@@ -12,157 +12,10 @@ permissions:
1212 statuses : read
1313
1414jobs :
15- create_issue_for_high_critical :
16- runs-on : ubuntu-latest
17-
18- if : github.event.pull_request.user.login == 'dependabot[bot]'
19-
20- steps :
21- - name : Fetch Dependabot metadata
22- id : metadata
23- uses : dependabot/fetch-metadata@v2
24- with :
25- github-token : ${{ secrets.GITHUB_TOKEN }}
26-
27- - name : Create tracking issue for advisory
28- uses : actions/github-script@v7
29- env :
30- GHSA : ${{ steps.metadata.outputs.ghsa-id }}
31- PACKAGE : ${{ steps.metadata.outputs.dependency-names }}
32- PREVIOUS_VERSION : ${{ steps.metadata.outputs.previous-version }}
33- NEW_VERSION : ${{ steps.metadata.outputs.new-version }}
34- UPDATE_TYPE : ${{ steps.metadata.outputs.update-type }}
35- DEPENDENCY_TYPE : ${{ steps.metadata.outputs.dependency-type }}
36- with :
37- github-token : ${{ secrets.GITHUB_TOKEN }}
38- script : |
39- const { owner, repo } = context.repo;
40- const pr = context.payload.pull_request;
41-
42- const pkg = process.env.PACKAGE || 'unknown-package';
43- const ghsa = process.env.GHSA || '';
44- const previousVersion = process.env.PREVIOUS_VERSION || 'unknown';
45- const newVersion = process.env.NEW_VERSION || 'unknown';
46- const updateType = process.env.UPDATE_TYPE || 'unknown';
47- const dependencyType = process.env.DEPENDENCY_TYPE || 'unknown';
48- const alertUrl = pr.html_url; // link to PR as the "alert" surface
49-
50- const teamMention = '@Dopeamin';
51-
52- const title = ghsa
53- ? `[Dependabot] Advisory for ${pkg} (${ghsa})`
54- : `[Dependabot] Update for ${pkg} (${previousVersion} → ${newVersion})`;
55-
56- // Avoid duplicates: search by GHSA id or package/version in title
57- const duplicateQuery = ghsa
58- ? `repo:${owner}/${repo} "${ghsa}" in:title is:issue`
59- : `repo:${owner}/${repo} "${pkg}" "${newVersion}" in:title is:issue`;
60- const search = await github.rest.search.issuesAndPullRequests({
61- q: duplicateQuery,
62- });
63-
64- if (search.data.total_count > 0) {
65- console.log('Issue already exists for this advisory, skipping.');
66- return;
67- }
68-
69- const details = [
70- `- **Package**: \`${pkg}\``,
71- `- **Update**: \`${previousVersion}\` → \`${newVersion}\``,
72- `- **Update type**: ${updateType}`,
73- `- **Dependency type**: ${dependencyType}`,
74- `- **PR**: #${pr.number}`,
75- ];
76-
77- if (ghsa) {
78- details.splice(2, 0, `- **Advisory (GHSA)**: \`${ghsa}\``);
79- }
80-
81- const body = `${teamMention}
82-
83- A new Dependabot pull request requires attention.
84-
85- ${details.join('\n')}
86-
87- This issue was created automatically by a GitHub Actions workflow.`;
88-
89- const labels = ['dependabot'];
90- if (ghsa) {
91- labels.push('security');
92- }
93- await github.rest.issues.create({
94- owner,
95- repo,
96- title,
97- body,
98- labels,
99- assignees: ['Dopeamin'],
100- });
101-
102- auto_merge_dependabot :
103- runs-on : ubuntu-latest
104- needs : create_issue_for_high_critical
105- if : github.event.pull_request.user.login == 'dependabot[bot]'
106-
107- steps :
108- - name : Check if all required checks passed
109- id : status
110- uses : actions/github-script@v7
111- with :
112- github-token : ${{ secrets.GITHUB_TOKEN }}
113- script : |
114- const { owner, repo } = context.repo;
115- const pr = context.payload.pull_request;
116- const sha = pr.head.sha;
117-
118- // Combined status (old API)
119- const { data: combined } = await github.rest.repos.getCombinedStatusForRef({
120- owner,
121- repo,
122- ref: sha,
123- });
124-
125- // Checks API (GitHub Actions and other checks)
126- const { data: checks } = await github.rest.checks.listForRef({
127- owner,
128- repo,
129- ref: sha,
130- });
131-
132- const allStatusesSuccess =
133- (combined.state === 'success' || combined.state === 'pending') &&
134- combined.statuses.every(s =>
135- ['success', 'neutral', 'skipped', 'pending'].includes(s.state)
136- );
137-
138- const allChecksSuccess =
139- checks.check_runs.length === 0 ||
140- checks.check_runs.every(c =>
141- ['success', 'neutral', 'skipped'].includes(c.conclusion)
142- );
143-
144- if (!allStatusesSuccess || !allChecksSuccess) {
145- core.info('Not all checks are successful yet – skipping merge.');
146- core.setOutput('can_merge', 'false');
147- } else {
148- core.info('All checks look good – ready to merge.');
149- core.setOutput('can_merge', 'true');
150- }
151-
152- - name : Merge Dependabot PR
153- if : steps.status.outputs.can_merge == 'true'
154- uses : actions/github-script@v7
155- with :
156- github-token : ${{ secrets.GITHUB_TOKEN }}
157- script : |
158- const { owner, repo } = context.repo;
159- const pr = context.payload.pull_request;
160-
161- await github.rest.pulls.merge({
162- owner,
163- repo,
164- pull_number: pr.number,
165- merge_method: 'squash', // or 'merge' / 'rebase'
166- });
167-
168- core.info(`Merged Dependabot PR #${pr.number}`);
15+ dependabot-security :
16+ uses : corbado/ci-templates/.github/workflows/dependabot-security.yml@main
17+ secrets :
18+ repo-token : ${{ secrets.GITHUB_TOKEN }}
19+ with :
20+ auto-merge : true # or false for "issue only"
21+ team_mention : " @Dopeamin / @snacker81" # optional override
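Review bot: The new `uses:` line references the reusable workflow at `@main`, a mutable ref, so anyone who can push to `corbado/ci-templates` can change what this repo auto-merges (`auto-merge: true`) without any change here; pin it to a release tag or, better, a full commit SHA with the tag in a trailing comment, e.g. `uses: corbado/ci-templates/.github/workflows/dependabot-security.yml@<commit-sha>  # vX.Y.Z`. The removed jobs were both gated on `if: github.event.pull_request.user.login == 'dependabot[bot]'`, but the new `dependabot-security` job carries no `if:`, so unless the reusable workflow enforces that check itself (not visible in this hunk) every PR on this trigger becomes a candidate for auto-merge; restoring `if: github.event.pull_request.user.login == 'dependabot[bot]'` on the caller job keeps the gate under this repo's control. The input keys mix `auto-merge` and `team_mention` styles, which is worth checking against the template's declared inputs since a misspelled key is rejected at run time rather than by the editor. The workflow's `on:` and `permissions:` blocks start above the hunk, so whether the caller grants the `pull-requests: write` / `contents: write` that a merge needs cannot be confirmed here.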