diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index aff82a10..6a49d058 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,6 +1,10 @@
 version: 2
 updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "monthly"
 - package-ecosystem: "npm"
 directory: "/"
 schedule:
- interval: "weekly"
+ interval: "monthly"
diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml
new file mode 100644
index 00000000..0b43e054
--- /dev/null
+++ b/.github/workflows/check-dist.yml
@@ -0,0 +1,35 @@
+name: Check dist
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+ - 'releases/*'
+
+jobs:
+ verify-build: # make sure the checked in dist/ folder matches the output of a rebuild
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - name: Read .nvmrc
+ id: nvm
+ run: echo ::set-output name=NVMRC::$(cat .nvmrc)
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v3
+ with:
+ node-version: ${{ steps.nvm.outputs.NVMRC }}
+
+ - name: Install NPM dependencies
+ run: npm ci
+
+ - name: Rebuild the dist/ directory
+ run: npm run build
+
+ - name: Compare the expected and actual dist/ directories
+ run: bin/check-diff
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 56d5b844..d0e93b3b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,15 +13,20 @@ jobs:
 name: CI
 runs-on: ubuntu-latest
 steps:
- - name: Check out code
- uses: actions/checkout@v2
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - name: Read .nvmrc
+ id: nvm
+ run: echo ::set-output name=NVMRC::$(cat .nvmrc)
- - name: Setup nodejs
- uses: actions/setup-node@v2
+ - name: Setup Node.js
+ uses: actions/setup-node@v3
 with:
- node-version: '16'
+ node-version: ${{ steps.nvm.outputs.NVMRC }}
- - name: Install dependencies
+ - name: Install npm dependencies
 run: npm ci
 - name: Run linter
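Review bot: This workflow declares no `permissions:` block, so the job that runs `npm ci` and `npm run build` — package scripts taken from the pull request's own tree — receives whatever default `GITHUB_TOKEN` rights the repository is configured with, which can include write access for same-repository branches; nothing in the job needs more than a checkout, so add a top-level `permissions:` with `contents: read`. The `Read .nvmrc` step relies on `::set-output`, which GitHub has deprecated in favour of writing to `$GITHUB_OUTPUT`; setup-node@v3 can read the file directly, so the step can be removed and the setup step given `node-version-file: '.nvmrc'` in place of `node-version: ${{ steps.nvm.outputs.NVMRC }}`. If the step is kept instead, `run: echo "NVMRC=$(cat .nvmrc)" >> "$GITHUB_OUTPUT"` is the supported form.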
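Review bot: `ref: ${{ github.event.pull_request.head.sha }}` on the new checkout step makes pull-request runs build the PR's head commit rather than the merge commit checkout@v3 uses by default, so the lint and test results no longer say anything about the PR combined with the current base branch. If that is deliberate (the `dist/` comparison needs the exact head), a short comment on the `with:` block saying so would spare the next reader the question; on `push` events the expression is empty and the default ref is used, which is fine. The `Read .nvmrc` step also uses the deprecated `::set-output` command; the smaller change is to drop it and let setup-node read the file, `node-version-file: '.nvmrc'` in place of `node-version: ${{ steps.nvm.outputs.NVMRC }}`. The CI job's remaining steps continue past the end of this hunk.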
@@ -29,6 +34,3 @@ jobs:
 - name: Run tests
 run: npm test
-
- - name: Verify the build artefact is updated
- run: npm run build && git diff --quiet
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 418e6db9..cd67ab7f 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -9,7 +9,7 @@ jobs:
 if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
 steps:
 - name: Check out code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 - name: Fetch metadata
 id: metadata
@@ -19,4 +19,4 @@ jobs:
 run: gh pr merge --auto --merge "$PR_URL"
 env:
 PR_URL: ${{ github.event.pull_request.html_url }}
- GITHUB_TOKEN: ${{ secrets.AUTOMERGE_PAT }}
+ GITHUB_TOKEN: ${{ secrets.DEPENDABOT_AUTOMATION_PAT }}
diff --git a/.github/workflows/dependabot-build.yml b/.github/workflows/dependabot-build.yml
new file mode 100644
index 00000000..52f56c05
--- /dev/null
+++ b/.github/workflows/dependabot-build.yml
@@ -0,0 +1,59 @@
+name: Compile dependabot updates
+
+on:
+ pull_request:
+
+permissions:
+ pull-requests: write
+ contents: write
+jobs:
+ fetch-dependabot-metadata:
+ runs-on: ubuntu-latest
+ # We only want to check the metadata on pull_request events from Dependabot itself,
+ # any subsequent pushes to the PR should just skip this step so we don't go into
+ # a loop on commits created by the `build-dependabot-changes` job
+ if: ${{ github.actor == 'dependabot[bot]' }}
+ # Map the step output to a job output for subsequent jobs
+ outputs:
+ dependency-type: ${{ steps.dependabot-metadata.outputs.dependency-type }}
+ package-ecosystem: ${{ steps.dependabot-metadata.outputs.package-ecosystem }}
+ steps:
+ - name: Fetch dependabot metadata
+ id: dependabot-metadata
+ uses: ./
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+ build-dependabot-changes:
+ runs-on: ubuntu-latest
+ needs: [fetch-dependabot-metadata]
+ # We only need to build the dist/ folder if the PR relates a production NPM dependency, otherwise we don't expect changes.
+ if: needs.fetch-dependabot-metadata.output.package-ecosystem == 'npm_and_yarn' && needs.fetch-dependabot-metadata.outputs.dependency-type == 'direct:production'
+ steps:
+ # Check out using a PAT so any pushed changes will trigger checkruns
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ token: ${{ secrets.DEPENDABOT_AUTOMATION_PAT }}
+
+ - name: Read .nvmrc
+ id: nvm
+ run: echo ::set-output name=NVMRC::$(cat .nvmrc)
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v3
+ with:
+ node-version: ${{ steps.nvm.outputs.NVMRC }}
+
+ - name: Install NPM dependencies
+ run: npm ci
+
+ - name: Rebuild the dist/ directory
+ run: npm run build
+
+ - name: Check in any change to dist/
+ run: |
+ git add dist/
+ git config user.name github-actions
+ git config user.email github-actions@github.com
+ git commit -m "[dependabot skip] Update dist/ with build changes" || exit 0
+ git push
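Review bot: The `if:` on `build-dependabot-changes` reads `needs.fetch-dependabot-metadata.output.package-ecosystem` — `output` without the `s`, unlike the second operand — so that side evaluates to empty, the condition is never true and `dist/` is never rebuilt; the line should read `if: needs.fetch-dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn' && needs.fetch-dependabot-metadata.outputs.dependency-type == 'direct:production'`. The first job also runs `uses: ./` with no `actions/checkout` step ahead of it, and a local action is resolved from the workspace, so I would expect that job to fail before it produces any outputs; add `- uses: actions/checkout@v3` as its first step. Separately, the build job checks out with `DEPENDABOT_AUTOMATION_PAT` (which actions/checkout persists into `.git/config` by default) and then runs `npm ci`/`npm run build` on the freshly bumped dependency, so that dependency's lifecycle scripts execute with the PAT on disk; keep the PAT fine-grained and scoped to this repository's contents, and consider `npm ci --ignore-scripts` if the build tolerates it. A comment on the `token:` line stating that trade-off would help the next maintainer.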
diff --git a/bin/bump-version b/bin/bump-version
index 573bb2e2..1873df19 100755
--- a/bin/bump-version
+++ b/bin/bump-version
@@ -22,7 +22,8 @@ fi
 new_version=$(npm version "${patch_level}" --no-git-tag-version)
 git checkout -b "${new_version}"-release-notes
-sed -i "s|dependabot/fetch-metadata@v[0-9.]*|dependabot/fetch-metadata@${new_version}|g" README.md
+sed -i.bak "s|dependabot/fetch-metadata@v[0-9.]*|dependabot/fetch-metadata@v${new_version}|g" "README.md"
+rm README.md.bak
 git add package.json package-lock.json README.md
 git commit -m "${new_version}"
diff --git a/bin/check-diff b/bin/check-diff
new file mode 100755
index 00000000..c68ccf20
--- /dev/null
+++ b/bin/check-diff
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Make sure we notice any untracked files generated by the build
+git add --intent-to-add .
+git diff --quiet dist/
+retVal=$?
+if [ $retVal -ne 0 ]; then
+ echo "Detected uncommitted changes after build:"
+ git --no-pager diff dist/
+ exit 1
+fi
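Review bot: The added `v` in `dependabot/fetch-metadata@v${new_version}` is very likely doubled, because every `npm version` release I know of prints the bumped version already prefixed with `v` (that prefix is also what names the `${new_version}-release-notes` branch and the commit message), which would leave the README pointing at `@vv1.3.0`. Strip any existing prefix before re-adding it, `dependabot/fetch-metadata@v${new_version#v}`, which is correct whichever form npm prints. The `-i.bak` plus `rm` pair is the portable way to get in-place editing on both BSD and GNU sed, so that part reads fine. The script continues outside this hunk.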
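Review bot: `git add --intent-to-add .` records every untracked file in the whole working tree in the index although only `dist/` is compared afterwards, and when the script is run outside CI it leaves those intent-to-add entries behind in the developer's index; narrowing it to `git add --intent-to-add dist/` keeps the side effect to the directory under test. The separate `retVal=$?` capture can be folded into the test itself, `if ! git diff --quiet dist/; then`, which is the usual shell idiom and behaves the same. The absence of `set -e` is correct here, since the non-zero exit of `git diff --quiet` is the signal being inspected; a comment saying so, `# no set -e: the diff exit status is the result we inspect`, would stop someone adding it later.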