CI: Check for dependency updates automatically #2777
Conversation
This currently covers: - aqt - Qt6 - choco-jack - choco-jom - NSIS - ASIO-SDK Related: jamulussoftware#2346
|
Generated a new ed25519 keypair, added the private key as repository secret, added the public key as deploy key with write permissions. I've destroyed my local copy of the key. It is not needed. I don't think we can easily access the private key again, but we shouldn't have to. If something changes, we'll just generate a new one and change the public key. |
|
... and it did work: #2787 |
There's an error on master. |
|
Yep, I've seen it and I'm currently looking into it. Might be permission-related, but I'm not yet sure why. |
|
I guess |
|
Meh, I can't reproduce it on my repo. I think the issue is that we use organization-scoped project boards and that the |
The workflow got permission errors from the Github API when trying to edit existing PRs which had already been added to an organization project. The reason for this is that the GITHUB_TOKEN of the run is scoped to the repo, but `gh edit` tries to fetch all fields of a PR which includes the inaccessible organization project field. Therefore, use `gh api` instead which can be used in a more fine-grained way. Fixes: jamulussoftware#2777 (comment)
That was it, indeed. Using the API directly avoids this problem. See #2801. Let's continue further discussion over there. |
The workflow got permission errors from the Github API when trying to edit existing PRs which had already been added to an organization project. The reason for this is that the GITHUB_TOKEN of the run is scoped to the repo, but `gh edit` tries to fetch all fields of a PR which includes the inaccessible organization project field. Therefore, use `gh api` instead which can be used in a more fine-grained way. Fixes: jamulussoftware#2777 (comment)
Short description of changes
This PR adds a workflow which automatically checks many of our pinned third-party dependencies which cannot be handled easily by dependabot. It currently covers:
(The logs are from runs on my repo which had artificially been made outdated regarding all supported components before)
If an update is found, a PR is submitted automatically. The workflow automatically runs once per week (Saturdays).
Upon merge or close of the PR, the branch is deletec automatically.
PRs are updated automatically if
masterchanges and there is a risk of conflicts.The workflow has been made re-usable and uses a matrix to check the different targets, so it should be somewhat easy to extend (once one has come up with a proper regexp...).
The workflow does not handle most of the Android pinnings (haven't looked into it so far).
It does not handle submodules yet (dependabot supports them, but not based on releases/tags, it seems).
It does not handle pinned Github Actions, as those should be compatible with
CHANGELOG: Internal: Enabled automated dependency updates via dependabot and custom automation
Context: Fixes an issue?
Related: #2346
Does this change need documentation? What needs to be documented and how?
It mostly needs inline documentation to avoid accidential breakage during future refactorings. This documentation in the form of comments is included in this PR.
Status of this Pull Request
Ready for review.
What is missing until this pull request can be merged?
(The deploy key is necessary as the workflow is not allowed to modify .github/workflows/ by itself, even in a PR; it's also necessary to ensure proper Checks/Autobuilds on those bot-submitted PRs)
Checklist