
Conversation

@rafaeltonholo (Member) wrote:

Whenever @dependabot updates an Android version, the app will challenge the new version with the dependency guard, and the CI will fail.

This PR creates a workflow that triggers whenever @dependabot opens, reopens or updates a PR, and updates the dependency guard if required.

@wmontwe (Member) previously approved these changes Sep 17, 2025 and left a comment:

LGTM

@coreycb (Collaborator) commented Sep 17, 2025:

I don't think the git push will work because the default permissions for actions on this repo don't allow write. I would hope those settings apply to PR branches as well. I think we should be reducing the "permissions:" of the GITHUB_TOKEN to at least read, and instead use actions/create-github-app-token.

@rafaeltonholo (Member, Author) replied:

> I don't think the git push will work because the default permissions for actions on this repo don't allow write. I would hope those settings apply to PR branches as well. I think we should be reducing the "permissions:" of the GITHUB_TOKEN to at least read, and instead use actions/create-github-app-token.

Since this only pushes to the pull request's branch, I don't think it will require any special permissions. I reviewed the documentation again and realized that I had missed adding the ref parameter to actions/checkout. This is likely going to cause an issue, as it checks out in detached HEAD mode.

Aside from that adjustment, I believe we should be able to commit and push without any issues. I don't think we need a custom token for this, as it still requires approval as part of the pull request process.
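To make the discussion above concrete, here is an added example of what such a workflow can look like; it is not the workflow file from this PR or from the thunderbird-android project. It assumes the project builds with Gradle and uses the dependency-guard plugin's `dependencyGuardBaseline` task, assumes JDK 17, and uses an illustrative file path. It shows the two points raised in the thread: the token is kept read-only at workflow level and widened to `contents: write` only for the single job that pushes, and `actions/checkout` is given `ref` so the job is on the PR branch rather than the detached merge commit.

```yaml
# .github/workflows/dependabot-dependency-guard.yml   (illustrative path, not the project's)
name: Update dependency guard for Dependabot PRs

on:
  pull_request:
    types: [opened, reopened, synchronize]

# Least privilege: the workflow-level GITHUB_TOKEN is read-only. Runs triggered by
# Dependabot PRs get a read-only token by default anyway, so the one job that needs
# to push declares contents: write explicitly instead of relying on repo defaults.
permissions:
  contents: read

jobs:
  update-dependency-guard:
    # Only act on PRs authored by Dependabot; other PRs keep the normal CI check.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          # Without ref, pull_request events check out a detached merge commit,
          # so a later `git push` would have no branch to push to.
          ref: ${{ github.head_ref }}

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17          # assumption: JDK version the project builds with

      # Regenerate the baseline files. dependencyGuardBaseline is the dependency-guard
      # plugin's task; that the project wires it this way is an assumption.
      - name: Regenerate dependency guard baseline
        run: ./gradlew dependencyGuardBaseline

      - name: Commit and push updated baseline only if something changed
        env:
          # Pass the branch name through an env var rather than interpolating
          # ${{ }} directly into the shell, so the script is not built from PR data.
          HEAD_REF: ${{ github.head_ref }}
        run: |
          if git diff --quiet; then
            echo "Dependency guard baseline already up to date; nothing to commit."
            exit 0
          fi
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add -A
          git commit -m "ci: update dependency guard baseline for Dependabot update"
          git push origin "HEAD:$HEAD_REF"
```

One trade-off worth knowing when choosing between GITHUB_TOKEN and an app token, as @coreycb suggested: a commit pushed with GITHUB_TOKEN does not start new workflow runs, so the PR's regular checks will not rerun on the baseline commit by themselves, whereas a push made with an installation token from actions/create-github-app-token does trigger them. The `if: github.actor == 'dependabot[bot]'` guard and the job-scoped `contents: write` keep the write grant limited to exactly the case the workflow exists for.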

@rafaeltonholo rafaeltonholo force-pushed the ci/add-dependabot-dependency-guard-update-workflow branch from d87644f to 02deb27 Compare September 17, 2025 14:18
@rafaeltonholo rafaeltonholo force-pushed the ci/add-dependabot-dependency-guard-update-workflow branch from 02deb27 to c72d3a3 Compare September 17, 2025 14:21
@coreycb (Collaborator) commented Sep 17, 2025:

> > I don't think the git push will work because the default permissions for actions on this repo don't allow write. I would hope those settings apply to PR branches as well. I think we should be reducing the "permissions:" of the GITHUB_TOKEN to at least read, and instead use actions/create-github-app-token.
>
> Since this only pushes to the pull request's branch, I don't think it will require any special permissions. I reviewed the documentation again and realized that I had missed adding the ref parameter to actions/checkout. This is likely going to cause an issue, as it checks out in detached HEAD mode.
>
> Aside from that adjustment, I believe we should be able to commit and push without any issues. I don't think we need a custom token for this, as it still requires approval as part of the pull request process.

I agree and the permissions should be reduced to read already based on the repo settings. LGTM

@rafaeltonholo rafaeltonholo merged commit 1907b4f into thunderbird:main Sep 17, 2025
13 checks passed
@rafaeltonholo rafaeltonholo deleted the ci/add-dependabot-dependency-guard-update-workflow branch September 17, 2025 15:39
@thunderbird-botmobile thunderbird-botmobile bot added this to the Thunderbird 14 milestone Sep 17, 2025
rafaeltonholo added a commit to rafaeltonholo/thunderbird-android that referenced this pull request Oct 10, 2025
…bot-dependency-guard-update-workflow

ci(dependabot): add workflow to automatically update dependency guard when dependabot creates a PR