From 637820e132a5ac10d8238fc080f5a8441afba2ac Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Wed, 5 Feb 2025 12:56:25 +0100 Subject: [PATCH 1/7] Automatically update Dependabot pull requests --- .github/workflows/update-pull-request.yml | 37 ++++++++++++++++++----- 1 file changed, 30 insertions(+), 7 deletions(-) diff --git a/.github/workflows/update-pull-request.yml b/.github/workflows/update-pull-request.yml index 3b8ced51f6..081030db68 100644 --- a/.github/workflows/update-pull-request.yml +++ b/.github/workflows/update-pull-request.yml @@ -4,8 +4,23 @@ on: issue_comment: types: - created + pull_request: + types: + - opened + - synchronize jobs: + is-dependabot: + name: Determine whether this pull request was opened by Dependabot + if: ${{ github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'MetaMask/snaps' }} + runs-on: ubuntu-latest + outputs: + IS_DEPENDABOT: ${{ steps.is-dependabot.outputs.IS_DEPENDABOT }} + steps: + - name: Determine whether this PR was opened by Dependabot + id: is-dependabot + run: echo "IS_DEPENDABOT=true" >> "$GITHUB_OUTPUT" + is-fork-pull-request: name: Determine whether this issue comment was on a pull request from a fork if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot update-pr') }} @@ -24,9 +39,11 @@ jobs: react-to-comment: name: React to the comment runs-on: ubuntu-latest - needs: is-fork-pull-request + needs: + - is-fork-pull-request + - is-dependabot # Early exit if this is a fork, since later steps are skipped for forks. - if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }} + if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' && needs.is-dependabot.outputs.IS_DEPENDABOT != 'true' }} steps: - name: Checkout repository uses: actions/checkout@v4 
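Review bot: In the `@@ -24,9 +39,11 @@` hunk, `react-to-comment` now needs both `is-fork-pull-request` and `is-dependabot`, but those two gate jobs have mutually exclusive `if` conditions (one requires an issue comment, the other `github.event_name == 'pull_request'`), so one of them is skipped on every run. A job whose `needs` entry was skipped is itself skipped unless its own `if` contains a status function, so `react-to-comment` would stop running for `@metamaskbot update-pr` comments. The `prepare` hunk (`@@ -46,9 +63,11 @@`) has the same problem for both triggers. Prefixing the conditions with a status check keeps the gating while letting the job evaluate its own expression, e.g. `if: ${{ !cancelled() && !failure() && (needs.is-dependabot.outputs.IS_DEPENDABOT == 'true' || needs.is-fork-pull-request.outputs.IS_FORK == 'false') }}`. Jobs further down the `needs` chain may need the same prefix, and both job bodies continue outside the hunks.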
@@ -46,9 +63,11 @@ jobs: prepare: name: Prepare dependencies runs-on: ubuntu-latest - needs: is-fork-pull-request + needs: + - is-fork-pull-request + - is-dependabot # Early exit if this is a fork, since later steps are skipped for forks. - if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }} + if: ${{ needs.is-dependabot.outputs.IS_DEPENDABOT == 'true' || needs.is-fork-pull-request.outputs.IS_FORK == 'false' }} outputs: COMMIT_SHA: ${{ steps.commit-sha.outputs.COMMIT_SHA }} steps: @@ -174,6 +193,7 @@ jobs: name: Commit result runs-on: ubuntu-latest needs: + - is-dependabot - prepare - dedupe-yarn-lock - regenerate-lavamoat-policies @@ -203,10 +223,13 @@ jobs: path: yarn.lock key: cache-yarn-lock-${{ needs.prepare.outputs.COMMIT_SHA }} fail-on-cache-miss: true + - name: Set commit prefix + if: ${{ needs.is-dependabot.outputs.IS_DEPENDABOT == 'true' }} + run: echo "COMMIT_PREFIX='[dependabot skip] '" >> "$GITHUB_ENV" - name: Commit yarn.lock run: | git add yarn.lock - git commit -m "Deduplicate yarn.lock" || true + git commit -m "${COMMIT_PREFIX}Deduplicate yarn.lock" || true - name: Restore LavaMoat policies uses: actions/cache/restore@v4 with: @@ -216,7 +239,7 @@ jobs: - name: Commit LavaMoat policies run: | git add packages/snaps-execution-environments/lavamoat - git commit -m "Update LavaMoat policies" || true + git commit -m "${COMMIT_PREFIX}Update LavaMoat policies" || true - name: Restore examples uses: actions/cache/restore@v4 with: @@ -226,6 +249,6 @@ jobs: - name: Commit examples run: | git add packages/examples/packages - git commit -m "Update example snaps" || true + git commit -m "${COMMIT_PREFIX}Update example snaps" || true - name: Push changes run: git push From 06b5ec35bd521072e05d56d61a5b0f59cc17ace6 Mon Sep 17 00:00:00 2001 
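Review bot: The `Set commit prefix` step in the `@@ -203,10 +223,13 @@` hunk writes the single quotes into the variable, because everything after the `=` on a line appended to `$GITHUB_ENV` is taken literally. The commits would therefore read `'[dependabot skip] 'Deduplicate yarn.lock`. Dependabot should still find the marker as a substring, but the stray quotes end up in history for all three commit steps (`@@ -216,7 +239,7 @@` and `@@ -226,6 +249,6 @@` use the same variable). Dropping the inner quotes avoids that: `run: echo "COMMIT_PREFIX=[dependabot skip] " >> "$GITHUB_ENV"`. If the trailing space turns out not to survive the env file, put the space in the `git commit -m` strings instead.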
From: Maarten Zuidhoorn Date: Wed, 5 Feb 2025 13:07:52 +0100 Subject: [PATCH 2/7] Call workflow from main workflow --- .github/workflows/main.yml | 7 ++++++ .github/workflows/update-pull-request.yml | 26 ++++++++--------------- 2 files changed, 16 insertions(+), 17 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f873494c4d..b0100fa245 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -20,6 +20,13 @@ jobs: run: ${{ steps.download-actionlint.outputs.executable }} -color shell: bash + update-pull-request: + name: Update pull request + if: ${{ github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' }} + uses: ./.github/workflows/update-pull-request.yml + with: + dependabot: true + lint-build-test: name: Build, lint, and test needs: check-workflows diff --git a/.github/workflows/update-pull-request.yml b/.github/workflows/update-pull-request.yml index 081030db68..dc2804249c 100644 --- a/.github/workflows/update-pull-request.yml +++ b/.github/workflows/update-pull-request.yml @@ -4,23 +4,18 @@ on: issue_comment: types: - created + workflow_call: + inputs: + dependabot: + type: boolean + required: false + default: false pull_request: types: - opened - synchronize jobs: - is-dependabot: - name: Determine whether this pull request was opened by Dependabot - if: ${{ github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'MetaMask/snaps' }} - runs-on: ubuntu-latest - outputs: - IS_DEPENDABOT: ${{ steps.is-dependabot.outputs.IS_DEPENDABOT }} - steps: - - name: Determine whether this PR was opened by Dependabot - id: is-dependabot - run: echo "IS_DEPENDABOT=true" >> "$GITHUB_OUTPUT" - is-fork-pull-request: name: Determine whether this issue comment was on a pull request from a fork if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '@metamaskbot update-pr') }} 
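Review bot: The `if` on the new `update-pull-request` job in `main.yml` (`@@ -20,6 +20,13 @@`) drops the `github.repository == 'MetaMask/snaps'` guard that the `is-dependabot` job removed in this commit carried. Dependabot pull requests in forks would then also invoke the update workflow, where the push credentials are presumably absent and the run can only fail. Keeping the guard is cheap: `if: ${{ github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'MetaMask/snaps' }}`. A one-line comment above the job would also help, for example `# Only Dependabot-authored pull requests in the upstream repository are updated automatically.`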
@@ -41,9 +36,8 @@ jobs: runs-on: ubuntu-latest needs: - is-fork-pull-request - - is-dependabot # Early exit if this is a fork, since later steps are skipped for forks. - if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' && needs.is-dependabot.outputs.IS_DEPENDABOT != 'true' }} + if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' && inputs.dependabot == false }} steps: - name: Checkout repository uses: actions/checkout@v4 @@ -65,9 +59,8 @@ jobs: runs-on: ubuntu-latest needs: - is-fork-pull-request - - is-dependabot # Early exit if this is a fork, since later steps are skipped for forks. - if: ${{ needs.is-dependabot.outputs.IS_DEPENDABOT == 'true' || needs.is-fork-pull-request.outputs.IS_FORK == 'false' }} + if: ${{ needs.is-fork-pull-request.outputs.IS_FORK == 'false' }} outputs: COMMIT_SHA: ${{ steps.commit-sha.outputs.COMMIT_SHA }} steps: @@ -193,7 +186,6 @@ jobs: name: Commit result runs-on: ubuntu-latest needs: - - is-dependabot - prepare - dedupe-yarn-lock - regenerate-lavamoat-policies @@ -224,7 +216,7 @@ jobs: key: cache-yarn-lock-${{ needs.prepare.outputs.COMMIT_SHA }} fail-on-cache-miss: true - name: Set commit prefix - if: ${{ needs.is-dependabot.outputs.IS_DEPENDABOT == 'true' }} + if: ${{ inputs.dependabot == true }} run: echo "COMMIT_PREFIX='[dependabot skip] '" >> "$GITHUB_ENV" - name: Commit yarn.lock run: | From 2eeada3bc33e9d5327a9242854d3ca762c099326 Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Wed, 5 Feb 2025 13:08:07 +0100 Subject: [PATCH 3/7] Remove pull request trigger --- .github/workflows/update-pull-request.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/update-pull-request.yml b/.github/workflows/update-pull-request.yml index dc2804249c..18e028f2c8 100644 --- a/.github/workflows/update-pull-request.yml +++ b/.github/workflows/update-pull-request.yml 
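Review bot: With the Dependabot disjunct removed from `prepare`'s condition in the `@@ -65,9 +59,8 @@` hunk, a `workflow_call` run has no way to reach it. `is-fork-pull-request` only runs for `@metamaskbot update-pr` comments, so on a call from `main.yml` it is skipped, `IS_FORK` is empty, and `prepare` and everything that needs it is skipped too. A condition such as `if: ${{ !cancelled() && !failure() && (inputs.dependabot == true || needs.is-fork-pull-request.outputs.IS_FORK == 'false') }}` would let the called run proceed, and the `# Early exit if this is a fork…` comment above it should then mention the Dependabot path as well. `prepare`'s steps are outside the hunk, so this reading rests only on the conditions visible here.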
@@ -10,10 +10,6 @@ on: type: boolean required: false default: false - pull_request: - types: - - opened - - synchronize jobs: is-fork-pull-request: From 5787d193874cc5c28d304259200aba29b3cb4ee8 Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Wed, 5 Feb 2025 13:18:44 +0100 Subject: [PATCH 4/7] Forward secrets --- .github/workflows/main.yml | 3 +++ .github/workflows/update-pull-request.yml | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b0100fa245..602464d7c4 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -26,6 +26,9 @@ jobs: uses: ./.github/workflows/update-pull-request.yml with: dependabot: true + secrets: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PULL_REQUEST_UPDATE_TOKEN: ${{ secrets.PULL_REQUEST_UPDATE_TOKEN }} lint-build-test: name: Build, lint, and test diff --git a/.github/workflows/update-pull-request.yml b/.github/workflows/update-pull-request.yml index 18e028f2c8..6a426f6082 100644 --- a/.github/workflows/update-pull-request.yml +++ b/.github/workflows/update-pull-request.yml @@ -5,6 +5,11 @@ on: types: - created workflow_call: + secrets: + GITHUB_TOKEN: + required: true + PULL_REQUEST_UPDATE_TOKEN: + required: true inputs: dependabot: type: boolean From 4674c171bc0b356187f7d3e55e1e08a0a00a6e6f Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Wed, 5 Feb 2025 13:19:08 +0100 Subject: [PATCH 5/7] Add check-workflows as need --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 602464d7c4..7787ab6e80 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -22,6 +22,7 @@ jobs: update-pull-request: name: Update pull request + needs: check-workflows if: ${{ github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' }} uses: ./.github/workflows/update-pull-request.yml with: 
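Review bot: The `secrets:` block added to `update-pull-request` in `main.yml` (`@@ -26,6 +26,9 @@`) hands `PULL_REQUEST_UPDATE_TOKEN` to a run that starts automatically on every Dependabot pull request, with no maintainer comment gating it. Runs that Dependabot triggers only receive Dependabot secrets, so unless the token is also stored as one, `secrets.PULL_REQUEST_UPDATE_TOKEN` resolves to an empty value there and the push will most likely fail. If it is stored as a Dependabot secret, it should be referenced only in the job that pushes, never in the jobs that install or build the freshly bumped dependencies, and its scope kept to what the push needs. Which jobs read the token is not visible in these hunks, so that is worth confirming. A comment next to the secret would record the requirement, for example `# Must also exist as a Dependabot secret; used only by the job that pushes.`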
From c6a515a45ba99ce5ac111df5d0e97cd301a177c9 Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Wed, 5 Feb 2025 13:36:00 +0100 Subject: [PATCH 6/7] Remove GITHUB_TOKEN secret --- .github/workflows/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 7787ab6e80..4f9b85bc87 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -28,7 +28,6 @@ jobs: with: dependabot: true secrets: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PULL_REQUEST_UPDATE_TOKEN: ${{ secrets.PULL_REQUEST_UPDATE_TOKEN }} lint-build-test: From 1057c837033fca3e1c5e610fddd6a36a41ed1313 Mon Sep 17 00:00:00 2001 From: Maarten Zuidhoorn Date: Wed, 5 Feb 2025 13:36:33 +0100 Subject: [PATCH 7/7] Remove GITHUB_TOKEN secret from workflow_call secrets as well --- .github/workflows/update-pull-request.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/update-pull-request.yml b/.github/workflows/update-pull-request.yml index 6a426f6082..cca892db0a 100644 --- a/.github/workflows/update-pull-request.yml +++ b/.github/workflows/update-pull-request.yml @@ -6,8 +6,6 @@ on: - created workflow_call: secrets: - GITHUB_TOKEN: - required: true PULL_REQUEST_UPDATE_TOKEN: required: true inputs: