From a94f4d279f7a6910181486e1fff77043bea76498 Mon Sep 17 00:00:00 2001 From: Nara Kasbergen Kwon <855115+xiehan@users.noreply.github.com> Date: Thu, 19 Oct 2023 14:08:28 +0200 Subject: [PATCH] chore: make sure auto-approve and automerge work for Dependabot (#281) Signed-off-by: team-tf-cdk Co-authored-by: team-tf-cdk --- .github/workflows/auto-approve.yml | 6 +++--- .github/workflows/automerge.yml | 7 ++++--- .github/workflows/build.yml | 18 +++++++++--------- .github/workflows/pull-request-lint.yml | 2 +- .github/workflows/release.yml | 16 ++++++++-------- .github/workflows/upgrade-cdktf.yml | 4 ++-- .github/workflows/upgrade-main.yml | 8 ++++---- .npmignore | 4 ++++ .projenrc.ts | 15 ++++++++++----- projenrc/auto-approve.ts | 5 +++-- projenrc/automerge.ts | 8 +++++--- 11 files changed, 53 insertions(+), 40 deletions(-) diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml index 97990d8..6a115cd 100644 --- a/.github/workflows/auto-approve.yml +++ b/.github/workflows/auto-approve.yml @@ -2,7 +2,7 @@ name: auto-approve on: - pull_request: + pull_request_target: types: - opened - labeled @@ -17,12 +17,12 @@ jobs: if: contains(github.event.pull_request.labels.*.name, 'auto-approve') && github.event.pull_request.draft == false steps: - name: Checkout PR - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 with: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} - name: Auto-approve PRs by other users as team-tf-cdk - if: github.event.pull_request.user.login != 'team-tf-cdk' + if: github.event.pull_request.user.login != 'team-tf-cdk' && (contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.pull_request.author_association) || github.actor == 'dependabot[bot]) env: GH_TOKEN: ${{ secrets.PROJEN_GITHUB_TOKEN }} run: gh pr review ${{ github.event.pull_request.number }} --approve 
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml index fdf5494..2b285c2 100644 --- a/.github/workflows/automerge.yml +++ b/.github/workflows/automerge.yml @@ -2,7 +2,7 @@ name: automerge on: - pull_request: + pull_request_target: types: - opened - labeled @@ -18,8 +18,9 @@ jobs: if: contains(github.event.pull_request.labels.*.name, 'automerge') && github.event.pull_request.draft == false steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 - - name: Turn on automerge for this PR + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 + - name: Turn on automerge for this PR by a trusted user or bot + if: github.event.pull_request.user.login == 'team-tf-cdk' || contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.pull_request.author_association) || github.actor == 'dependabot[bot] env: GH_TOKEN: ${{ secrets.PROJEN_GITHUB_TOKEN }} run: gh pr merge --auto --squash ${{ github.event.pull_request.number }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 10a1ae0..c8d3e46 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -15,7 +15,7 @@ jobs: CI: "true" steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 with: ref: ${{ github.event.pull_request.head.ref }} repository: ${{ github.event.pull_request.head.repo.full_name }} @@ -34,7 +34,7 @@ jobs: git diff --staged --patch --exit-code > .repo.patch || echo "self_mutation_happened=true" >> $GITHUB_OUTPUT - name: Upload patch if: steps.self_mutation.outputs.self_mutation_happened - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 with: name: .repo.patch path: .repo.patch 
@@ -48,7 +48,7 @@ jobs: run: cd dist && getfacl -R . > permissions-backup.acl continue-on-error: true - name: Upload artifact - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 with: name: build-artifact path: dist @@ -60,7 +60,7 @@ jobs: if: always() && needs.build.outputs.self_mutation_happened && !(github.event.pull_request.head.repo.full_name != github.repository) steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 with: token: ${{ secrets.PROJEN_GITHUB_TOKEN }} ref: ${{ github.event.pull_request.head.ref }} @@ -89,7 +89,7 @@ jobs: permissions: {} if: "! needs.build.outputs.self_mutation_happened" steps: - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d with: node-version: 18.x - name: Download build artifacts @@ -118,7 +118,7 @@ jobs: with: distribution: temurin java-version: 11.x - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d with: node-version: 18.x - name: Download build artifacts @@ -143,7 +143,7 @@ jobs: permissions: {} if: "! needs.build.outputs.self_mutation_happened" steps: - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d with: node-version: 18.x - uses: actions/setup-python@v4 @@ -171,7 +171,7 @@ jobs: permissions: {} if: "! needs.build.outputs.self_mutation_happened" steps: - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d with: node-version: 18.x - uses: actions/setup-dotnet@v3 
@@ -199,7 +199,7 @@ jobs: permissions: {} if: "! needs.build.outputs.self_mutation_happened" steps: - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d with: node-version: 18.x - uses: actions/setup-go@v3 diff --git a/.github/workflows/pull-request-lint.yml b/.github/workflows/pull-request-lint.yml index a91d10c..b8286be 100644 --- a/.github/workflows/pull-request-lint.yml +++ b/.github/workflows/pull-request-lint.yml @@ -17,7 +17,7 @@ jobs: permissions: pull-requests: write steps: - - uses: amannn/action-semantic-pull-request@c3cd5d1ea3580753008872425915e343e351ab54 + - uses: amannn/action-semantic-pull-request@47b15d52c5c30e94a17ec87eb8dd51ff5221fed9 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c74ee02..7f7e250 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,7 +23,7 @@ jobs: CI: "true" steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 with: fetch-depth: 0 - name: Set git identity @@ -43,7 +43,7 @@ jobs: continue-on-error: true - name: Upload artifact if: ${{ steps.git_remote.outputs.latest_commit == github.sha }} - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 with: name: build-artifact path: dist @@ -55,7 +55,7 @@ jobs: contents: write if: needs.release.outputs.latest_commit == github.sha steps: - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d with: node-version: 18.x - name: Download build artifacts 
@@ -84,7 +84,7 @@ jobs: contents: read if: needs.release.outputs.latest_commit == github.sha steps: - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d with: node-version: 18.x - name: Download build artifacts @@ -121,7 +121,7 @@ jobs: with: distribution: temurin java-version: 11.x - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d with: node-version: 18.x - name: Download build artifacts @@ -157,7 +157,7 @@ jobs: contents: read if: needs.release.outputs.latest_commit == github.sha steps: - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d with: node-version: 18.x - uses: actions/setup-python@v4 @@ -192,7 +192,7 @@ jobs: contents: read if: needs.release.outputs.latest_commit == github.sha steps: - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d with: node-version: 18.x - uses: actions/setup-dotnet@v3 @@ -226,7 +226,7 @@ jobs: contents: read if: needs.release.outputs.latest_commit == github.sha steps: - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d with: node-version: 18.x - uses: actions/setup-go@v3 diff --git a/.github/workflows/upgrade-cdktf.yml b/.github/workflows/upgrade-cdktf.yml index 2753ff9..d1acb8b 100644 --- a/.github/workflows/upgrade-cdktf.yml +++ b/.github/workflows/upgrade-cdktf.yml @@ -17,7 +17,7 @@ jobs: CHECKPOINT_DISABLE: "1" steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 - name: Install run: yarn install - name: Get current CDKTF version 
@@ -39,7 +39,7 @@ jobs: run: scripts/update-cdktf.sh ${{ steps.latest_version.outputs.value }} - name: Create draft pull request if: steps.current_version.outputs.short != steps.latest_version.outputs.short - uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 + uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 with: commit-message: "chore!: upgrade to cdktf ${{ steps.latest_version.outputs.value }}" branch: auto/upgrade-cdktf-${{ steps.latest_version.outputs.short }} diff --git a/.github/workflows/upgrade-main.yml b/.github/workflows/upgrade-main.yml index f24ec75..d1825c7 100644 --- a/.github/workflows/upgrade-main.yml +++ b/.github/workflows/upgrade-main.yml @@ -15,7 +15,7 @@ jobs: patch_created: ${{ steps.create_patch.outputs.patch_created }} steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 with: ref: main - name: Install dependencies @@ -29,7 +29,7 @@ jobs: git diff --staged --patch --exit-code > .repo.patch || echo "patch_created=true" >> $GITHUB_OUTPUT - name: Upload patch if: steps.create_patch.outputs.patch_created - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 with: name: .repo.patch path: .repo.patch @@ -42,7 +42,7 @@ jobs: if: ${{ needs.upgrade.outputs.patch_created }} steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 with: ref: main - name: Download patch 
@@ -58,7 +58,7 @@ jobs: git config user.email "github-team-tf-cdk@hashicorp.com" - name: Create Pull Request id: create-pr - uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 + uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 with: token: ${{ secrets.PROJEN_GITHUB_TOKEN }} commit-message: |- diff --git a/.npmignore b/.npmignore index 83fdd38..b0fc6b7 100644 --- a/.npmignore +++ b/.npmignore @@ -21,3 +21,7 @@ dist tsconfig.tsbuildinfo /.eslintrc.json !.jsii +scripts +projenrc +/.projenrc.ts +.copywrite.hcl diff --git a/.projenrc.ts b/.projenrc.ts index 35862d2..e5d823a 100644 --- a/.projenrc.ts +++ b/.projenrc.ts @@ -12,14 +12,14 @@ import { CustomizedLicense } from "./projenrc/customized-license"; import { UpgradeCDKTF } from "./projenrc/upgrade-cdktf"; const githubActionPinnedVersions = { - "actions/checkout": "c85c95e3d7251135ab7dc9ce3241c5835cc595a9", // v3.5.3 + "actions/checkout": "8ade135a41bc03ea155e62e844d188df1ea18608", // v4.1.0 "actions/download-artifact": "9bc31d5ccc31df68ecc42ccf4149144866c47d8a", // v3.0.2 "actions/github-script": "d7906e4ad0b1822421a7e6a35d5ca353c962f410", // v6.4.1 - "actions/setup-node": "64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c", // v3.6.0 - "actions/upload-artifact": "0b7f8abb1508181956e8e162db84b466c27e18ce", // v3.1.2 + "actions/setup-node": "5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d", // v3.8.1 + "actions/upload-artifact": "a8a3f3ad30e3422c9c7b888a15615d19a852ae32", // v3.1.3 "amannn/action-semantic-pull-request": - "c3cd5d1ea3580753008872425915e343e351ab54", // v5.2.0 - "peter-evans/create-pull-request": "284f54f989303d2699d373481a0cfa13ad5a6666", // v5.0.1 + "47b15d52c5c30e94a17ec87eb8dd51ff5221fed9", // v5.3.0 + "peter-evans/create-pull-request": "153407881ec5c347639a548ade7d8ad1d6740e38", // v5.0.2 }; const project = new ConstructLibraryCdktf({ 
@@ -93,6 +93,11 @@ new JsiiDocgen(project, { project.jest?.addIgnorePattern("dist"); project.addKeywords("cdktf", "terraform"); +project.addPackageIgnore("scripts"); +project.addPackageIgnore("projenrc"); +project.addPackageIgnore("/.projenrc.ts"); + +project.addPackageIgnore(".copywrite.hcl"); // Run copywrite tool to add copyright headers to all files project.buildWorkflow?.addPostBuildSteps( { diff --git a/projenrc/auto-approve.ts b/projenrc/auto-approve.ts index 89591a7..388c6db 100644 --- a/projenrc/auto-approve.ts +++ b/projenrc/auto-approve.ts @@ -16,11 +16,12 @@ export class AutoApprove { if (!workflow) throw new Error("no workflow defined"); workflow.on({ - pullRequest: { + pullRequestTarget: { types: ["opened", "labeled", "ready_for_review", "reopened"], }, }); + const maintainerStatuses = `fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]')`; workflow.addJobs({ approve: { runsOn: ["ubuntu-latest"], @@ -37,7 +38,7 @@ export class AutoApprove { }, { name: "Auto-approve PRs by other users as team-tf-cdk", - if: "github.event.pull_request.user.login != 'team-tf-cdk'", + if: `github.event.pull_request.user.login != 'team-tf-cdk' && (contains(${maintainerStatuses}, github.event.pull_request.author_association) || github.actor == 'dependabot[bot])`, run: "gh pr review ${{ github.event.pull_request.number }} --approve", env: { GH_TOKEN: "${{ secrets.PROJEN_GITHUB_TOKEN }}", diff --git a/projenrc/automerge.ts b/projenrc/automerge.ts index a7700fb..cf353d2 100644 --- a/projenrc/automerge.ts +++ b/projenrc/automerge.ts @@ -7,7 +7,7 @@ import { javascript } from "projen"; import { JobPermission } from "projen/lib/github/workflows-model"; /** - * Merges PRs with the "automerge" label + * Enables GitHub's built-in automerge for PRs with the "automerge" label */ export class Automerge { constructor(project: javascript.NodeProject) { 
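Review bot: With the trigger switched to `pullRequestTarget`, this job runs in the base repository's context with `secrets.PROJEN_GITHUB_TOKEN` available, yet the generated auto-approve.yml in this commit still checks out `github.event.pull_request.head.ref` from the head repository, which may be a fork. The approve step only needs the PR number, so the checkout step (defined outside this hunk) could be dropped and the repository passed explicitly, e.g. `GH_REPO: "${{ github.repository }}"` in the step's `env`. If the checkout has to stay, set `persist-credentials: false` on it and add a comment that nothing from the checked-out tree may be executed in this job. The same trigger change in projenrc/automerge.ts is less exposed, because the checkout in the generated automerge.yml has no `ref` override.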
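Review bot: The string literal in the new `if:` is unterminated: `github.actor == 'dependabot[bot])` has no closing quote before the parenthesis, so the expression is likely to be rejected when GitHub parses the workflow and the approve step would never run. The template should end with `|| github.actor == 'dependabot[bot]')`. The same missing quote is in the `if:` added in projenrc/automerge.ts and in both generated workflow files in this commit, so all of them need regenerating after the fix.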
@@ -16,7 +16,7 @@ export class Automerge { if (!workflow) throw new Error("no workflow defined"); workflow.on({ - pullRequest: { + pullRequestTarget: { types: [ "opened", "labeled", @@ -29,6 +29,7 @@ export class Automerge { (workflow.concurrency as any) = "${{ github.workflow }}-${{ github.ref }}"; + const maintainerStatuses = `fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]')`; workflow.addJobs({ automerge: { runsOn: ["ubuntu-latest"], @@ -39,7 +40,8 @@ export class Automerge { uses: "actions/checkout@v3", }, { - name: "Turn on automerge for this PR", + name: "Turn on automerge for this PR by a trusted user or bot", + if: `github.event.pull_request.user.login == 'team-tf-cdk' || contains(${maintainerStatuses}, github.event.pull_request.author_association) || github.actor == 'dependabot[bot]`, run: "gh pr merge --auto --squash ${{ github.event.pull_request.number }}", env: { GH_TOKEN: "${{ secrets.PROJEN_GITHUB_TOKEN }}",
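Review bot: `github.actor` in the new `if:` is the account that triggered the run, not the author of the pull request, so on a `labeled` event it does not tell you who wrote the change being merged. Because this step enables auto-merge with `secrets.PROJEN_GITHUB_TOKEN`, the bot check is better tied to the author, `github.event.pull_request.user.login == 'dependabot[bot]'`, which is how the `team-tf-cdk` check in the same expression is already written. The same applies to the condition added in projenrc/auto-approve.ts.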