From 083b8484d845568e1ee00eaa2073e0b6b1f54ba9 Mon Sep 17 00:00:00 2001
From: Barry Gordon
Date: Tue, 19 Apr 2022 17:54:54 +0100
Subject: [PATCH 1/7] Dependabot checks monthly, and checks GitHub Actions
---
 .github/dependabot.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index aff82a10..6a49d058 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,6 +1,10 @@
 version: 2
 updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "monthly"
 - package-ecosystem: "npm"
 directory: "/"
 schedule:
- interval: "weekly"
+ interval: "monthly"
From 6790cb69edfa89607cc380a9d0809534d365d8f5 Mon Sep 17 00:00:00 2001
From: Barry Gordon
Date: Tue, 19 Apr 2022 18:22:23 +0100
Subject: [PATCH 2/7] Use a separate workflow to check the diff compilation
---
 .github/workflows/check-dist.yml | 35 ++++++++++++++++++++++++++++++++
 .github/workflows/ci.yml | 20 ++++++++++--------
 bin/check-diff | 11 ++++++++++
 3 files changed, 57 insertions(+), 9 deletions(-)
 create mode 100644 .github/workflows/check-dist.yml
 create mode 100755 bin/check-diff
diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml
new file mode 100644
index 00000000..9c2d8767
--- /dev/null
+++ b/.github/workflows/check-dist.yml
@@ -0,0 +1,35 @@ +name: Check dist + +on: + pull_request: + push: + branches: + - main + - 'releases/*' + +jobs: + verify-build: # make sure the checked in dist/ folder matches the output of a rebuild + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Read .nvmrc + id: nvm + run: echo ::set-output name=NVMRC::$(cat .nvmrc) + + - name: Setup Node.js + uses: actions/setup-node@v3 + with: + node-version: ${{ steps.nvm.outputs.NVMRC }} + + - name: Install NPM dependencies + run: npm ci + + - name: Rebuild the dist/ directory + run: npm run build + + - name: Compare the expected and actual dist/ directories + run: script/check-diff diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 56d5b844..21c8414d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,15 +13,20 @@ jobs: name: CI runs-on: ubuntu-latest steps: - - name: Check out code - uses: actions/checkout@v2 + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Read .nvmrc + id: nvm + run: echo ::set-output name=NVMRC::$(cat .nvmrc) - - name: Setup nodejs - uses: actions/setup-node@v2 + - name: Setup Node.js + uses: actions/setup-node@v3 with: - node-version: '16' + node-version: ${{ steps.nvm.outputs.NVMRC }} - - name: Install dependencies + - name: Install NPM dependencies run: npm ci - name: Run linter @@ -29,6 +34,3 @@ jobs: - name: Run tests run: npm test - - - name: Verify the build artefact is updated - run: npm run build && git diff --quiet diff --git a/bin/check-diff b/bin/check-diff new file mode 100755 index 00000000..c68ccf20 --- /dev/null +++ b/bin/check-diff @@ -0,0 +1,11 @@ +#!/bin/bash + +# Make sure we notice any untracked files generated by the build +git add --intent-to-add . +git diff --quiet dist/ +retVal=$? +if [ $retVal -ne 0 ]; then + echo "Detected uncommitted changes after build:" + git --no-pager diff dist/ + exit 1 +fi 
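Review bot: The new `.github/workflows/check-dist.yml` declares no `permissions:` block, so its job runs with whatever default `GITHUB_TOKEN` scope the repository grants even though it only reads the code; a top-level `permissions:` entry with `contents: read` would pin it to least privilege. The `Read .nvmrc` step echoes the unquoted contents of a file that comes from the pull request into a `::set-output` workflow command, so a multi-line or malformed `.nvmrc` reaches the runner's command parser. `actions/setup-node@v3` accepts `node-version-file: '.nvmrc'`, which would make that step unnecessary. The same step is added to `.github/workflows/ci.yml` in this patch and to `dependabot-build.yml` in patch 4/7.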
From 2017141629ee12acc17066479adb0736acb78fb5 Mon Sep 17 00:00:00 2001 From: Barry Gordon Date: Tue, 19 Apr 2022 18:25:53 +0100 Subject: [PATCH 3/7] Fix sed command for OSX --- bin/bump-version | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bin/bump-version b/bin/bump-version index 573bb2e2..1873df19 100755 --- a/bin/bump-version +++ b/bin/bump-version @@ -22,7 +22,8 @@ fi new_version=$(npm version "${patch_level}" --no-git-tag-version) git checkout -b "${new_version}"-release-notes -sed -i "s|dependabot/fetch-metadata@v[0-9.]*|dependabot/fetch-metadata@${new_version}|g" README.md +sed -i.bak "s|dependabot/fetch-metadata@v[0-9.]*|dependabot/fetch-metadata@v${new_version}|g" "README.md" +rm README.md.bak git add package.json package-lock.json README.md git commit -m "${new_version}" From f9682a0a6a41433e30571f0f28c0f9055f0392ee Mon Sep 17 00:00:00 2001 From: Barry Gordon Date: Tue, 19 Apr 2022 18:30:44 +0100 Subject: [PATCH 4/7] Add a workflow to compile dist/ for Dependabot PRs --- .github/workflows/dependabot-build.yml | 59 ++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 .github/workflows/dependabot-build.yml diff --git a/.github/workflows/dependabot-build.yml b/.github/workflows/dependabot-build.yml new file mode 100644 index 00000000..e4c03ded --- /dev/null +++ b/.github/workflows/dependabot-build.yml 
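Review bot: In `bin/bump-version` the replacement text now puts a literal `v` in front of `${new_version}`, but `npm version` by default prints the new version with a leading `v` already, and the branch name and commit message in the same hunk use `${new_version}` bare. If that holds here, README.md ends up with `dependabot/fetch-metadata@vv…`, which the `@v[0-9.]*` pattern will not match on the next bump. Keeping the portable `-i.bak` form but dropping the extra `v` avoids that: `sed -i.bak "s|dependabot/fetch-metadata@v[0-9.]*|dependabot/fetch-metadata@${new_version}|g" README.md`. The script continues above and below the hunk, so any custom version-prefix configuration cannot be checked from here.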
@@ -0,0 +1,59 @@
+name: Compile dependabot updates
+
+on:
+ pull_request:
+
+permissions:
+ pull-requests: write
+ contents: write
+jobs:
+ fetch-dependabot-metadata:
+ runs-on: ubuntu-latest
+ # We only want to check the metadata on pull_request events from Dependabot itself,
+ # any subsequent pushes to the PR should just skip this step so we don't go into
+ # a loop on commits created by the `build-dependabot-changes` job
+ if: ${{ github.actor == 'dependabot[bot]' }}
+ # Map the step output to a job output for subsequent jobs
+ outputs:
+ dependency-type: ${{ steps.dependabot-metadata.outputs.dependency-type }}
+ package-ecosystem: ${{ steps.dependabot-metadata.outputs.package-ecosystem }}
+ steps:
+ - name: Fetch dependabot metadata
+ id: dependabot-metadata
+ uses: ./
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+ build-dependabot-changes:
+ runs-on: ubuntu-latest
+ needs: [fetch-dependabot-metadata]
+ # We only need to build the dist/ folder if the PR relates a production NPM dependency, otherwise we don't expect changes.
+ if: needs.fetch-dependabot-metadata.output.package-ecosystem == 'npm_and_yarn' && needs.fetch-dependabot-metadata.outputs.dependency-type == 'direct:production'
+ steps:
+ # Check out using a PAT so any pushed changes will trigger checkruns
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ token: ${{ secrets.DEPENDABOT_AUTOBUILD }}
+
+ - name: Read .nvmrc
+ id: nvm
+ run: echo ::set-output name=NVMRC::$(cat .nvmrc)
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v3
+ with:
+ node-version: ${{ steps.nvm.outputs.NVMRC }}
+
+ - name: Install NPM dependencies
+ run: npm ci
+
+ - name: Rebuild the dist/ directory
+ run: npm run build
+
+ - name: Check in any change to dist/
+ run: |
+ git add dist/
+ git config user.name github-actions
+ git config user.email github-actions@github.com
+ git commit -m "[dependabot skip] Update dist/ with build changes" || exit 0
+ git push
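Review bot: The `build-dependabot-changes` job in `dependabot-build.yml` checks out with `secrets.DEPENDABOT_AUTOBUILD` and then runs `npm ci` and `npm run build` on the freshly bumped dependency, so that package's install scripts execute on a runner where `actions/checkout` has, by default, left the PAT in the local git config. Setting `persist-credentials: false` on the checkout, running `npm ci --ignore-scripts` if the build tolerates it, and supplying the token only to the final push step would keep it out of reach of third-party code. Separately, the job's `if:` reads `needs.fetch-dependabot-metadata.output.package-ecosystem`; the context key is `outputs`, so as written the comparison sees an empty value and the job is skipped, and it should read `needs.fetch-dependabot-metadata.outputs.package-ecosystem == 'npm_and_yarn'`. The `fetch-dependabot-metadata` job also runs `uses: ./` with no checkout step before it, and a local action can only be resolved from a checked-out workspace.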
From a5e702392a6fae529d026b0b74e5142cfe3bbba8 Mon Sep 17 00:00:00 2001 From: Barry Gordon Date: Tue, 19 Apr 2022 18:35:59 +0100 Subject: [PATCH 5/7] Use a single automation PAT --- .github/workflows/dependabot-auto-merge.yml | 4 ++-- .github/workflows/dependabot-build.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index 418e6db9..cd67ab7f 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -9,7 +9,7 @@ jobs: if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} steps: - name: Check out code - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Fetch metadata id: metadata @@ -19,4 +19,4 @@ jobs: run: gh pr merge --auto --merge "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} - GITHUB_TOKEN: ${{ secrets.AUTOMERGE_PAT }} + GITHUB_TOKEN: ${{ secrets.DEPENDABOT_AUTOMATION_PAT }} diff --git a/.github/workflows/dependabot-build.yml b/.github/workflows/dependabot-build.yml index e4c03ded..52f56c05 100644 --- a/.github/workflows/dependabot-build.yml +++ b/.github/workflows/dependabot-build.yml @@ -33,7 +33,7 @@ jobs: - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.ref }} - token: ${{ secrets.DEPENDABOT_AUTOBUILD }} + token: ${{ secrets.DEPENDABOT_AUTOMATION_PAT }} - name: Read .nvmrc id: nvm From a20aed188f9c4b5898cb87397ef4a23af097701d Mon Sep 17 00:00:00 2001 From: Barry Gordon Date: Tue, 19 Apr 2022 18:38:37 +0100 Subject: [PATCH 6/7] Fix script path --- .github/workflows/check-dist.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml index 9c2d8767..0b43e054 100644 --- a/.github/workflows/check-dist.yml +++ b/.github/workflows/check-dist.yml 
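Review bot: Replacing `AUTOMERGE_PAT` in `dependabot-auto-merge.yml` and `DEPENDABOT_AUTOBUILD` in `dependabot-build.yml` with one `DEPENDABOT_AUTOMATION_PAT` means a single token must carry both the right to enable auto-merge and the right to push to pull-request branches, and the build workflow hands it to a job that installs and builds updated dependencies. The token's scopes are not visible in the patch, so this may already be accounted for, but a leak from either workflow now exposes both capabilities. Keeping two narrowly scoped tokens, or at least recording the required scopes next to each use with a comment such as `# DEPENDABOT_AUTOMATION_PAT needs: push to PR branches, enable auto-merge; nothing else`, would make the intended privilege reviewable.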
@@ -32,4 +32,4 @@ jobs: run: npm run build - name: Compare the expected and actual dist/ directories - run: script/check-diff + run: bin/check-diff From 221b2c09c5158818108a34d1879fc1ae136ecc68 Mon Sep 17 00:00:00 2001 From: Barry Gordon <896971+brrygrdn@users.noreply.github.com> Date: Tue, 19 Apr 2022 20:01:37 +0100 Subject: [PATCH 7/7] Prefer npm to NPM Co-authored-by: Jurre --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 21c8414d..d0e93b3b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,7 +26,7 @@ jobs: with: node-version: ${{ steps.nvm.outputs.NVMRC }} - - name: Install NPM dependencies + - name: Install npm dependencies run: npm ci - name: Run linter