Merge branch 'main' into fix-get-info-for-library
kachick authored Jan 18, 2023
2 parents f45919f + 6b3627f commit cf0e979
Showing 13 changed files with 3,324 additions and 1,354 deletions.
1 change: 1 addition & 0 deletions .npmrc
@@ -0,0 +1 @@
engine-strict=true
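Review bot: `engine-strict=true` makes `npm install` fail whenever the running Node version does not satisfy the `engines` field in package.json, and that field is not part of this diff; with `runs.using` moving to `node16` in action.yml, confirm `engines` is set to a matching range and mention the required Node version in the README's maintainer notes so contributors understand why an install refuses to proceed.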
61 changes: 52 additions & 9 deletions README.md
@@ -1,6 +1,10 @@
<p align="center">
<img src="https://s3.eu-west-2.amazonaws.com/dependabot-images/logo-with-name-horizontal.svg?v5" alt="Dependabot" width="336">
</p>
<h1 align="center">
<picture>
<source media="(prefers-color-scheme: light)" srcset="https://user-images.githubusercontent.com/7659/174594540-5e29e523-396a-465b-9a6e-6cab5b15a568.svg">
<source media="(prefers-color-scheme: dark)" srcset="https://user-images.githubusercontent.com/7659/174594559-0b3ddaa7-e75b-4f10-9dee-b51431a9fd4c.svg">
<img src="https://user-images.githubusercontent.com/7659/174594540-5e29e523-396a-465b-9a6e-6cab5b15a568.svg" alt="Dependabot" width="336">
</picture>
</h1>

# Fetch Metadata Action

@@ -10,7 +14,7 @@ Extract information about the dependencies being updated by a Dependabot-generat

## Usage instructions

Create a workflow file that contains a step that uses: `dependabot/fetch-metadata@v1.3.1`, e.g.
Create a workflow file that contains a step that uses: `dependabot/fetch-metadata@v1`, e.g.

```yaml
-- .github/workflows/dependabot-prs.yml
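Review bot: switching the usage example from `dependabot/fetch-metadata@v1.3.1` to `@v1` trades reproducibility for convenience: the release guide added later in this file force-moves the `v1` tag, so any workflow copying this example silently picks up new code on each release. One sentence here should say that users who want an immutable reference can pin to a full commit SHA (or a specific release tag) and let Dependabot update that pin.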
@@ -22,7 +26,7 @@ jobs:
steps:
- name: Fetch Dependabot metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v1.3.1
uses: dependabot/fetch-metadata@v1
with:
alert-lookup: true
compat-lookup: true
@@ -41,6 +45,9 @@ Supported inputs are:
- `compat-lookup` (boolean)
- If `true`, then populate the `compatibility-score` output.
- Defaults to `false`
- `skip-commit-verification` (boolean)
- If `true`, then the action will not expect the commits to have a verification signature. **It is required to set this to 'true' in GitHub Enterprise Server**
- Defaults to `false`

Subsequent actions will have access to the following outputs:

@@ -95,7 +102,7 @@ jobs:
steps:
- name: Dependabot metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v1.3.1
uses: dependabot/fetch-metadata@v1
- uses: actions/checkout@v3
- name: Approve a PR if not already approved
run: |
@@ -129,13 +136,13 @@ jobs:
steps:
- name: Dependabot metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v1.3.1
uses: dependabot/fetch-metadata@v1
- name: Enable auto-merge for Dependabot PRs
if: ${{contains(steps.dependabot-metadata.outputs.dependency-names, 'rails') && steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch'}}
run: gh pr merge --auto --merge "$PR_URL"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.PAT_TOKEN}}
GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
```
### Labelling
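Review bot: replacing `GITHUB_TOKEN: ${{secrets.PAT_TOKEN}}` with `GH_TOKEN: ${{secrets.GITHUB_TOKEN}}` is the right direction (the short-lived, workflow-scoped token instead of a long-lived personal access token), but two consequences belong next to the example: `gh pr merge --auto` needs the job to grant `contents: write` and `pull-requests: write` on that token, and a merge performed with `GITHUB_TOKEN` does not trigger other workflows (such as a deploy on push), which is the usual reason people reached for a PAT here.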
@@ -158,11 +165,47 @@ jobs:
steps:
- name: Dependabot metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v1.3.1
uses: dependabot/fetch-metadata@v1
- name: Add a label for all production dependencies
if: ${{ steps.dependabot-metadata.outputs.dependency-type == 'direct:production' }}
run: gh pr edit "$PR_URL" --add-label "production"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
```
## Notes for project maintainers:
<details><summary>:book: Release guide</summary>
<p>
- Dependabot PR's:
- We expect Dependabot PRs to be passing CI and have any changes to the `dist/` folder built for production dependencies
- Some development dependencies may fail the `dist/` check if they modify the Typescript compilation, these should be updated manually via `npm run build`. See the [`dependabot-build`](https://github.com/dependabot/fetch-metadata/blob/main/.github/workflows/dependabot-build.yml) action for details.
- Checkout and update `main`, then generate a patch release branch
```bash
git checkout main
git pull
bin/bump-version -p patch
```
- Generate a draft release for your new version
```bash
gh release create v1.X.X --generate-notes --draft
> https://github.com/dependabot/fetch-metadata/releases/tag/untagged-XXXXXX
```
- Create a PR linking to the release notes for review
```bash
gh pr create --title "v1.X.X Release Notes" --body "https://github.com/dependabot/fetch-metadata/releases/tag/untagged-XXXXXX"
```
- Copy the release notes from the draft release to the PR description. This is optional, but looks much nicer than a bare URL.
- Merge the PR after getting it reviewed
- Publish the draft release found at https://github.com/dependabot/fetch-metadata/releases/tag/untagged-XXXXXX
- Update the `v1` tracking tag to point to the new version
```bash
git fetch --all --tags
git checkout v1.x.x # Check out the release tag
git tag -f v1 # Force update the tracking tag
git push -f --tags
```
</p>
</details>
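Review bot: the labelling example still sets `GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}` while the auto-merge example above was changed to `GH_TOKEN`; both are honoured by `gh`, but the two examples should use the same variable. In the release guide, `git push -f --tags` force-pushes every local tag, not only `v1`; `git push -f origin v1` limits the force-push to the tag being moved, which matters because tags are what every consumer's `uses:` line resolves against. The placeholders also mix `v1.X.X` and `v1.x.x`; one spelling would read better.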
6 changes: 5 additions & 1 deletion action.yml
@@ -13,6 +13,10 @@ inputs:
github-token:
description: 'The GITHUB_TOKEN secret'
default: ${{ github.token }}
skip-commit-verification:
type: boolean
description: 'If true, the action will not expect Dependabot commits to be verified. This should be set as `true` in GHES environments.'
default: false
outputs:
dependency-names:
description: 'A comma-separated list of all package names updated.'
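Review bot: `type: boolean` is not a key in the action metadata `inputs` schema (that schema has `description`, `required`, `default` and `deprecationMessage`); every input reaches the code as a string, so `default: false` arrives as the string `"false"` and the implementation must compare against `'true'` rather than rely on a boolean. Either drop the key or add a comment that it is informational only.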
@@ -41,5 +45,5 @@ outputs:
compatibility-score:
description: 'If this PR has a known compatibility score and `compat-lookup` is `true`, this contains the compatibility score (otherwise it contains 0).'
runs:
using: 'node12'
using: 'node16'
main: 'dist/index.js'
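Review bot: moving `runs.using` from `node12` to `node16` is needed (Node 12 actions are deprecated on GitHub's runners), but `dist/index.js` is what actually runs; confirm the bundle in this commit was rebuilt with the Node 16 toolchain and that package.json `engines` agrees, since the new `.npmrc` `engine-strict=true` will now enforce that range on contributor installs.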
4 changes: 1 addition & 3 deletions bin/bump-version
@@ -22,9 +22,7 @@ fi

new_version=$(npm version "${patch_level}" --no-git-tag-version)
git checkout -b "${new_version}"-release-notes
sed -i.bak "s|dependabot/fetch-metadata@v[0-9.]*|dependabot/fetch-metadata@${new_version}|g" "README.md"
rm README.md.bak
git add package.json package-lock.json README.md
git add package.json package-lock.json
git commit -m "${new_version}"

echo "Branch prepared for ${new_version}"
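Review bot: dropping the `sed` rewrite of README.md is consistent with the examples now pinning `@v1`, but nothing replaces it: if a full version such as `v1.3.1` is ever reintroduced into the README it will go stale silently. A cheap guard in this script (or in CI) that fails when `README.md` matches `fetch-metadata@v[0-9]+\.` would keep the `@v1` convention enforced.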
