# Dependabot Auto
#
# Enable auto-merge and approve pull requests authored by @dependabot.
#
# Note: @dependabot generates Yarn v1 lockfiles despite this project using a different Yarn version.
# This corrupts the project lockfile. A workaround has been implemented to autofix lockfile format
# and deduplicate dependencies. Check https://github.com/dependabot/dependabot-core/issues/1297 for
# details pertaining to the safe removal of this workflow.
#
# References:
#
# - https://cli.github.com/manual/gh_pr_merge
# - https://cli.github.com/manual/gh_pr_review
# - https://docs.github.com/actions/learn-github-actions/contexts
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#pull_request
# - https://docs.github.com/actions/using-workflows/using-github-cli-in-workflows
# - https://docs.github.com/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request
# - https://github.com/actions/checkout
# - https://github.com/crazy-max/ghaction-import-gpg
# - https://github.com/dependabot/fetch-metadata
# - https://github.com/hmarr/debug-action
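---
name: dependabot-auto
# Fires on every pull_request event; the job-level `if` narrows execution to
# runs triggered by @dependabot or the maintainer account.
on: pull_request
env:
  # Job-wide env intentionally carries no secrets: the first step dumps the
  # environment to the log, so the bot PAT is scoped to the steps that use it.
  YARN_ENABLE_GLOBAL_CACHE: true
  YARN_ENABLE_IMMUTABLE_INSTALLS: false
jobs:
  dependabot-auto:
    # github.actor is the identity that triggered this run (which, on a manual
    # re-run, is presumably the re-running user — hence the maintainer allowance).
    if: github.actor == 'dependabot[bot]' || github.actor == 'flexdevelopment'
    runs-on: ubuntu-latest
    # NOTE(review): no `permissions:` block is set, so the default GITHUB_TOKEN
    # keeps the repository default; confirm what dependabot/fetch-metadata needs
    # before restricting it to read-only.
    # NOTE(review): the `uses:` refs below look mangled ("[email protected]");
    # pin each action to a full commit SHA once the intended versions are known.
    steps:
      - id: debug
        name: Print environment variables and event payload
        # Writes the environment and event payload to the job log. The runner
        # masks registered secrets, but none are placed in the job env anyway.
        uses: hmarr/[email protected]
      - id: metadata
        name: Fetch metadata
        uses: dependabot/[email protected]
        with:
          # Turns off verification that the PR commits were signed by
          # @dependabot; presumably needed because lockfile-push below adds a
          # commit of its own to the branch — TODO confirm.
          skip-commit-verification: true
      - id: checkout
        name: Checkout ${{ github.head_ref }}
        uses: actions/[email protected]
        with:
          # Credentials stay in .git/config only for the npm_and_yarn ecosystem,
          # where lockfile-push relies on them to push the fixed lockfile.
          persist-credentials: ${{ steps.metadata.outputs.package-ecosystem == 'npm_and_yarn' }}
          ref: ${{ github.head_ref }}
          # NOTE(review): if the run is triggered by dependabot, PAT_BOT must be
          # available to dependabot-triggered workflows — verify the secret's scope.
          token: ${{ secrets.PAT_BOT }}
      - id: gpg-import
        name: Import GPG key
        if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
        uses: crazy-max/[email protected]
        with:
          git_commit_gpgsign: true
          git_config_global: true
          git_user_signingkey: true
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
      # todo: remove when https://github.com/crazy-max/ghaction-import-gpg/issues/118 is resolved
      - id: gpg-trust
        name: Set trust on GPG key
        if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
        env:
          # Passed via env rather than interpolated into the script so the value
          # is never re-parsed by the shell.
          GPG_KEYID: ${{ steps.gpg-import.outputs.keyid }}
        run: |
          gpg --no-tty --command-fd 0 --edit-key "$GPG_KEYID" << EOTRUST
          trust
          5
          y
          quit
          EOTRUST
      - id: lockfile-fix
        name: Fix yarn.lock
        if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
        # Rewrites the lockfile only; presumably no link/lifecycle step runs in
        # this mode — confirm against the project's Yarn version.
        run: yarn --mode=update-lockfile
      - id: dedupe
        name: Deduplicate dependencies
        if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
        run: yarn dedupe --mode=update-lockfile
      - id: lockfile-push
        name: Push yarn.lock
        if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
        env:
          GIT_AUTHOR_EMAIL: ${{ steps.gpg-import.outputs.email }}
          GIT_COMMITTER_EMAIL: ${{ steps.gpg-import.outputs.email }}
          COMMIT_MESSAGE: 'build(yarn): [dependabot skip] fix lockfile for @dependabot'
        # Commit and push only when yarn.lock actually changed. The original
        # `a || b && c` form pushed unconditionally because `&&` binds to the
        # whole `a || b` result.
        run: |
          git add yarn.lock
          git status
          if git diff-index --quiet HEAD; then
            echo "yarn.lock unchanged; nothing to push"
          else
            git commit -s -m "$COMMIT_MESSAGE"
            # Force push presumably because @dependabot rebases its branches;
            # consider --force-with-lease to avoid clobbering a concurrent update.
            git push -f
          fi
      - id: approve-pr
        name: Approve pull request
        env:
          # The approval is posted under the PAT_BOT owner's identity.
          GITHUB_TOKEN: ${{ secrets.PAT_BOT }}
          PR_NUMBER: ${{ github.event.number }}
        run: gh pr review "$PR_NUMBER" --approve --body 'lgtm 👍🏾'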