feat: add process-dependabot-reusable workflow (Bash-based alternative)
#419
Conversation
…ive) This PR introduces a **reusable GitHub Actions workflow**, `process-dependabot-reusable`, designed to streamline the handling of Dependabot pull requests across repositories — implemented entirely with **shell scripts**. This serves as a Bash-based alternative to #418, which uses TypeScript. ### 🔄 Key Differences from #418 * **Trigger**: Runs on `pull_request_target` (not `push`), which is required by the `dependabot/fetch-metadata` action. * **Implementation**: Written using **standard POSIX tools** with a few dependencies: * **`bash`** – some Bash-specific constructs are used * **`jq`** – for processing JSON output from `dependabot/fetch-metadata` * **`xmlstarlet`** – for parsing `pom.xml` and generating a changelog XML file * **`git`** – to commit and push any changes * **`gh`** – to enable "auto-merge" on the pull request This approach avoids the Node.js/TypeScript toolchain and relies only on standard CLI tools commonly available in CI environments.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
The `apt` command is not recommended for scripting.
|
After running some tests, I identified the following limitations with this workflow stemming from the use of
|
This change splits the Dependabot automation into two reusable workflows: * **Unprivileged workflow** (`analyze-dependabot-reusable`): Runs on `pull_request` with no permissions. It analyzes Dependabot PRs and generates metadata safely. * **Privileged workflow** (`process-dependabot-reusable`): Uses the metadata from the unprivileged step to generate changelog files and enable the "auto-merge" option. Requires access to our GPG key and Personal Access Token.
There was a problem hiding this comment.
Pull Request Overview
This PR adds a new Bash-based reusable GitHub Actions workflow for processing Dependabot pull requests and a complementary workflow for analyzing them.
- Introduces the process-dependabot-reusable workflow that generates changelog entries and enables auto-merge.
- Splits the workflow into two parts (analyze and process) and updates related documentation and examples.
- Adds an XML changelog entry and updates workflow examples to reflect the new structure.
Reviewed Changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| src/site/antora/modules/ROOT/pages/workflows.adoc | Updates documentation to include examples and explanations for the new workflows. |
| src/site/antora/modules/ROOT/examples/process-dependabot.yaml | Provides an example usage of the new process workflow. |
| src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml | Provides an example usage of the new analyze workflow. |
| src/changelog/.12.x.x/add-deploy-profile.xml | Adds a changelog entry documenting the addition of the new workflow. |
| .github/workflows/process-dependabot-reusable.yaml | Implements the workflow that generates changelog entries and enables auto-merge for Dependabot PRs. |
| .github/workflows/analyze-dependabot-reusable.yaml | Implements the workflow to analyze Dependabot PRs and prepare metadata for processing. |
Comments suppressed due to low confidence (2)
.github/workflows/process-dependabot-reusable.yaml:168
- Consider using the PR_URL extracted earlier from the fetched metadata (set in GITHUB_ENV) instead of relying on github.event.pull_request.html_url to ensure consistency across the workflow.
PR_URL: ${{ github.event.pull_request.html_url }}
.github/workflows/process-dependabot-reusable.yaml:104
- [nitpick] The indentation of the 'exit 1' statement (line 106) is inconsistent with the block structure; aligning it with the preceding echo statement will improve readability.
if [[ ! $revision =~ ^[0-9]+\.[0-9]+\.[0-9]+(-SNAPSHOT)?$ ]]; then
This PR introduces a reusable GitHub Actions workflow,
process-dependabot-reusable, designed to streamline the handling of Dependabot pull requests across repositories — implemented entirely with shell scripts.This serves as a Bash-based alternative to #418, which uses TypeScript.
🔄 Key Differences from #418
Trigger: Runs on
pull_request_target(notpush), which is required by thedependabot/fetch-metadataaction.Implementation: Written using standard POSIX tools with a few dependencies:
bash– some Bash-specific constructs are usedjq– for processing JSON output fromdependabot/fetch-metadataxmlstarlet– for parsingpom.xmland generating a changelog XML filegit– to commit and push any changesgh– to enable "auto-merge" on the pull requestThis approach avoids the Node.js/TypeScript toolchain and relies only on standard CLI tools commonly available in CI environments.
Updated version
The updated version of this PR splits the workflow into two parts:
Unprivileged workflow (
analyze-dependabot-reusable):Runs on
pull_requestwith no permissions. It analyzes Dependabot PRs and generates metadata safely.Privileged workflow (
process-dependabot-reusable):Uses the metadata from the unprivileged step to generate changelog files and enable the "auto-merge" option. Requires access to our GPG key and Personal Access Token.