From c3ae973080bcb0ae0a977d2a9a0c2c2dacac16ec Mon Sep 17 00:00:00 2001
From: Salah Al Saleh
Date: Tue, 2 Jan 2024 16:26:49 +0000
Subject: [PATCH 1/6] Abiltiy to run tests in Dependabot PRs and auto approve/merge

---
 .github/dependabot.yml | 36 ++++---------------------------
 .github/workflows/build-test.yaml | 30 ++++++++++++++------------
 2 files changed, 20 insertions(+), 46 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f0a589995c..cbd25937cd 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,6 +11,7 @@ updates:
 labels:
 - "dependabot"
 - "javascript"
+ - "type::security"
 ## Go mod
@@ -19,18 +20,18 @@ updates:
 schedule:
 interval: "daily"
 labels:
- - "@actions/safe-to-test"
 - "dependabot"
 - "go"
+ - "type::security"
 - package-ecosystem: "gomod"
 directory: "/kurl_proxy"
 schedule:
 interval: "daily"
 labels:
- - "@actions/safe-to-test"
 - "dependabot"
 - "go"
+ - "type::security"
 ## GitHub Actions
@@ -39,35 +40,6 @@ updates:
 schedule:
 interval: "weekly"
 labels:
- - "@actions/safe-to-test"
 - "dependabot"
 - "github-actions"
-
- ## Dockerfiles
-
- - package-ecosystem: "docker"
- directory: "/deploy"
- schedule:
- interval: "weekly"
- labels:
- - "@actions/safe-to-test"
- - "dependabot"
- - "docker"
-
- - package-ecosystem: "docker"
- directory: "/kurl_proxy/deploy"
- schedule:
- interval: "weekly"
- labels:
- - "@actions/safe-to-test"
- - "dependabot"
- - "docker"
-
- - package-ecosystem: "docker"
- directory: "/migrations/deploy"
- schedule:
- interval: "weekly"
- labels:
- - "@actions/safe-to-test"
- - "dependabot"
- - "docker"
+ - "type::security"
diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index 78406fd85f..9a2330d2eb 100644
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
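Review bot: The `type::security` label added in this and the two following hunks is attached by Dependabot to every PR the entry produces, ordinary version bumps included, so unless that label is meant to mean "came from Dependabot" in this repository it will misfile routine updates as security work; the `dependabot` label every entry already carries is the one that identifies them. The third hunk also removes the three `docker` entries (/deploy, /kurl_proxy/deploy, /migrations/deploy) without the subject mentioning it, which silently ends Dependabot's base-image tracking for those Dockerfiles. If that is intended, leave a one-line comment in place of the removed stanza, e.g. `## Dockerfiles: not tracked by Dependabot on purpose - <reason>`, so the entries are not re-added by the next person who notices the gap.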
@@ -15,8 +15,8 @@ jobs:
 can-run-ci:
 runs-on: ubuntu-20.04
 # if the event is pull_request and:
- # - it is not a fork OR it is from the dependabot
- # - Then must have the label '@actions/safe-to-test'
+ # - it is not a fork OR
+ # - it has the label '@actions/safe-to-test'
 #
 # The 'pull_request_target' workflow trigger may lead to malicious PR authors being able to obtain repository write permissions or stealing repository secrets.
 # Please read https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
@@ -51,18 +51,6 @@ jobs:
 uses: ./.github/actions/version-tag
- test-okteto-env:
- runs-on: ubuntu-latest
- needs: [ can-run-ci ]
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- - name: Test Okteto development environment
- uses: replicatedhq/action-okteto-test@main
- with:
- token: ${{ secrets.OKTETO_TOKEN }}
- branch: ${{ github.head_ref }}
-
 deps-web:
 runs-on: ubuntu-20.04
 needs: [ can-run-ci ]
@@ -3960,3 +3948,17 @@ jobs:
 - name: succeed if validate-pr-tests job succeeded
 if: needs.validate-pr-tests.result == 'success'
 run: echo "Validation succeeded"
+
+ dependabot:
+ runs-on: ubuntu-20.04
+ needs: [ validate-success ]
+ if: github.actor == 'dependabot[bot]'
+ steps:
+ - name: Approve PR
+ run: gh pr review --approve ${{ github.event.pull_request.html_url }} --comment "LGTM :thumbsup:"
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Merge PR
+ run: gh pr merge --auto --squash ${{ github.event.pull_request.html_url }}
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

From ab28ebd7259b5094bef0a3a6f45a17811fa945a3 Mon Sep 17 00:00:00 2001
From: Salah Al Saleh
Date: Tue, 2 Jan 2024 16:33:18 +0000
Subject: [PATCH 2/6] refactor dependabot job

---
 .github/workflows/build-test.yaml | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index 9a2330d2eb..afbd457480 100644
--- a/.github/workflows/build-test.yaml
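Review bot: The rewritten `can-run-ci` comment no longer says how Dependabot PRs pass the gate, which is the point of this series: Dependabot pushes its branches into this repository, so they presumably satisfy the "not a fork" arm and run CI with repository secrets without the `@actions/safe-to-test` label. Sitting directly above the `pull_request_target` warning, the comment should state that explicitly, e.g. `#   - (Dependabot PRs are branches of this repo, not forks, so they run without the label)`. The `if:` expression that implements the rule is outside the hunk, so whether it still special-cases dependabot cannot be confirmed from here.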
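Review bot: The new `dependabot` job approves and enables auto-merge for every Dependabot PR whose checks pass, with no distinction between a patch bump and a semver-major bump, and an approval made with `GITHUB_TOKEN` can satisfy a required-reviews rule depending on branch protection, so a green CI run becomes the only gate between a new upstream release and the default branch. The usual mitigation is to read the update type with `dependabot/fetch-metadata` and skip the approve/merge steps for major updates (and, if the repository wants it, for anything outside a trusted dependency list), leaving those for human review; the sketch below does that for the steps added here. `gh pr merge --auto` also needs auto-merge enabled on the repository and a branch protection rule to wait on, otherwise the command fails rather than merging. The missing `permissions` block is handled in patch 3 of the series.
```yaml
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1  # pin to a reviewed release or commit SHA
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Approve PR
        # only auto-approve patch/minor bumps; major bumps wait for a human
        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
        # … unchanged: gh pr review run/env …
      - name: Merge PR
        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
        # … unchanged: gh pr merge run/env …
```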
+++ b/.github/workflows/build-test.yaml
@@ -3954,11 +3954,9 @@ jobs:
 needs: [ validate-success ]
 if: github.actor == 'dependabot[bot]'
 steps:
- - name: Approve PR
- run: gh pr review --approve ${{ github.event.pull_request.html_url }} --comment "LGTM :thumbsup:"
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Merge PR
- run: gh pr merge --auto --squash ${{ github.event.pull_request.html_url }}
+ - name: Approve & Merge PR
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ gh pr review --approve ${{ github.event.pull_request.html_url }} --comment "LGTM :thumbsup:"
+ gh pr merge --auto --squash ${{ github.event.pull_request.html_url }}

From f2d7e40b8b3a9f3e8bc14e44dd450cd59f4a0d0e Mon Sep 17 00:00:00 2001
From: Salah Al Saleh
Date: Tue, 2 Jan 2024 16:44:36 +0000
Subject: [PATCH 3/6] assign permissions to dependabot job

---
 .github/workflows/build-test.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index afbd457480..64eb6810af 100644
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
@@ -3952,6 +3952,9 @@ jobs:
 dependabot:
 runs-on: ubuntu-20.04
 needs: [ validate-success ]
+ permissions:
+ contents: write
+ pull-requests: write
 if: github.actor == 'dependabot[bot]'
 steps:
 - name: Approve & Merge PR

From 3e4094ac2b7920d7e020ce94f8065a956358a5c3 Mon Sep 17 00:00:00 2001
From: Salah Al Saleh
Date: Tue, 2 Jan 2024 16:45:12 +0000
Subject: [PATCH 4/6] refactor

---
 .github/workflows/build-test.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index 64eb6810af..384b22c42a 100644
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
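Review bot: The merged step now pastes `${{ github.event.pull_request.html_url }}` into the shell script twice; the convention for `run:` blocks (and GitHub's own Dependabot auto-merge example) is to pass such values through the environment so the script contains no expression syntax: add `PR_URL: ${{ github.event.pull_request.html_url }}` under the existing `env:` and use `gh pr review --approve "$PR_URL" --comment "LGTM :thumbsup:"` and `gh pr merge --auto --squash "$PR_URL"`. The value is built by GitHub rather than taken from PR content, so this is about style and habit rather than an injection here. Note that `run:` without `shell:` executes under `bash -e`, so a failed review stops the step before the merge line, which is presumably the intent.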
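Review bot: The `permissions` block is the right least-privilege shape for this job, but nothing records which scope serves which command, so the next person trimming it has to guess; add above it `# contents: write -> gh pr merge; pull-requests: write -> gh pr review`. Declaring `permissions` at job level also resets every other scope to none for this job, which is fine here since it only calls `gh`, but is worth a word in the same comment.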
@@ -3952,10 +3952,10 @@ jobs:
 dependabot:
 runs-on: ubuntu-20.04
 needs: [ validate-success ]
+ if: github.actor == 'dependabot[bot]'
 permissions:
 contents: write
 pull-requests: write
- if: github.actor == 'dependabot[bot]'
 steps:
 - name: Approve & Merge PR
 env:

From 9bbaf366338ca83c7cfb06b25b4135b034a5ec3c Mon Sep 17 00:00:00 2001
From: Salah Al Saleh
Date: Tue, 2 Jan 2024 16:48:43 +0000
Subject: [PATCH 5/6] use author instead of actor

---
 .github/workflows/build-test.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index 384b22c42a..2c5fa91471 100644
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
@@ -3952,7 +3952,7 @@ jobs:
 dependabot:
 runs-on: ubuntu-20.04
 needs: [ validate-success ]
- if: github.actor == 'dependabot[bot]'
+ if: github.author == 'dependabot'
 permissions:
 contents: write
 pull-requests: write

From 7b670b252ddbb085b551d4bfb15f90aa0fd56e68 Mon Sep 17 00:00:00 2001
From: Salah Al Saleh
Date: Tue, 2 Jan 2024 17:08:55 +0000
Subject: [PATCH 6/6] actor not author

---
 .github/workflows/build-test.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml
index 2c5fa91471..384b22c42a 100644
--- a/.github/workflows/build-test.yaml
+++ b/.github/workflows/build-test.yaml
@@ -3952,7 +3952,7 @@ jobs:
 dependabot:
 runs-on: ubuntu-20.04
 needs: [ validate-success ]
- if: github.author == 'dependabot'
+ if: github.actor == 'dependabot[bot]'
 permissions:
 contents: write
 pull-requests: write
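Review bot: `github.actor` is the account that triggered the run, not the PR author, so the restored condition is a proxy for what patch 5 was reaching for: when a maintainer pushes a fix-up commit to a Dependabot branch, the resulting run has that maintainer as actor and the job is skipped, which is the safe direction but may surprise. The PR author itself is `github.event.pull_request.user.login == 'dependabot[bot]'`; the `github.actor` form is the one GitHub's Dependabot docs use, so either is acceptable, but a short comment above the `if:` naming which property is compared and why would stop the next author/actor flip-flop. As far as I can tell `github.author` (patch 5) is not a property of the github context and the expression language yields null for it rather than an error, so that version silently never ran the job.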