feat: add process-dependabot-reusable workflow (Bash-based alternative)
#419
Conversation
…ive) This PR introduces a **reusable GitHub Actions workflow**, `process-dependabot-reusable`, designed to streamline the handling of Dependabot pull requests across repositories — implemented entirely with **shell scripts**. This serves as a Bash-based alternative to #418, which uses TypeScript. ### 🔄 Key Differences from #418 * **Trigger**: Runs on `pull_request_target` (not `push`), which is required by the `dependabot/fetch-metadata` action. * **Implementation**: Written using **standard POSIX tools** with a few dependencies: * **`bash`** – some Bash-specific constructs are used * **`jq`** – for processing JSON output from `dependabot/fetch-metadata` * **`xmlstarlet`** – for parsing `pom.xml` and generating a changelog XML file * **`git`** – to commit and push any changes * **`gh`** – to enable "auto-merge" on the pull request This approach avoids the Node.js/TypeScript toolchain and relies only on standard CLI tools commonly available in CI environments.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
The `apt` command is not recommended for scripting.
|
After running some tests, I identified the following limitations with this workflow stemming from the use of
|
This change splits the Dependabot automation into two reusable workflows: * **Unprivileged workflow** (`analyze-dependabot-reusable`): Runs on `pull_request` with no permissions. It analyzes Dependabot PRs and generates metadata safely. * **Privileged workflow** (`process-dependabot-reusable`): Uses the metadata from the unprivileged step to generate changelog files and enable the "auto-merge" option. Requires access to our GPG key and Personal Access Token.
There was a problem hiding this comment.
Pull Request Overview
This PR adds a new Bash-based reusable GitHub Actions workflow for processing Dependabot pull requests and a complementary workflow for analyzing them.
- Introduces the process-dependabot-reusable workflow that generates changelog entries and enables auto-merge.
- Splits the workflow into two parts (analyze and process) and updates related documentation and examples.
- Adds an XML changelog entry and updates workflow examples to reflect the new structure.
Reviewed Changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| src/site/antora/modules/ROOT/pages/workflows.adoc | Updates documentation to include examples and explanations for the new workflows. |
| src/site/antora/modules/ROOT/examples/process-dependabot.yaml | Provides an example usage of the new process workflow. |
| src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml | Provides an example usage of the new analyze workflow. |
| src/changelog/.12.x.x/add-deploy-profile.xml | Adds a changelog entry documenting the addition of the new workflow. |
| .github/workflows/process-dependabot-reusable.yaml | Implements the workflow that generates changelog entries and enables auto-merge for Dependabot PRs. |
| .github/workflows/analyze-dependabot-reusable.yaml | Implements the workflow to analyze Dependabot PRs and prepare metadata for processing. |
Comments suppressed due to low confidence (2)
.github/workflows/process-dependabot-reusable.yaml:168
- Consider using the PR_URL extracted earlier from the fetched metadata (set in GITHUB_ENV) instead of relying on github.event.pull_request.html_url to ensure consistency across the workflow.
PR_URL: ${{ github.event.pull_request.html_url }}
.github/workflows/process-dependabot-reusable.yaml:104
- [nitpick] The indentation of the 'exit 1' statement (line 106) is inconsistent with the block structure; aligning it with the preceding echo statement will improve readability.
if [[ ! $revision =~ ^[0-9]+\.[0-9]+\.[0-9]+(-SNAPSHOT)?$ ]]; then
|
|
||
| - name: Fetch Dependabot metadata | ||
| id: dependabot | ||
| uses: ppkarwasz/fetch-metadata@feat/multi-versions |
There was a problem hiding this comment.
I presume this will be replaced once dependabot/fetch-metadata#632 is merged.
| # | ||
| # Stores the data required by the process-dependabot-reusable workflow as JSON files. | ||
| # |
There was a problem hiding this comment.
| # | |
| # Stores the data required by the process-dependabot-reusable workflow as JSON files. | |
| # | |
| # Creates the data required by the `process-dependabot-reusable` workflow as JSON files. |
| PULL_REQUEST: ${{ toJSON(github.event.pull_request) }} | ||
| UPDATED_DEPENDENCIES: ${{ steps.dependabot.outputs.updated-dependencies-json }} | ||
| run: | | ||
| mkdir -p dependabot-metadata |
There was a problem hiding this comment.
