diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..4e75b6d
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,37 @@
+version: 2
+
+registries:
+ github:
+ type: git
+ url: https://github.com
+ username: ${{secrets.GH_USER}}
+ password: ${{secrets.GH_TOKEN}}
+
+updates:
+ - package-ecosystem: "gomod"
+ directory: "/"
+ open-pull-requests-limit: 10
+ commit-message:
+ prefix: "(AST-87115) Dependabot (Go) "
+ include: "scope"
+ pull-request-branch-name:
+ separator: "/"
+ registries:
+ - github
+ target-branch: "main"
+ groups:
+ all-go-modules:
+ patterns:
+ - "*"
+ labels:
+ - "bot"
+ - "dependencies"
+ ignore:
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
+ - dependency-name: "github.com/minio/console"
+ - dependency-name: "github.com/minio/minio"
+ schedule:
+ interval: "daily"
+ time: "05:00"
+ timezone: "UTC"
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
new file mode 100644
index 0000000..cb3d170
--- /dev/null
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,16 @@
+name: Dependabot Auto-Merge
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened, ready_for_review]
+ check_suite:
+ types: [completed]
+
+jobs:
+ dependabot-auto-merge:
+ uses: Checkmarx-Containers/containers-github-actions-workflows/.github/workflows/dependabot-auto-merge.yml@main
+ with:
+ service-name: ${{ github.event.repository.name }}
+ timeout-seconds: 2700
+ auto-merge-major: true
+ secrets: inherit
\ No newline at end of file
diff --git a/.github/workflows/dependabot-rebase-conflicts.yml b/.github/workflows/dependabot-rebase-conflicts.yml
new file mode 100644
index 0000000..b56ec2d
--- /dev/null
+++ b/.github/workflows/dependabot-rebase-conflicts.yml
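Review bot: The `ignore` entry `dependency-name: "*"` with `update-types: ["version-update:semver-major"]` suppresses every major-version update, so the `auto-merge-major: true` input passed to the reusable workflow in `.github/workflows/dependabot-auto-merge.yml` in this same commit appears to have nothing to act on; either drop the blanket ignore, set the input to `false`, or document why both are present. The `registries.github` block hands `secrets.GH_USER` and `secrets.GH_TOKEN` to a `type: git` registry for `https://github.com` without saying which private Go modules need it, and the two `github.com/minio/*` ignore entries are equally unexplained; a comment above each, e.g. `# Git credentials so Dependabot can resolve private Go modules on GitHub — TODO confirm which modules` and `# minio/console and minio/minio are held back deliberately — <reason>`, would save the next maintainer a guess. As a style point, the expressions are written `${{secrets.GH_USER}}` without inner spaces while the sibling workflow writes `${{ github.event.repository.name }}`; `${{ secrets.GH_USER }}` keeps the two files consistent.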
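Review bot: The reusable workflow on the `uses:` line is referenced by the mutable `@main` ref and is called with `secrets: inherit`, so any later change to that workflow's main branch runs with every secret of this repository without a change being reviewed here; pin it to a full-length commit SHA and record the version in a comment, e.g. `uses: Checkmarx-Containers/containers-github-actions-workflows/.github/workflows/dependabot-auto-merge.yml@<full-commit-sha>  # <tag or version>`. No top-level `permissions:` block is declared, so the called workflow inherits the repository's default `GITHUB_TOKEN` scope rather than an explicit minimum; declaring only the scopes it needs (presumably `contents: write` and `pull-requests: write` to enable auto-merge — confirm against the reusable workflow) keeps the grant reviewable in this file. The `check_suite: completed` trigger fires for every check suite in the repository, not only those on Dependabot PRs; whether the reusable workflow filters on the PR author is not visible here and is worth confirming. The file also lacks a trailing newline.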
@@ -0,0 +1,61 @@
+name: Dependabot Rebase Conflicts
+
+# Triggers:
+# 1. push to main — a new commit may cause existing Dependabot PRs to conflict.
+# 2. schedule — daily safety-net to catch anything missed by the push trigger.
+on:
+ push:
+ branches: [main]
+ schedule:
+ - cron: "0 8 * * *" # 08:00 UTC, after Dependabot's daily 06:00 run
+ workflow_dispatch:
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ rebase-conflicts:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Rebase conflicting Dependabot PRs
+ run: |
+ # GitHub computes mergeability asynchronously after a push — PRs may briefly
+ # show UNKNOWN before settling to CONFLICTING. We retry for up to 5 minutes
+ # to avoid false negatives on freshly-landed commits.
+ MAX_ATTEMPTS=10
+ SLEEP_SECONDS=30
+
+ for attempt in $(seq 1 $MAX_ATTEMPTS); do
+ echo "Attempt $attempt/$MAX_ATTEMPTS — checking Dependabot PR mergeability..."
+
+ pr_data=$(gh pr list \
+ --repo "$GITHUB_REPOSITORY" \
+ --author "app/dependabot" \
+ --state open \
+ --json number,title,mergeable)
+
+ unknown=$(echo "$pr_data" | jq '[.[] | select(.mergeable == "UNKNOWN")] | length')
+ conflicting=$(echo "$pr_data" | jq -r '.[] | select(.mergeable == "CONFLICTING") | .number')
+
+ if [ "$unknown" -gt 0 ] && [ "$attempt" -lt "$MAX_ATTEMPTS" ]; then
+ echo "$unknown PR(s) still have UNKNOWN mergeability — waiting ${SLEEP_SECONDS}s..."
+ sleep $SLEEP_SECONDS
+ continue
+ fi
+
+ if [ -z "$conflicting" ]; then
+ echo "No conflicting Dependabot PRs found."
+ exit 0
+ fi
+
+ for pr in $conflicting; do
+ echo "Requesting rebase of conflicting Dependabot PR #$pr"
+ gh pr comment "$pr" \
+ --repo "$GITHUB_REPOSITORY" \
+ --body "@dependabot rebase"
+ done
+ exit 0
+ done
+ env:
+ GH_TOKEN: ${{ github.token }}
\ No newline at end of file
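Review bot: The `permissions:` block grants `contents: write`, but the only API calls in the step are `gh pr list` and `gh pr comment`, which appear to need pull-request access only; reducing it to `contents: read` (or omitting it) while keeping `pull-requests: write` follows least privilege for a token that the step exposes via `GH_TOKEN: ${{ github.token }}`. The inline comment on the `cron` line says the run comes "after Dependabot's daily 06:00 run", but `.github/dependabot.yml` in this same commit schedules Dependabot at `time: "05:00"` UTC; one of the two should be corrected so the ordering the comment promises is the one actually configured. `--json number,title,mergeable` requests `title`, which neither `jq` filter reads, so it can be dropped. Whether Dependabot honours an `@dependabot rebase` comment posted by the workflow's own token is not verifiable from this diff and is worth a one-off check before relying on the daily run. The file also lacks a trailing newline.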