Skip to content

feat: Add support for repository search query to optimize repo enumeration #373

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
zkoppert merged 15 commits into from
Jul 16, 2025
Merged

feat: Add support for repository search query to optimize repo enumeration #373

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
a6015e0
Initial plan
Copilot Jul 7, 2025
9fd6f49
Initial plan
Copilot Jul 7, 2025
9a931c8
docs: Document REPOSITORY_SEARCH_QUERY in README
Copilot Jul 7, 2025
97160b9
fix: formatting fixes
zkoppert Jul 7, 2025
bf5d204
fix: replace non-descriptive link text for encrypted secrets
Copilot Jul 7, 2025
0b1806f
docs: add EOF blank line
zkoppert Jul 7, 2025
1d82024
fix:make linter happierrr
zkoppert Jul 7, 2025
f4e622e
ci: try getting the linter to fix itself
zkoppert Jul 7, 2025
b6e63c4
Merge branch 'main' into copilot/fix-372
zkoppert Jul 7, 2025
7a53a25
fix: rm catch for import error
zkoppert Jul 8, 2025
62e4146
feat: require org, repos, or search query
zkoppert Jul 8, 2025
0a24042
test: fix tests by including search_query where needed
zkoppert Jul 8, 2025
fed4054
test: add get_repos_iterator search_query test
Copilot Jul 8, 2025
fc92de9
fix: convert search iterator results to list of short repositories to…
zkoppert Jul 8, 2025
6f2a744
test: fix test by mocking returns
zkoppert Jul 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/workflows/super-linter.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,3 +35,4 @@ jobs:
DEFAULT_BRANCH: main
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_ACTIONS_COMMAND_ARGS: -shellcheck=
FIX_MARKDOWN_PRETTIER: true
53 changes: 48 additions & 5 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,6 @@ All feedback regarding our GitHub Actions, as a whole, should be communicated th
1. Select a best fit workflow file from the [examples below](#example-workflows).
1. Copy that example into your repository (from step 1) and into the proper directory for GitHub Actions: `.github/workflows/` directory with the file extension `.yml` (ie. `.github/workflows/evergreen.yml`)
1. Edit the values below from the sample workflow with your information:

- `ORGANIZATION`
- `TEAM_NAME`
- `REPOSITORY`
Expand All @@ -51,7 +50,6 @@ All feedback regarding our GitHub Actions, as a whole, should be communicated th
1. Also edit the value for `GH_ENTERPRISE_URL` if you are using a GitHub Server and not using github.com.
For github.com users, leave it empty.
1. Update the value of `GH_TOKEN`. Do this by creating a [GitHub API token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic) with the following permissions:

- If using **classic tokens**:
- `workflow`, this will set also all permissions for `repo`
- under `admin`, `read:org` and `write:org`
Expand All @@ -65,7 +63,7 @@ All feedback regarding our GitHub Actions, as a whole, should be communicated th
Then finally update the workflow file to use that repository secret by changing `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to `GH_TOKEN: ${{ secrets.GH_TOKEN }}`.
The name of the secret can really be anything, it just needs to match between when you create the secret name and when you refer to it in the workflow file.

1. If you want the resulting issue with the output to appear in a different repository other than the one the workflow file runs in, update the line `token: ${{ secrets.GITHUB_TOKEN }}` with your own GitHub API token stored as a repository secret. This process is the same as described in the step above. More info on creating secrets can be found [here](https://docs.github.com/en/actions/security-guides/encrypted-secrets).
1. If you want the resulting issue with the output to appear in a different repository other than the one the workflow file runs in, update the line `token: ${{ secrets.GITHUB_TOKEN }}` with your own GitHub API token stored as a repository secret. This process is the same as described in the step above. More info on creating secrets can be found in the [GitHub documentation on encrypted secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets).
1. Commit the workflow file to the default branch (often `master` or `main`)
1. Wait for the action to trigger based on the `schedule` entry or manually trigger the workflow as shown in the [documentation](https://docs.github.com/en/actions/using-workflows/manually-running-a-workflow).

