From e10dfc617db8f0370d6157ff9b63722df056d912 Mon Sep 17 00:00:00 2001 From: Nish Sinha Date: Mon, 26 Aug 2024 16:47:17 -0400 Subject: [PATCH 1/4] Specify if conditional Also update all fetch-metadata@v1 references to v2 --- README.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index a6e6d6a1..0b4aea36 100644 --- a/README.md +++ b/README.md @@ -14,12 +14,13 @@ Extract information about the dependencies being updated by a Dependabot-generat ## Usage instructions -Create a workflow file that contains a step that uses: `dependabot/fetch-metadata@v1`, e.g. +Create a workflow file that contains a step that uses: `dependabot/fetch-metadata@v2`, e.g. ```yaml -- .github/workflows/dependabot-prs.yml name: Dependabot Pull Request on: pull_request_target +if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo' }} jobs: build: permissions: @@ -28,7 +29,7 @@ jobs: steps: - name: Fetch Dependabot metadata id: dependabot-metadata - uses: dependabot/fetch-metadata@v1 + uses: dependabot/fetch-metadata@v2 with: alert-lookup: true compat-lookup: true @@ -109,11 +110,11 @@ jobs: dependabot: runs-on: ubuntu-latest # Checking the author will prevent your Action run failing on non-Dependabot PRs - if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} + if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo' }} steps: - name: Dependabot metadata id: dependabot-metadata - uses: dependabot/fetch-metadata@v1 + uses: dependabot/fetch-metadata@v2 - uses: actions/checkout@v4 - name: Approve a PR if not already approved run: | 
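Review bot: The `if:` line added between `on: pull_request_target` and `jobs:` in the `@@ -14,12` hunk sits at the top level of the workflow, where GitHub's workflow syntax has no `if` key, so a workflow copied from this snippet would fail validation before any job runs. The condition belongs on the job, as the other examples in this patch already place it, e.g. `jobs:` / `  build:` / `    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'`. The same top-level placement is carried forward unchanged by the `@@ -20,7` hunk of patch 2/4 and the `@@ -19,7` hunk of patch 3/4, so those need the same move. In the `@@ -109,11` hunk the surviving comment `Checking the author will prevent your Action run failing on non-Dependabot PRs` no longer explains the added repository check; extending it with something like `and the repository check stops the job running in forks` would keep the comment accurate. The fenced yaml block in the first hunk continues past the hunk's end.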
@@ -143,11 +144,11 @@ permissions: jobs: dependabot: runs-on: ubuntu-latest - if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} + if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo' }} steps: - name: Dependabot metadata id: dependabot-metadata - uses: dependabot/fetch-metadata@v1 + uses: dependabot/fetch-metadata@v2 - name: Enable auto-merge for Dependabot PRs if: ${{contains(steps.dependabot-metadata.outputs.dependency-names, 'rails') && steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch'}} run: gh pr merge --auto --merge "$PR_URL" @@ -172,11 +173,11 @@ permissions: jobs: dependabot: runs-on: ubuntu-latest - if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} + if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo' }} steps: - name: Dependabot metadata id: dependabot-metadata - uses: dependabot/fetch-metadata@v1 + uses: dependabot/fetch-metadata@v2 - name: Add a label for all production dependencies if: ${{ steps.dependabot-metadata.outputs.dependency-type == 'direct:production' }} run: gh pr edit "$PR_URL" --add-label "production" From af75c3e1a284ae3c9dfecd1a8bb76dab31d7a26c Mon Sep 17 00:00:00 2001 From: Nish Sinha Date: Mon, 26 Aug 2024 17:48:22 -0400 Subject: [PATCH 2/4] Remove ${{ }} --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 0b4aea36..b5754754 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ Create a workflow file that contains a step that uses: `dependabot/fetch-metadat -- .github/workflows/dependabot-prs.yml name: Dependabot Pull Request on: pull_request_target -if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo' }} +if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo' jobs: build: permissions: 
@@ -110,7 +110,7 @@ jobs: dependabot: runs-on: ubuntu-latest # Checking the author will prevent your Action run failing on non-Dependabot PRs - if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo' }} + if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo' steps: - name: Dependabot metadata id: dependabot-metadata @@ -144,7 +144,7 @@ permissions: jobs: dependabot: runs-on: ubuntu-latest - if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo' }} + if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo' steps: - name: Dependabot metadata id: dependabot-metadata @@ -173,7 +173,7 @@ permissions: jobs: dependabot: runs-on: ubuntu-latest - if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo' }} + if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo' steps: - name: Dependabot metadata id: dependabot-metadata From 9e29706b9bb87cae05297a953ea26b741f61b99f Mon Sep 17 00:00:00 2001 From: Nish Sinha Date: Mon, 26 Aug 2024 17:49:24 -0400 Subject: [PATCH 3/4] pull_request_target -> pull_request --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index b5754754..b844e0ca 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ Create a workflow file that contains a step that uses: `dependabot/fetch-metadat ```yaml -- .github/workflows/dependabot-prs.yml name: Dependabot Pull Request -on: pull_request_target +on: pull_request if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo' jobs: build: 
@@ -103,7 +103,7 @@ have a permissive auto-approval on all Dependabot PRs like so: ```yaml name: Dependabot auto-approve -on: pull_request_target +on: pull_request permissions: pull-requests: write jobs: @@ -137,7 +137,7 @@ For example, if you want to automatically merge all patch updates to Rails: ```yaml name: Dependabot auto-merge -on: pull_request_target +on: pull_request permissions: pull-requests: write contents: write @@ -165,7 +165,7 @@ For example, if you want to flag all production dependency updates with a label: ```yaml name: Dependabot auto-label -on: pull_request_target +on: pull_request permissions: pull-requests: write issues: write From 46e21c91ff7b6e754570f8a073225f41cd38e2cc Mon Sep 17 00:00:00 2001 From: Nish Sinha Date: Mon, 26 Aug 2024 17:55:25 -0400 Subject: [PATCH 4/4] Add the pull_request_target permissions note --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index b844e0ca..34aa7414 100644 --- a/README.md +++ b/README.md @@ -93,6 +93,8 @@ Subsequent actions will have access to the following outputs: **Note:** By default, these outputs will only be populated if the target Pull Request was opened by Dependabot and contains **only** Dependabot-created commits. To override, see `skip-commit-verification` / `skip-verification`. +For workflows initiated by Dependabot (`github.actor == 'dependabot[bot]'`) using the `pull_request_target` event, if the base ref of the pull request was created by Dependabot (`github.event.pull_request.user.login == 'dependabot[bot]'`), the `GITHUB_TOKEN` will be read-only and secrets are not available. + This metadata can be used along with Action's [expression syntax](https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#functions) and the [GitHub CLI](https://github.com/cli/cli) to create useful automation for your Dependabot PRs.