ci: Add dependabot automation workflow (#73)
This commit adds a workflow to automate some tedious tasks that I currently have to handle whenever a new Dependabot pull request is opened.

The workflow will first check that there are no failed checks, other than the documentation check, to ensure failed checks aren't automatically merged. This is necessary since checks are not triggered for commits made using the GITHUB_TOKEN automatically created for a given workflow run. Otherwise, I would have been able to blindly update the docs and that check would pass on the next check run.

Once the checks have been validated, the documentation (README) is updated via terraform-docs which is required for every Dependabot commit (and is what I am looking to automate away).

Finally, the pull request is approved and auto-merge is enabled such that the Dependabot PR can be merged and no manual intervention is required.
craigsloggett authored Sep 21, 2024
1 parent a0e890e commit d269264
Showing 1 changed file with 79 additions and 0 deletions.
79 changes: 79 additions & 0 deletions .github/workflows/dependabot.yml
@@ -0,0 +1,79 @@
name: Dependabot Automation

on: pull_request

permissions:
contents: write
pull-requests: write

jobs:
verify-checks:
name: Verify Checks
runs-on: ubuntu-22.04
if: github.event.pull_request.user.login == 'dependabot[bot]'
steps:
- name: Verify Checks
run: |
# Wait for incomplete checks to finish running.
incomplete_check_runs=1
while [ "${incomplete_check_runs}" -ne 0 ]; do
incomplete_check_runs="$( \
curl --silent -L -H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${GH_TOKEN}" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/${{ github.repository }}/commits/${{ github.event.pull_request.head.sha }}/check-runs |
jq '[ .check_runs[] | select(.status!="completed" and .name!="Verify Checks") ] | length' \
)"
sleep 5
done
# Dependabot pull requests require that the README is updated to reflect any version
# changes. The "Terraform Docs" check is used to validate the README has been updated.
# This step will verify no other checks have failed as part of the changes
# introduced by Dependabot.
failed_checks="$( \
curl --silent -L -H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${GH_TOKEN}" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/${{ github.repository }}/commits/${{ github.event.pull_request.head.sha }}/check-runs |
jq '[ .check_runs[] | select(.conclusion=="failure" and .name!="Terraform Docs") ] | length' \
)"
if [ "${failed_checks}" -ne 0 ]; then
echo "::error::Pull request checks have failed for this commit, unable to automatically merge the Dependabot changes."
exit 1
else
exit 0
fi
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
terraform-docs:
name: Update Documentation
needs: verify-checks
runs-on: ubuntu-22.04
if: github.event.pull_request.user.login == 'dependabot[bot]'
steps:
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
with:
ref: ${{ github.event.pull_request.head.ref }}
- name: Generate Docs
uses: terraform-docs/gh-actions@aeae0038ed47a547e0c0fca5c059d3335f48fb25 # v1.3.0
with:
git-push: true
git-commit-message: 'docs: Update README.md'
manage-pull-request:
name: Manage Pull Request
needs: terraform-docs
runs-on: ubuntu-22.04
if: github.event.pull_request.user.login == 'dependabot[bot]'
steps:
- name: Enable auto-merge
run: gh pr merge --auto --squash "${PR_URL}"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Approve
run: gh pr review --approve "${PR_URL}"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
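Review bot: the `if:` guard on all three jobs only tests `github.event.pull_request.user.login == 'dependabot[bot]'`, so with a bare `on: pull_request` trigger the approve and `gh pr merge --auto` steps also run on every later `synchronize` event for the PR, including after someone other than Dependabot pushes commits onto the Dependabot branch; consider additionally requiring `github.actor == 'dependabot[bot]'` (or restricting the event `types`) so that only Dependabot's own pushes get the automatic approval and auto-merge. Two smaller points in the `Verify Checks` step: the `failed_checks` filter `select(.conclusion=="failure" and .name!="Terraform Docs")` ignores runs that ended as `cancelled`, `timed_out` or `action_required`, so those would not block the merge; counting any completed run whose conclusion is not `success`, `skipped` or `neutral` is the safer inversion. And the `while [ "${incomplete_check_runs}" -ne 0 ]` loop has no upper bound, so a check that never completes keeps this job polling until the runner's job timeout; an iteration cap that exits non-zero with a `::error::` message would fail fast instead.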
