ci(workflows): dependabot-auto-fix

Signed-off-by: Lexus Drumgold <unicornware@flexdevelopment.llc>

Author: unicornware

.github/workflows/dependabot-auto-fix.yml

@@ -0,0 +1,87 @@
+# Dependabot Auto Fix
+#
+# @dependabot generates Yarn v1 lockfiles even though this project uses a different version of Yarn.
+# This corrupts the project lockfile in such a way that a new file must be generated. This workflow
+# fixes lockfile format and deduplicates dependencies.
+#
+# Check https://github.com/dependabot/dependabot-core/issues/1297 for details pertaining to the safe
+# removal of this workflow.
+#
+# References:
+#
+# - https://cli.github.com/manual/gh_pr_review
+# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#push
+# - https://docs.github.com/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
+# - https://github.com/actions/checkout
+# - https://github.com/crazy-max/ghaction-import-gpg
+# - https://github.com/dependabot/fetch-metadata
+# - https://github.com/hmarr/debug-action
+
+---
+name: dependabot-auto-fix
+on:
+ push:
+ branches:
+ - dependabot/npm_and_yarn/**
+env:
+ GITHUB_TOKEN: ${{ secrets.PAT_DEPENDABOT }}
+ YARN_ENABLE_IMMUTABLE_INSTALLS: false
+jobs:
+ dependabot-auto-fix:
+ if: github.actor == 'dependabot[bot]'
+ runs-on: ubuntu-latest
+ steps:
+ - id: debug
+ name: Print environment variables and event payload
+ uses: hmarr/debug-action@v2.0.1
+ - id: metadata
+ name: Fetch metadata
+ uses: dependabot/fetch-metadata@v1.3.3
+ with:
+ skip-commit-verification: true
+ - id: checkout
+ name: Checkout ${{ github.head_ref }}
+ uses: actions/checkout@v3.0.2
+ with:
+ ref: ${{ github.head_ref }}
+ token: ${{ env.GITHUB_TOKEN }}
+ - id: gpg-import
+ name: Import GPG key
+ uses: crazy-max/ghaction-import-gpg@v5.1.0
+ with:
+ git_commit_gpgsign: true
+ git_config_global: true
+ git_user_signingkey: true
+ gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+ # todo: remove when https://github.com/crazy-max/ghaction-import-gpg/issues/118 is resolved
+ - id: gpg-trust
+ name: Set trust on GPG key
+ run: |
+ gpg --no-tty --command-fd 0 --edit-key ${{ steps.gpg-import.outputs.keyid }} << EOTRUST
+ trust
+ 5
+ y
+ quit
+ EOTRUST
+ - id: lockfile-fix
+ name: Fix yarn.lock
+ run: yarn --mode=update-lockfile
+ - id: dedupe
+ name: Deduplicate dependencies
+ run: yarn dedupe --mode=update-lockfile
+ - id: lockfile-push
+ name: Push yarn.lock
+ run: |
+ git add yarn.lock
+ git status
+ git diff-index --quiet HEAD || git commit -m "$COMMIT_MESSAGE" && git push -f
+ env:
+ GIT_AUTHOR_EMAIL: ${{ steps.gpg-import.outputs.email }}
+ GIT_AUTHOR_NAME: ${{ steps.gpg-import.outputs.name }}
+ GIT_COMMITTER_EMAIL: ${{ steps.gpg-import.outputs.email }}
+ GIT_COMMITTER_NAME: ${{ steps.gpg-import.outputs.name }}
+ COMMIT_MESSAGE: '[dependabot skip] fix lockfile for @dependabot'
+ - id: approve-pr
+ name: Approve pull request
+ if: steps.metadata.outputs.update-type != 'version-update:semver-major'
+ run: gh pr review ${{ github.event.number }} --approve

.github/workflows/dependabot-auto.yml

@@ -2,20 +2,13 @@
 #
 # Automatically approve Dependabot pull requests and enable auto-merge.
 #
-# Note: @dependabot generates Yarn v1 lockfiles despite this project using a different Yarn version.
-# This breaks the project lockfile. A workaround has been implemented to autofix lockfiles and
-# deduplicate dependencies. See https://github.com/dependabot/dependabot-core/issues/1297 to check
-# if the workaround is safe to remove.
-#
 # References:
 #
 # - https://cli.github.com/manual/gh_pr_merge
 # - https://cli.github.com/manual/gh_pr_review
 # - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#pull_request
 # - https://docs.github.com/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
 # - https://github.com/actions/checkout
-# - https://github.com/actions/setup-node
-# - https://github.com/crazy-max/ghaction-import-gpg
 # - https://github.com/dependabot/fetch-metadata
 # - https://github.com/hmarr/debug-action
 
@@ -42,52 +35,13 @@ jobs:
  name: Checkout ${{ github.head_ref }}
  uses: actions/checkout@v3.0.2
  with:
- persist-credentials: ${{ steps.metadata.outputs.package-ecosystem == 'npm_and_yarn' }}
  ref: ${{ github.head_ref }}
  token: ${{ env.GITHUB_TOKEN }}
- - id: gpg-import
- name: Import GPG key
- if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
- uses: crazy-max/ghaction-import-gpg@v5.1.0
- with:
- git_commit_gpgsign: true
- git_config_global: true
- git_user_signingkey: true
- gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
- # todo: remove when https://github.com/crazy-max/ghaction-import-gpg/issues/118 is resolved
- - id: gpg-trust
- name: Set trust on GPG key
- if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
- run: |
- gpg --no-tty --command-fd 0 --edit-key ${{ steps.gpg-import.outputs.keyid }} << EOTRUST
- trust
- 5
- y
- quit
- EOTRUST
- - id: lockfile-fix
- name: Fix yarn.lock
- if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
- run: yarn --mode=update-lockfile
- - id: dedupe
- name: Deduplicate dependencies
- if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
- run: yarn dedupe --mode=update-lockfile
- - id: lockfile-push
- name: Push yarn.lock
- if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
- run: |
- git add yarn.lock
- git status
- git diff-index --quiet HEAD || git commit -m "$COMMIT_MESSAGE" && git push -f
- env:
- GIT_AUTHOR_EMAIL: ${{ steps.gpg-import.outputs.email }}
- GIT_AUTHOR_NAME: ${{ steps.gpg-import.outputs.name }}
- GIT_COMMITTER_EMAIL: ${{ steps.gpg-import.outputs.email }}
- GIT_COMMITTER_NAME: ${{ steps.gpg-import.outputs.name }}
- COMMIT_MESSAGE: '[dependabot skip] chore(yarn): fix lockfile for @dependabot'
  - id: approve-pr
  name: Approve pull request
+ if: |
+ steps.metadata.outputs.package-ecosystem == 'github_actions' ||
+ steps.metadata.outputs.update-type != 'version-update:semver-major'
  run: gh pr review ${{ github.event.number }} --approve
  - id: enable-auto-merge
  name: Enable auto-merge