ci(workflows): add dependabot-dedupe

- dependabot/dependabot-core#5830 - partially replaces `dependabot-auto` Signed-off-by: Lexus Drumgold <unicornware@flexdevelopment.llc>
flex-development · Oct 22, 2023 · 8170104 · 8170104
1 parent d2cd2d5
commit 8170104
Show file tree

Hide file tree

Showing 8 changed files with 83 additions and 90 deletions.
diff --git a/.dictionary.txt b/.dictionary.txt
@@ -40,6 +40,7 @@ sortbrk
 sortcmt
 sortgrp
 stringafiable
+tohgarashi
 tryit
 tscu
 unstub

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -8,7 +8,7 @@
 version: 2
 registries:
   github:
-    token: ${{ secrets.PAT_BOT }}
+    token: ${{ secrets.PAT_REPO }}
     type: npm-registry
     url: https://npm.pkg.github.com
 updates:
@@ -22,7 +22,6 @@ updates:
       - type:ci
     reviewers:
       - flex-development/dependabot-review
-      - flexdevelopment
     schedule:
       interval: daily
   - package-ecosystem: npm
@@ -65,6 +64,5 @@ updates:
       - github
     reviewers:
       - flex-development/dependabot-review
-      - flexdevelopment
     schedule:
       interval: daily
diff --git a/.github/infrastructure.yml b/.github/infrastructure.yml
@@ -48,7 +48,7 @@ branches:
           - context: codecov/project/providers
             app_id: 254
           - context: commitlint
-          - context: dependabot-auto
+          - context: dependabot-dedupe
           - context: format
           - context: gitguardian
           - context: lint

diff --git a/.github/workflows/dependabot-auto.yml b/.github/workflows/dependabot-auto.yml
diff --git a/.github/workflows/dependabot-dedupe.yml b/.github/workflows/dependabot-dedupe.yml
@@ -0,0 +1,77 @@
+# Dependabot Dedupe
+#
+# Deduplicate dependencies for @dependabot.
+#
+# Note: This workflow can be removed once dependabot supports some type of automatic deduplication.
+# See https://github.com/dependabot/dependabot-core/issues/5830 for details.
+#
+# References:
+#
+# - https://docs.github.com/actions/learn-github-actions/contexts
+# - https://docs.github.com/actions/learn-github-actions/expressions
+# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#pull_request
+# - https://docs.github.com/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
+# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request
+# - https://github.com/actions/checkout
+# - https://github.com/actions/create-github-app-token
+# - https://github.com/actions/setup-node
+# - https://github.com/actions/setup-node/blob/main/docs/advanced-usage.md#yarn2-configuration
+# - https://github.com/hmarr/debug-action
+# - https://github.com/tohgarashi/verified-commit
+
+---
+name: dependabot-dedupe
+on:
+  push:
+    branches:
+      - dependabot/npm_and_yarn/**
+    paths:
+      - package.json
+concurrency:
+  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.ref }}
+jobs:
+  dependabot-dedupe:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - id: debug
+        name: Print environment variables and event payload
+        uses: hmarr/debug-action@v2.1.0
+      - id: bot-token
+        name: Get bot token
+        uses: actions/create-github-app-token@v1.5.0
+        with:
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_PRIVATE_KEY }}
+      - id: checkout
+        name: Checkout ${{ github.ref_name }}
+        uses: actions/checkout@v4.1.1
+        with:
+          persist-credentials: false
+          ref: ${{ github.ref }}
+          token: ${{ steps.bot-token.outputs.token }}
+      - id: node
+        name: Setup Node.js
+        uses: actions/setup-node@v3.8.1
+        with:
+          cache: yarn
+          cache-dependency-path: yarn.lock
+          node-version-file: .nvmrc
+      - id: dedupe
+        name: Deduplicate dependencies
+        env:
+          GITHUB_TOKEN: ${{ steps.bot-token.outputs.token }}
+          YARN_ENABLE_GLOBAL_CACHE: true
+          YARN_ENABLE_IMMUTABLE_INSTALLS: false
+          YARN_ENABLE_SCRIPTS: false
+        run: yarn dedupe --mode=update-lockfile
+      - id: commit
+        name: Commit and push yarn.lock
+        uses: tohgarashi/verified-commit@v2.1.0
+        env:
+          GH_TOKEN: ${{ steps.bot-token.outputs.token }}
+        with:
+          commit-message: 'build(yarn): [dependabot skip] deduplicate dependencies for @dependabot'
+          detect-changed: true
+          ref: ${{ github.ref }}
diff --git a/.npmrc b/.npmrc
@@ -1,5 +1,5 @@
 # https://docs.npmjs.com/cli/configuring-npm/npmrc
 
 @flex-development:registry=https://npm.pkg.github.com
-//npm.pkg.github.com/:_authToken=${PAT_BOT}
+//npm.pkg.github.com/:_authToken=${PAT_REPO}
 //npm.pkg.github.com/:always-auth=true
diff --git a/.yarnrc.yml b/.yarnrc.yml
@@ -27,7 +27,7 @@ nodeLinker: node-modules
 npmScopes:
   flex-development:
     npmAlwaysAuth: true
-    npmAuthToken: ${GITHUB_TOKEN:-$PAT_BOT}
+    npmAuthToken: ${GITHUB_TOKEN:-$PAT_REPO}
     npmRegistryServer: https://npm.pkg.github.com
 
 patchFolder: ./patches

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -106,9 +106,8 @@ Follow the steps below to setup your local development environment:
 | `CODECOV_TOKEN`     |
 | `GITHUB_TOKEN`      |
 | `HOMEBREW_BREWFILE` |
-| `NODE_ENV`          |
 | `NODE_NO_WARNINGS`  |
-| `PAT_BOT`           |
+| `PAT_REPO`          |
 | `ZSH_DOTENV_FILE`   |
 
 #### GitHub Actions