Expand Down Expand Up @@ -105,8 +103,9 @@ The needed GitHub app permissions are the following under `Repository permission
| field | required | default | description |
| -------------------------- | ----------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `GH_ENTERPRISE_URL` | False | "" | The `GH_ENTERPRISE_URL` is used to connect to an enterprise server instance of GitHub, ex: `https://yourgheserver.com`.<br>github.com users should not enter anything here. |
| `ORGANIZATION` | Required to have `ORGANIZATION` or `REPOSITORY` | | The name of the GitHub organization which you want this action to work from. ie. github.com/github would be `github` |
| `REPOSITORY` | Required to have `ORGANIZATION` or `REPOSITORY` | | The name of the repository and organization which you want this action to work from. ie. `github/evergreen` or a comma separated list of multiple repositories `github/evergreen,super-linter/super-linter` |
| `ORGANIZATION` | Required to have `ORGANIZATION` or `REPOSITORY` or `REPOSITORY_SEARCH_QUERY` | | The name of the GitHub organization which you want this action to work from. ie. github.com/github would be `github` |
| `REPOSITORY` | Required to have `ORGANIZATION` or `REPOSITORY` or `REPOSITORY_SEARCH_QUERY` | | The name of the repository and organization which you want this action to work from. ie. `github/evergreen` or a comma separated list of multiple repositories `github/evergreen,super-linter/super-linter` |
| `REPOSITORY_SEARCH_QUERY` | Required to have `ORGANIZATION` or `REPOSITORY` or `REPOSITORY_SEARCH_QUERY` | "" | When set, directs the action to use the GitHub Search API to search repositories matching this query instead of enumerating all organization repositories. This overrides anything set in the `REPOSITORY` and `ORGANIZATION` variables. Example: `org:my-org is:repository archived:false created:>2025-07-01`. |
| `EXEMPT_REPOS` | False | "" | These repositories will be exempt from this action considering them for dependabot enablement. ex: If my org is set to `github` then I might want to exempt a few of the repos but get the rest by setting `EXEMPT_REPOS` to `github/evergreen,github/contributors` |
| `TYPE` | False | pull | Type refers to the type of action you want taken if this workflow determines that dependabot could be enabled. Valid values are `pull` or `issue`. |
| `TITLE` | False | "Enable Dependabot" | The title of the issue or pull request that will be created if dependabot could be enabled. |
Expand Down Expand Up @@ -257,6 +256,50 @@ jobs:
run: cat summary.md >> $GITHUB_STEP_SUMMARY
```

#### Using REPOSITORY_SEARCH_QUERY

```yaml
---
name: Weekly dependabot checks
on:
workflow_dispatch:
schedule:
- cron: "3 2 * * 6"

permissions:
contents: read

jobs:
evergreen:
name: evergreen
runs-on: ubuntu-latest
permissions:
issues: write

steps:
- shell: bash
run: |
# Get the current date
current_date=$(date +'%Y-%m-%d')

# Calculate the previous month
previous_date=$(date -d "$current_date -7 day" +'%Y-%m-%d')

echo "$previous_date..$current_date"
echo "one_week_ago=$previous_date" >> "$GITHUB_ENV"

- name: Run evergreen action
uses: github/evergreen@v1
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPOSITORY_SEARCH_QUERY: "org:your_organization is:repository is:public archived:false created:>${{ env.one_week_ago }}"
TITLE: "Add dependabot configuration"
BODY: "Please add this dependabot configuration so that we can keep the dependencies in this repo up to date and secure. for help, contact XXX"

- name: Post evergreen job summary
run: cat summary.md >> $GITHUB_STEP_SUMMARY
```

#### Using GitHub app

```yaml
Expand Down
Loading
Loading