/coder' permissions: pull-requests: write contents: write
@@ -30,13 +30,17 @@ jobs: github-token: "${{ secrets.GITHUB_TOKEN }}" - name: Approve the PR - run: gh pr review --approve "$PR_URL" + run: | + echo "Approving $PR_URL" + gh pr review --approve "$PR_URL" env: PR_URL: ${{github.event.pull_request.html_url}} GH_TOKEN: ${{secrets.GITHUB_TOKEN}} - name: Enable auto-merge - run: gh pr merge --auto --squash "$PR_URL" + run: | + echo "Enabling auto-merge for $PR_URL" + gh pr merge --auto --squash "$PR_URL" env: PR_URL: ${{github.event.pull_request.html_url}} GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
@@ -44,7 +48,7 @@ jobs: dependabot-automerge-notify: # Send a slack notification when a dependabot PR is merged. runs-on: ubuntu-latest - if: github.event_name == 'push' && github.actor == 'github-actions[bot]' + if: github.event_name == 'push' && github.actor == 'github-actions[bot]' && github.actor_id == 41898282 && github.repository == 'coder/coder' steps: - name: Send Slack notification env:
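Review bot: The `Approve the PR` and `Enable auto-merge` steps in the `@@ -30,13 +30,17 @@` hunk still run for every Dependabot PR that passes the job `if`, including major version bumps, while the `Dependabot metadata` step just above the hunk (id `metadata`) is never consulted, so its output is fetched for nothing. Because the approval is made with `GITHUB_TOKEN` and presumably counts toward any required-review rule, I would gate both steps on the update type that step already provides, `if: steps.metadata.outputs.update-type != 'version-update:semver-major'`, and leave majors to a human. The added `echo` lines are fine; the steps' `env:` blocks are unchanged.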