-
Notifications
You must be signed in to change notification settings - Fork 542
83 lines (68 loc) · 3.43 KB
/
dependabot_reviewer.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
# Auto-merge as documented in official Github docs
# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
name: Auto-review Dependabot PRs
on: pull_request_target
permissions:
pull-requests: write
contents: write
jobs:
dependabot-reviewer:
runs-on: ubuntu-latest
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- name: Dependabot metadata
id: metadata
uses: dependabot/[email protected]
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"
- name: Check allowlist
id: check-allowlist
if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
run: |
cfg_path=".github/workflows/allowlist.json"
IFS=', ' read -r -a libsUpdated <<< "${{ steps.metadata.outputs.dependency-names }}"
# Loop through the array to make sure all updated libraries are in the allowlist
all_in_allowlist="true"
reason_array=()
# If any element is not in the allowlist, set the flag to false
for lib in "${libsUpdated[@]}"; do
exists=$(jq --arg lib "$lib" 'any(.[]; .name == $lib)' $cfg_path)
if [[ "$exists" != "true" ]]; then
all_in_allowlist="false"
break
else
reason_array+=("$(jq -r --arg lib "$lib" '.[] | select(.name == $lib) | .reason' $cfg_path)")
fi
done
if [[ "$all_in_allowlist" == "true" ]]; then
reasons=$(IFS=','; echo "${reason_array[*]}")
echo "reasons=$reasons" >> $GITHUB_OUTPUT
echo "allInAllowlist=true" >> $GITHUB_OUTPUT
else
echo "allInAllowlist=false" >> $GITHUB_OUTPUT
fi
- name: Approve and auto-merge
if: steps.check-allowlist.conclusion == 'success' && steps.check-allowlist.outputs.allInAllowlist == 'true'
run: |
gh pr merge --auto --squash "$PR_URL"
gh pr review $PR_URL \
--approve -b "**I'm approving** this pull request because it includes a patch or minor \
update to dependencies that are already in the allowlist.
The reason this library is in the allowlist is that ${{ steps.check-allowlist.outputs.reasons}}"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GH_BOT_ACCESS_TOKEN}}
- name: Manual review is required
if: steps.check-allowlist.conclusion != 'success' || steps.check-allowlist.outputs.allInAllowlist == 'false'
run: |
gh pr comment $PR_URL --body "**This library is not auto-approved**
Unfortunately, this library is a major version update or it is not included in our allowlist, which means it cannot be auto-approved. \
If you believe it should be considered for auto-approval, please open a pull request to add \
it to the allowlist configuration.
To add this library to the allowlist, please modify the [allowlist.json](https://github.com/grafana/mimir/tree/main/.github/workflows/allowlist.json) file and \
include the necessary details for review."
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}