From bd14eed0c6df3d0f80ef0261905f3ab3b100f5a4 Mon Sep 17 00:00:00 2001 From: Frederic BIDON Date: Wed, 31 Jan 2024 12:03:59 +0100 Subject: [PATCH 1/2] ci(dependencies): automate dependencies updates Signed-off-by: Frederic BIDON --- .github/dependabot.yaml | 57 ++++++++++++++++++++++++++++++++ .github/workflows/auto-merge.yml | 43 ++++++++++++++++++++++++ .github/workflows/go-test.yml | 8 ++--- 3 files changed, 104 insertions(+), 4 deletions(-) create mode 100644 .github/dependabot.yaml create mode 100644 .github/workflows/auto-merge.yml diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml new file mode 100644 index 0000000..d53b535 --- /dev/null +++ b/.github/dependabot.yaml @@ -0,0 +1,57 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + day: "friday" + open-pull-requests-limit: 2 # <- default is 5 + groups: # <- group all github actions updates in a single PR + # 1. development-dependencies are auto-merged + development-dependencies: + dependency-type: development + patterns: + - '*' + + - package-ecosystem: "gomod" + # We define 4 groups of dependencies to regroup update pull requests: + # - development (e.g. test dependencies) + # - go-openapi updates + # - golang.org (e.g. golang.org/x/... packages) + # - other dependencies (direct or indirect) + # + # * All groups are checked once a week and each produce at most 1 PR. + # * All dependabot PRs are auto-approved + # + # Auto-merging policy, when requirements are met: + # 1. development-dependencies are auto-merged + # 2. golang.org-dependencies are auto-merged + # 3. go-openapi patch updates are auto-merged. Minor/major version updates require a manual merge. + # 4. other dependencies require a manual merge + directory: "/" + schedule: + interval: "weekly" + day: "friday" + open-pull-requests-limit: 4 + groups: + development-dependencies: + dependency-type: development + patterns: + - "github.com/stretchr/testify" + + golang.org-dependencies: + dependency-type: production + patterns: + - "golang.org/*" + + go-openapi-dependencies: + dependency-type: production + patterns: + - "github.com/go-openapi/*" + + other-dependencies: + dependency-type: production + exclude-patterns: + - "github.com/go-openapi/*" + - "github.com/stretchr/testify" + - "golang.org/*" diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml new file mode 100644 index 0000000..7ec23aa --- /dev/null +++ b/.github/workflows/auto-merge.yml @@ -0,0 +1,43 @@ +name: Dependabot auto-merge +on: pull_request + +permissions: + contents: write + pull-requests: write + +jobs: + dependabot: + runs-on: ubuntu-latest + if: github.actor == 'dependabot[bot]' + steps: + - name: Dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@v1 + + - name: Auto-approve all dependabot PRs + run: gh pr review --approve "$PR_URL" + env: + PR_URL: ${{github.event.pull_request.html_url}} + GH_TOKEN: ${{secrets.GITHUB_TOKEN}} + + - name: Auto-merge dependabot PRs for development dependencies + if: contains(steps.metadata.outputs.dependency-group, 'development-dependencies') + run: gh pr merge --auto --rebase "$PR_URL" + env: + PR_URL: ${{github.event.pull_request.html_url}} + GH_TOKEN: ${{secrets.GITHUB_TOKEN}} + + - name: Auto-merge dependabot PRs for go-openapi patches + if: contains(steps.metadata.outputs.dependency-group, 'go-openapi-dependencies') && steps.metadata.outputs.update-type == 'version-update:semver-patch' + run: gh pr merge --auto --rebase "$PR_URL" + env: + PR_URL: ${{github.event.pull_request.html_url}} + GH_TOKEN: ${{secrets.GITHUB_TOKEN}} + + - name: Auto-merge dependabot PRs for golang.org updates + if: contains(steps.metadata.outputs.dependency-group, 'golang.org-dependencies') + run: gh pr merge --auto --rebase "$PR_URL" + env: + PR_URL: ${{github.event.pull_request.html_url}} + GH_TOKEN: ${{secrets.GITHUB_TOKEN}} + diff --git a/.github/workflows/go-test.yml b/.github/workflows/go-test.yml index 62682bf..728b9e5 100644 --- a/.github/workflows/go-test.yml +++ b/.github/workflows/go-test.yml @@ -7,8 +7,8 @@ jobs: name: Lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-go@v4 + - uses: actions/checkout@v4 + - uses: actions/setup-go@v5 with: go-version: stable check-latest: true @@ -31,13 +31,13 @@ jobs: steps: - name: Run unit tests - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: go-version: '${{ matrix.go_version }}' check-latest: true cache: true - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - run: go test -v -race -coverprofile="coverage-${{ matrix.os }}.${{ matrix.go_version }}.out" -covermode=atomic -coverpkg=$(go list)/... ./... From 980264585ad65869505b673cb3df1702ec4400ca Mon Sep 17 00:00:00 2001 From: Frederic BIDON Date: Wed, 31 Jan 2024 13:23:31 +0100 Subject: [PATCH 2/2] ci: auto-merge dependabot PRs * enabled auto-merge for go-openapi minor version bumps, not just patches Signed-off-by: Frederic BIDON --- .github/workflows/auto-merge.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml index 7ec23aa..b4009db 100644 --- a/.github/workflows/auto-merge.yml +++ b/.github/workflows/auto-merge.yml @@ -28,7 +28,7 @@ jobs: GH_TOKEN: ${{secrets.GITHUB_TOKEN}} - name: Auto-merge dependabot PRs for go-openapi patches - if: contains(steps.metadata.outputs.dependency-group, 'go-openapi-dependencies') && steps.metadata.outputs.update-type == 'version-update:semver-patch' + if: contains(steps.metadata.outputs.dependency-group, 'go-openapi-dependencies') && (steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch') run: gh pr merge --auto --rebase "$PR_URL" env: PR_URL: ${{github.event.pull_request.html_url}}