restore dependabot auto merging using the workflow_run event #759

Status: Merged (1 commit), Aug 9, 2021

Conversation

@bendavies (Contributor) commented Aug 4, 2021

This pull request restores the auto-merging of dependabot PRs.

The event is switched to workflow_run, which runs with write permissions, so secrets (ERGEBNIS_BOT_TOKEN) are available in the run.

For more information, see: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

I have been unable to retain all conditions of the previous if statement, namely these:

    if: >
...
      github.event.pull_request.draft == false && (
        github.event.action == 'opened' ||
        github.event.action == 'reopened' ||
        github.event.action == 'synchronize'
      ) && (
...
        (github.actor == 'localheinz' && contains(github.event.pull_request.labels.*.name, 'merge'))
      )

An alternative will have to be found if these are critical.

Thanks!
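The two-workflow split the description refers to, as an added example that is not the workflow merged in this PR: the test workflow runs on pull_request without secrets, and a second workflow reacts to its completion through workflow_run. The two files are shown in one block separated by `---`; the `make test` command is an assumption, while the secret name ERGEBNIS_BOT_TOKEN comes from the description above.

```yaml
# Added example, not the workflow merged in this PR. Two workflow files: the
# first runs on pull_request with no secrets, the second on workflow_run.
# Assumption: the project has a "make test" target.
name: "Integrate"
on:
  pull_request: null
permissions:
  contents: read          # untrusted PR code runs here with a read-only token
jobs:
  tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: make test
---
# Trusted side: triggered when "Integrate" completes. It runs in the context
# of the default branch, so repository secrets are available, and it never
# checks out or executes code from the pull request.
name: "Merge"
on:
  workflow_run:
    workflows: ["Integrate"]
    types: [completed]
permissions:
  contents: read
jobs:
  merge:
    runs-on: ubuntu-latest
    # Merge only when the untrusted run passed, was a pull_request run and
    # was started by dependabot. The draft and label conditions from the old
    # pull_request-based job are not part of the workflow_run payload and
    # would need a separate API lookup (not shown).
    if: >
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.actor.login == 'dependabot[bot]'
    steps:
      - name: Merge via the GitHub API
        env:
          GH_TOKEN: ${{ secrets.ERGEBNIS_BOT_TOKEN }}
          PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
        run: |
          gh pr merge "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --squash
```

The pull_requests array in the workflow_run payload is empty for runs triggered from forks, so the merge step would need a guard or an API lookup before it handles those.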

codecov bot commented Aug 4, 2021

Codecov Report

Merging #759 (718e422) into main (2a2f779) will not change coverage.
The diff coverage is n/a.

❗ Current head 718e422 differs from pull request most recent head 63a186a. Consider uploading reports for the commit 63a186a to get more accurate results

@@             Coverage Diff             @@
##                main      #759   +/-   ##
===========================================
  Coverage     100.00%   100.00%           
  Complexity         3         3           
===========================================
  Files              1         1           
  Lines              6         6           
===========================================
  Hits               6         6           


@bendavies bendavies force-pushed the restore-dependabot-automerge branch 4 times, most recently from 22f6752 to c0ea014 Compare August 4, 2021 07:54
@bendavies (Contributor, Author) commented:

I'm not sure I understand the YAML link error. Can you explain?

@bendavies bendavies force-pushed the restore-dependabot-automerge branch from c0ea014 to de5e110 Compare August 4, 2021 07:57
@bendavies bendavies force-pushed the restore-dependabot-automerge branch from de5e110 to c6eac91 Compare August 4, 2021 10:50
@localheinz localheinz force-pushed the restore-dependabot-automerge branch from c6eac91 to f52904d Compare August 9, 2021 10:08
@localheinz localheinz force-pushed the restore-dependabot-automerge branch from f52904d to 63a186a Compare August 9, 2021 10:08
@localheinz localheinz self-assigned this Aug 9, 2021
@localheinz (Member) left a comment:

Let's give this a try!

@localheinz localheinz merged commit 0c2cd75 into ergebnis:main Aug 9, 2021
@localheinz (Member) commented:

Thank you, @bendavies and @Lctrs!
