From d8033c5ed210bd7ea77194fe0a3a4a302668152f Mon Sep 17 00:00:00 2001
From: Jonny Cyr
Date: Wed, 29 Nov 2023 16:35:32 -0500
Subject: [PATCH 1/2] SCSZ-1622 added auto merge support
---
 .github/workflows/dependabot-prs.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/dependabot-prs.yml b/.github/workflows/dependabot-prs.yml
index 31a7bac..bae662f 100644
--- a/.github/workflows/dependabot-prs.yml
+++ b/.github/workflows/dependabot-prs.yml
@@ -17,7 +17,10 @@ jobs:
 # a) it has the `development-dependencies` label, which we add for certain
 # categories of PRs (see `.github/dependabot.yml`), OR
 # b) Dependabot has categorized it as a `direct:development` dependency,
- # meaning it's in the Gemfile in a `development` or `test` group
+ # meaning it's in the Gemfile in a `development` or `test` group, OR
+ # c) our scripts have flagged the PR as an automergeable dependency (i.e
+ # a stable dependency with good unit test coverage) that has passed
+ # the waiting period.
 #
 # Note that we also do nothing when the PR has already had auto-merge
 # enabled, to prevent scenarios where this check runs many times (for
@@ -25,7 +28,7 @@ jobs:
 # other PRs are merging and causing this to rebase and trigger another
 # run) and then approves the PR many times, which is confusing and looks
 # awkward.
- if: ${{ !github.event.pull_request.auto_merge && (contains(github.event.pull_request.labels.*.name, 'development-dependencies') || steps.dependabot-metadata.outputs.dependency-type == 'direct:development') }}
+ if: ${{ (github.actor == 'dependabot[bot]' || github.actor == 'panorama-bot-r') && steps.unique-committers.outputs.committers == '["dependabot[bot]"]' && !github.event.pull_request.auto_merge && (contains(github.event.pull_request.labels.*.name, 'development-dependencies') || steps.dependabot-metadata.outputs.dependency-type == 'direct:development' || contains(github.event.pull_request.labels.*.name, 'automerge-dependencies')) }}
 run: gh pr merge --auto --merge "$PR_URL" && gh pr edit "$PR_URL" --remove-label "Needs QA" && gh pr review --approve "$PR_URL"
 env:
 PR_URL: ${{github.event.pull_request.html_url}}
From 7dc2f43feb73cf2abf9c7e2ba6dc634c3dbf0297 Mon Sep 17 00:00:00 2001
From: Jonny Cyr
Date: Thu, 30 Nov 2023 13:25:39 -0500
Subject: [PATCH 2/2] SCSZ-1622 updated to use newest dep conifg
---
 .github/workflows/dependabot-prs.yml | 76 ++++++++++++++++++----------
 1 file changed, 49 insertions(+), 27 deletions(-)
diff --git a/.github/workflows/dependabot-prs.yml b/.github/workflows/dependabot-prs.yml
index bae662f..a43af8c 100644
--- a/.github/workflows/dependabot-prs.yml
+++ b/.github/workflows/dependabot-prs.yml
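Review bot: In patch 1/2, the new `automerge-dependencies` clause in the `if:` of the approve-and-merge step tests only that the label is present, not who applied it, so the comment's claim that "our scripts have flagged the PR" is not something the condition enforces. The actor check does not close that gap, because the label can already be on the PR when a bot-triggered run evaluates the expression. I would restrict who may apply that label and record the assumption next to the condition, e.g. `# 'automerge-dependencies' is trusted as-is; only the flagging script should be able to apply it`. Separately, `steps.unique-committers` has no defining step in this patch (it arrives in 2/2), so at this commit the comparison presumably sees an empty output and the step never runs; squashing the two patches would keep each commit working. The step's `env:` block continues past the end of the hunk.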
@@ -4,32 +4,54 @@ on:
 types: [opened, synchronize, reopened, labeled]
 jobs:
 build:
+ if: startsWith(github.head_ref, 'dependabot/')
 runs-on: ubuntu-latest
- if: ${{ github.actor == 'dependabot[bot]' }}
 steps:
- - name: Fetch Dependabot metadata
- id: dependabot-metadata
- uses: dependabot/fetch-metadata@v1.1.0
- with:
- github-token: "${{ secrets.GITHUB_TOKEN }}"
- - name: Approve and merge Dependabot PRs for development dependencies
- # Auto-merge the PR if either:
- # a) it has the `development-dependencies` label, which we add for certain
- # categories of PRs (see `.github/dependabot.yml`), OR
- # b) Dependabot has categorized it as a `direct:development` dependency,
- # meaning it's in the Gemfile in a `development` or `test` group, OR
- # c) our scripts have flagged the PR as an automergeable dependency (i.e
- # a stable dependency with good unit test coverage) that has passed
- # the waiting period.
- #
- # Note that we also do nothing when the PR has already had auto-merge
- # enabled, to prevent scenarios where this check runs many times (for
- # instance, because removing `Needs QA` triggers another run, or because
- # other PRs are merging and causing this to rebase and trigger another
- # run) and then approves the PR many times, which is confusing and looks
- # awkward.
- if: ${{ (github.actor == 'dependabot[bot]' || github.actor == 'panorama-bot-r') && steps.unique-committers.outputs.committers == '["dependabot[bot]"]' && !github.event.pull_request.auto_merge && (contains(github.event.pull_request.labels.*.name, 'development-dependencies') || steps.dependabot-metadata.outputs.dependency-type == 'direct:development' || contains(github.event.pull_request.labels.*.name, 'automerge-dependencies')) }}
- run: gh pr merge --auto --merge "$PR_URL" && gh pr edit "$PR_URL" --remove-label "Needs QA" && gh pr review --approve "$PR_URL"
- env:
- PR_URL: ${{github.event.pull_request.html_url}}
- GITHUB_TOKEN: ${{secrets.PANORAMA_BOT_RW_TOKEN}}
+ - name: Get unique committers
+ id: unique-committers
+ run: echo "::set-output name=committers::$(gh pr view $PR_URL --json commits --jq '[.commits.[] | .authors.[] | .login] | unique')"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{secrets.PANORAMA_BOT_RW_TOKEN}}
+ # The last step enables auto-merge in certain situations, but we don't want dependabots that require
+ # additional work to accidentally get merged before code review so we turn it off here.
+ - name: Disable auto-merge if there are commits from someone other than Dependabot
+ if: steps.unique-committers.outputs.committers != '["dependabot[bot]"]'
+ run: gh pr merge --disable-auto --merge "$PR_URL"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{secrets.PANORAMA_BOT_RW_TOKEN}}
+ - name: Add the Needs QA label to dependabots after any change by someone other than the dependabot bot
+ # Need to avoid the situation where someone removes the "Needs QA" label and we are adding it back.
+ if: ${{ github.actor != 'dependabot[bot]' && github.event.action != 'labeled' }}
+ run: gh pr edit "$PR_URL" --add-label "Needs QA"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{secrets.PANORAMA_BOT_RW_TOKEN}}
+ - name: Fetch Dependabot metadata
+ if: ${{ github.actor == 'dependabot[bot]' }}
+ id: dependabot-metadata
+ uses: dependabot/fetch-metadata@v1.1.0
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+ - name: Approve and merge Dependabot PRs for development dependencies
+ # Auto-merge the PR if either:
+ # a) it has the `development-dependencies` label, which we add for certain
+ # categories of PRs (see `.github/dependabot.yml`), OR
+ # b) Dependabot has categorized it as a `direct:development` dependency,
+ # meaning it's in the Gemfile in a `development` or `test` group, OR
+ # c) our scripts have flagged the PR as an automergeable dependency (i.e
+ # a stable dependency with good unit test coverage) that has passed
+ # the waiting period.
+ #
+ # Note that we also do nothing when the PR has already had auto-merge
+ # enabled, to prevent scenarios where this check runs many times (for
+ # instance, because removing `Needs QA` triggers another run, or because
+ # other PRs are merging and causing this to rebase and trigger another
+ # run) and then approves the PR many times, which is confusing and looks
+ # awkward.
+ if: ${{ (github.actor == 'dependabot[bot]' || github.actor == 'panorama-bot-r') && steps.unique-committers.outputs.committers == '["dependabot[bot]"]' && !github.event.pull_request.auto_merge && (contains(github.event.pull_request.labels.*.name, 'development-dependencies') || steps.dependabot-metadata.outputs.dependency-type == 'direct:development' || contains(github.event.pull_request.labels.*.name, 'automerge-dependencies')) }}
+ run: gh pr merge --auto --merge "$PR_URL" && gh pr edit "$PR_URL" --remove-label "Needs QA" && gh pr review --approve "$PR_URL"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{secrets.PANORAMA_BOT_RW_TOKEN}}
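Review bot: The job gate `startsWith(github.head_ref, 'dependabot/')` and the `unique-committers` comparison both rest on values that are not authenticated (a branch-name prefix, and author logins derived from commit metadata), yet they decide whether steps holding `PANORAMA_BOT_RW_TOKEN` approve and merge. I would add the PR opener's identity to the job condition, `if: startsWith(github.head_ref, 'dependabot/') && github.event.pull_request.user.login == 'dependabot[bot]'`, and treat the committer list as a tripwire for human follow-up commits rather than as proof of origin. In the "Get unique committers" step, `::set-output` is deprecated and `$PR_URL` is unquoted, unlike in every other step; `run: echo "committers=$(gh pr view "$PR_URL" --json commits --jq '[.commits.[] | .authors.[] | .login] | unique')" >> "$GITHUB_OUTPUT"` addresses both. The trigger event under `on:` sits above the hunk, so which pull requests can reach these secrets cannot be judged from the visible lines.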