Is -p necessary here, since we only provide a single folder name?
| echo "$PULL_REQUEST" > dependabot-metadata/pull_request.json | ||
| echo "$UPDATED_DEPENDENCIES" > dependabot-metadata/updated_dependencies.json |
There was a problem hiding this comment.
This is the meat of this entire reusable workflow, 2 LoC, the rest is just ceremony. I think this should consider integrating this into process-d-r, and removing analyze-d-r.
IIRC, you introduce this split for analyze-d-r needs less privileges compared to process-d-r. But the former is useless without the latter, hence, the split just inflates 2 LoC to 55 LoC, not to mention the inflation at call sites invoking these reusables.
| name: Dependabot Analyze PR | ||
|
|
||
| on: | ||
| workflow_call: |
There was a problem hiding this comment.
| workflow_call: | |
| workflow_call: { } |
| - name: Create changelog entries | ||
| shell: bash | ||
| run: | |
There was a problem hiding this comment.
I'd really appreciate it if you can ventilate this big chunk of code with some empty lines delimiting the blocks by their semantics.
| done | ||
| - name: Set up GPG | ||
| uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # 6.3.0 |
There was a problem hiding this comment.
"In crazy-max we trust." ™️ We won't be shot by the ASF police for using this, right?
| git add src/changelog | ||
| git config user.name "$USER_NAME" | ||
| git config user.email "$USER_EMAIL" | ||
| git commit -S -m "Generate changelog entries for PR #$PR_ID" |
There was a problem hiding this comment.
| git commit -S -m "Generate changelog entries for PR #$PR_ID" | |
| git commit -S -m "Generate changelog entries for #$PR_ID" |
| # tag::analyze-dependabot[] | ||
| analyze-dependabot: | ||
| # Skip this workflow on commits not pushed by Dependabot | ||
| if: ${{ github.actor == 'dependabot[bot]' }} |
There was a problem hiding this comment.
I'd keep the extra check against the repository for DiD reasons:
| if: ${{ github.actor == 'dependabot[bot]' }} | |
| if: ${{ github.repository == 'apache/logging-parent' && github.actor == 'dependabot[bot]' }} |
(I don't know if above change necessitates an workflows.adoc update.)
| # tag::process-dependabot[] | ||
| process-dependabot: | ||
| # Skip this workflow on commits not pushed by Dependabot | ||
| if: ${{ github.event.workflow_run.conclusion == 'success' && github.actor == 'dependabot[bot]' }} |
There was a problem hiding this comment.
Again, I'd keep the repository name validation.
2 participants
This PR introduces a reusable GitHub Actions workflow,
process-dependabot-reusable, designed to streamline the handling of Dependabot pull requests across repositories — implemented entirely with shell scripts.This serves as a Bash-based alternative to #418, which uses TypeScript.
🔄 Key Differences from #418
Trigger: Runs on
pull_request_target(notpush), which is required by thedependabot/fetch-metadataaction.Implementation: Written using standard POSIX tools with a few dependencies:
bash– some Bash-specific constructs are usedjq– for processing JSON output fromdependabot/fetch-metadataxmlstarlet– for parsingpom.xmland generating a changelog XML filegit– to commit and push any changesgh– to enable "auto-merge" on the pull requestThis approach avoids the Node.js/TypeScript toolchain and relies only on standard CLI tools commonly available in CI environments.
Updated version
The updated version of this PR splits the workflow into two parts:
Unprivileged workflow (
analyze-dependabot-reusable):Runs on
pull_requestwith no permissions. It analyzes Dependabot PRs and generates metadata safely.Privileged workflow (
process-dependabot-reusable):Uses the metadata from the unprivileged step to generate changelog files and enable the "auto-merge" option. Requires access to our GPG key and Personal Access Token.