coder/.github/workflows/dependabot.yaml
Lukasz 06d7fc5200 feat: add dependabot security backport labels (#24484)
Dependabot security update PRs should be backported with the workflow
added in #24025, but today they still rely on someone noticing and
adding the backport label manually.

This updates the dependabot workflow to add the existing backport label
automatically when a newly opened Dependabot PR looks like a security
fix, and it adjusts the Slack notification text so those PRs are called
out explicitly.
2026-04-23 08:58:53 +05:00


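# Auto-handles freshly opened Dependabot PRs on coder/coder: labels security
# updates for backport, approves and auto-merges non-Actions bumps, and posts
# a Slack notification describing what was done.
name: dependabot

on:
  pull_request:
    types:
      - opened

# Workflow-wide default; the job below widens it only for itself.
permissions:
  contents: read

jobs:
  dependabot-automerge:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    # Gate on Dependabot's numeric user id as well as its login so an account
    # merely named to resemble the bot cannot trigger the write-scoped job.
    if: >
      github.event_name == 'pull_request' &&
      github.event.action == 'opened' &&
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.event.pull_request.user.id == 49699333 &&
      github.repository == 'coder/coder'
    permissions:
      pull-requests: write
      contents: write
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36 # v3.0.0
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
          # Populates `alert-state`, which is what the backport step keys on.
          # NOTE(review): if the alert lookup fails silently (e.g. the token
          # lacks the scope to read alerts), alert-state stays empty and a
          # security PR is treated as an ordinary bump — confirm the lookup
          # works with GITHUB_TOKEN under these permissions.
          alert-lookup: true

      - name: Add backport label to security updates
        id: security_backport
        # A non-empty alert-state means the PR is tied to a security alert;
        # skip if someone already added the label.
        if: >-
          ${{
            steps.metadata.outputs.alert-state != '' &&
            !contains(github.event.pull_request.labels.*.name, 'backport')
          }}
        run: |
          set -euo pipefail
          echo "Adding backport label to security update PR $PR_URL"
          gh pr edit "$PR_URL" --add-label backport
          # Consumed by the Slack step below to pick the security wording.
          echo "added=true" >> "$GITHUB_OUTPUT"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # GitHub Actions bumps are deliberately left for a human: they change
      # what runs with repo credentials, so neither approve nor auto-merge.
      - name: Approve the PR
        if: steps.metadata.outputs.package-ecosystem != 'github-actions'
        run: |
          set -euo pipefail
          echo "Approving $PR_URL"
          gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Enable auto-merge
        if: steps.metadata.outputs.package-ecosystem != 'github-actions'
        run: |
          set -euo pipefail
          echo "Enabling auto-merge for $PR_URL"
          gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Send Slack notification
        run: |
          set -euo pipefail
          if [ "$SECURITY_BACKPORT" = "true" ] && [ "$PACKAGE_ECOSYSTEM" = "github-actions" ]; then
            STATUS_TEXT=":rotating_light: Dependabot opened security PR #${PR_NUMBER} and added the backport label (GitHub Actions changes are not auto-merged)"
          elif [ "$SECURITY_BACKPORT" = "true" ]; then
            STATUS_TEXT=":rotating_light: Auto merge enabled for Dependabot security PR #${PR_NUMBER}; backport label added"
          elif [ "$PACKAGE_ECOSYSTEM" = "github-actions" ]; then
            STATUS_TEXT=":pr-opened: Dependabot opened PR #${PR_NUMBER} (GitHub Actions changes are not auto-merged)"
          else
            STATUS_TEXT=":pr-merged: Auto merge enabled for Dependabot PR #${PR_NUMBER}"
          fi
          # Build the payload with jq (preinstalled on GitHub-hosted ubuntu
          # runners) so a PR title containing quotes or backslashes cannot
          # break the JSON or smuggle extra fields into it. The title is
          # derived from package names, which the repo does not control.
          PAYLOAD="$(jq -n \
            --arg status "$STATUS_TEXT" \
            --arg title "$PR_TITLE" \
            --arg url "$PR_URL" \
            '{
              username: "dependabot",
              icon_url: "https://avatars.githubusercontent.com/u/27347476",
              blocks: [
                {
                  type: "header",
                  text: { type: "plain_text", text: $status, emoji: true }
                },
                {
                  type: "section",
                  fields: [ { type: "mrkdwn", text: $title } ]
                },
                {
                  type: "actions",
                  elements: [
                    {
                      type: "button",
                      text: { type: "plain_text", text: "View PR" },
                      url: $url
                    }
                  ]
                }
              ]
            }')"
          # Read the webhook from the environment rather than interpolating
          # the secret into the script, and fail the step on a non-2xx reply
          # so a broken webhook does not silently drop security notices.
          curl --silent --show-error --fail-with-body \
            -X POST -H 'Content-type: application/json' \
            --data "$PAYLOAD" "$SLACK_WEBHOOK"
        env:
          SLACK_WEBHOOK: ${{ secrets.DEPENDABOT_PRS_SLACK_WEBHOOK }}
          PACKAGE_ECOSYSTEM: ${{ steps.metadata.outputs.package-ecosystem }}
          SECURITY_BACKPORT: ${{ steps.security_backport.outputs.added || 'false' }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_URL: ${{ github.event.pull_request.html_url }}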