Dependabot updates run monthly and attempt to auto-compile dist/

.github/dependabot.yml

@@ -1,6 +1,10 @@
 version: 2
 updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
-      interval: "weekly"
+      interval: "monthly"

.github/workflows/check-dist.yml

@@ -0,0 +1,35 @@
+name: Check dist
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - 'releases/*'
+
+jobs:
+  verify-build: # make sure the checked in dist/ folder matches the output of a rebuild
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Read .nvmrc
+        id: nvm
+        run: echo ::set-output name=NVMRC::$(cat .nvmrc)
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ steps.nvm.outputs.NVMRC }}
+
+      - name: Install NPM dependencies
+        run: npm ci
+
+      - name: Rebuild the dist/ directory
+        run: npm run build
+
+      - name: Compare the expected and actual dist/ directories
+        run: bin/check-diff

.github/workflows/ci.yml

@@ -13,22 +13,24 @@ jobs:
     name: CI
     runs-on: ubuntu-latest
     steps:
-    - name: Check out code
-      uses: actions/checkout@v2
+    - uses: actions/checkout@v3
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+
+    - name: Read .nvmrc
+      id: nvm
+      run: echo ::set-output name=NVMRC::$(cat .nvmrc)
 
-    - name: Setup nodejs
-      uses: actions/setup-node@v2
+    - name: Setup Node.js
+      uses: actions/setup-node@v3
       with:
-        node-version: '16'
+        node-version: ${{ steps.nvm.outputs.NVMRC }}
 
-    - name: Install dependencies
+    - name: Install npm dependencies
       run: npm ci
 
     - name: Run linter
       run: npm run lint
 
     - name: Run tests
       run: npm test
-
-    - name: Verify the build artefact is updated
-      run: npm run build && git diff --quiet

.github/workflows/dependabot-auto-merge.yml

@@ -9,7 +9,7 @@ jobs:
     if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     steps:
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Fetch metadata
         id: metadata
@@ -19,4 +19,4 @@ jobs:
         run: gh pr merge --auto --merge "$PR_URL"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
-          GITHUB_TOKEN: ${{ secrets.AUTOMERGE_PAT }}
+          GITHUB_TOKEN: ${{ secrets.DEPENDABOT_AUTOMATION_PAT }}

.github/workflows/dependabot-build.yml

@@ -0,0 +1,59 @@
+name: Compile dependabot updates
+
+on:
+  pull_request:
+
+permissions:
+  pull-requests: write
+  contents: write
+jobs:
+  fetch-dependabot-metadata:
+    runs-on: ubuntu-latest
+    # We only want to check the metadata on pull_request events from Dependabot itself,
+    # any subsequent pushes to the PR should just skip this step so we don't go into
+    # a loop on commits created by the `build-dependabot-changes` job
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    # Map the step output to a job output for subsequent jobs
+    outputs:
+      dependency-type: ${{ steps.dependabot-metadata.outputs.dependency-type }}
+      package-ecosystem: ${{ steps.dependabot-metadata.outputs.package-ecosystem }}
+    steps:
+      - name: Fetch dependabot metadata
+        id: dependabot-metadata
+        uses: ./
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+  build-dependabot-changes:
+    runs-on: ubuntu-latest
+    needs: [fetch-dependabot-metadata]
+    # We only need to build the dist/ folder if the PR relates a production NPM dependency, otherwise we don't expect changes.
+    if: needs.fetch-dependabot-metadata.output.package-ecosystem == 'npm_and_yarn' && needs.fetch-dependabot-metadata.outputs.dependency-type == 'direct:production'
+    steps:
+      # Check out using a PAT so any pushed changes will trigger checkruns
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          token: ${{ secrets.DEPENDABOT_AUTOMATION_PAT }}
+
+      - name: Read .nvmrc
+        id: nvm
+        run: echo ::set-output name=NVMRC::$(cat .nvmrc)
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ steps.nvm.outputs.NVMRC }}
+
+      - name: Install NPM dependencies
+        run: npm ci
+
+      - name: Rebuild the dist/ directory
+        run: npm run build
+
+      - name: Check in any change to dist/
+        run: |
+          git add dist/
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+          git commit -m "[dependabot skip] Update dist/ with build changes" || exit 0
+          git push

bin/bump-version

@@ -22,7 +22,8 @@ fi
 
 new_version=$(npm version "${patch_level}" --no-git-tag-version)
 git checkout -b "${new_version}"-release-notes
-sed -i "s|dependabot/fetch-metadata@v[0-9.]*|dependabot/fetch-metadata@${new_version}|g" README.md
+sed -i.bak "s|dependabot/fetch-metadata@v[0-9.]*|dependabot/fetch-metadata@v${new_version}|g" "README.md"
+rm README.md.bak
 git add package.json package-lock.json README.md
 git commit -m "${new_version}"
 

bin/check-diff

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Make sure we notice any untracked files generated by the build
+git add --intent-to-add .
+git diff --quiet dist/
+retVal=$?
+if [ $retVal -ne 0 ]; then
+  echo "Detected uncommitted changes after build:"
+  git --no-pager diff dist/
+  exit 1
+fi