
Set up an auto-update workflow for gha.sum on Pull Requests from Dependabot #44

Merged
merged 1 commit into main from auto-update-checksums
Mar 23, 2024

Conversation

ericcornelissen
Collaborator

@ericcornelissen ericcornelissen commented Mar 22, 2024

Relates to #9

Summary

Create a GitHub Actions workflow that automatically updates the checksums in gha.sum for Pull Requests by Dependabot that update a GitHub Action (as identified by branches: dependabot/github_actions/**).

@ericcornelissen ericcornelissen added ci/cd Relates to ci/cd dependencies Changes to the project's dependencies labels Mar 22, 2024
Create a GitHub Actions workflow that automatically updates the
checksums in gha.sum for Pull Requests by Dependabot that update a
GitHub Action (leveraging `branches: dependabot/github_actions/**`).

This workflow utilizes a bot to be able to push the changes as well as
cause the created commit to trigger CI workflows. The secret it utilizes
must be configured for Dependabot (go to repository Settings > Secrets
and variables > Dependabot). The bot also requires permissions to "Read
and write" for the "Repository permissions" category called "Workflows".

The `if: ${{ github.actor == 'dependabot[bot]' }}` condition ensures the
workflow isn't (re-)run for the commit it creates. Besides avoiding a
potential infinite loop, it also avoids an error due to the (Dependabot
scoped) secrets not being available.

This change introduces two new GitHub Actions dependencies. One is used
to generate an access token from a GitHub app. The other is used to
simplify the creation and pushing of a commit to the Pull Request
branch.
@ericcornelissen
Collaborator Author

This approach utilizes a bot[1] to be able to push the changes as well as cause the created commit to trigger CI workflows. The secret it utilizes must be configured for Dependabot (go to repository Settings > Secrets and variables > Dependabot). The bot also requires permissions to "Read and write" for the "Repository permissions" category called "Workflows".

The if: ${{ github.actor == 'dependabot[bot]' }} condition ensures the workflow isn't (re-)run for the commit it creates. Besides avoiding a potential infinite loop, it also avoids an error due to the (Dependabot scoped) secrets not being available.

Footnotes

  1. In particular a GitHub App.
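One way the workflow described above could be written, as an added illustration and not the project's own file: the PR does not name the two actions, the secret names or the command that rewrites gha.sum, so all of those are assumptions or placeholders here.

```yaml
# Added illustration, not the workflow merged in this PR.
name: Update gha.sum for Dependabot

on:
  pull_request:
    branches:
      - dependabot/github_actions/**

permissions: read-all  # the App token, not GITHUB_TOKEN, does the push

jobs:
  update-checksums:
    # Only run for Dependabot's own PR event: this skips the re-run caused by
    # the commit pushed below (no infinite loop) and avoids failing because
    # Dependabot-scoped secrets are unavailable for any other actor.
    if: ${{ github.actor == 'dependabot[bot]' }}
    runs-on: ubuntu-latest
    steps:
      - name: Create GitHub App token
        id: app-token
        # Assumed action choice; the PR only says "a GitHub App".
        uses: actions/create-github-app-token@v1
        with:
          # Both values must live under Settings > Secrets and variables >
          # Dependabot; the secret names are assumed.
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - name: Check out the PR branch
        uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}
          # Persist the App token so the later push uses it; a push made with
          # GITHUB_TOKEN would not trigger the CI workflows on the new commit.
          token: ${{ steps.app-token.outputs.token }}

      - name: Update gha.sum
        # PLACEHOLDER: the PR does not say how gha.sum is regenerated.
        run: echo "regenerate gha.sum here"

      - name: Commit and push the updated checksums
        # Assumed action choice; the PR only says "simplify the creation and
        # pushing of a commit". Pushing workflow-related files needs the App's
        # "Workflows: Read and write" repository permission.
        uses: stefanzweifel/git-auto-commit-action@v5
        with:
          commit_message: Update gha.sum
          file_pattern: gha.sum
```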

@ericcornelissen ericcornelissen marked this pull request as ready for review March 23, 2024 11:54
@ericcornelissen ericcornelissen merged commit 3b24b44 into main Mar 23, 2024
9 checks passed
@ericcornelissen ericcornelissen deleted the auto-update-checksums branch March 23, 2024 11:54
@ericcornelissen
Collaborator Author

Note: this worked successfully in #47
