diff --git a/.github/workflows/auto_merge.yml b/.github/workflows/auto_merge.yml index 509ff888..9ef00ec0 100644 --- a/.github/workflows/auto_merge.yml +++ b/.github/workflows/auto_merge.yml @@ -22,46 +22,29 @@ on: # Success statuses can unblock the corresponding # pull requests and make them mergeable. status: {} + workflow_run: + workflows: [approve_and_label] + types: + - completed + +permissions: + contents: write + pull-requests: write + issues: write + checks: read jobs: - check_pr_from_fork: - name: Check PR from fork - runs-on: ubuntu-18.04 - outputs: - is_forked_pr: ${{ steps.check_pr_source.outputs.result }} - steps: - - name: Check PR source - id: check_pr_source - uses: actions/github-script@v2 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - # For PR-based events returns 'true' when the HEAD originates from a forked repo - # We do this to avoid security issues - script: | - return ( !(context.payload.pull_request) ? false : ( - context.payload.pull_request.head.repo.full_name !== context.payload.pull_request.base.repo.full_name) - ); auto_merge: name: Auto-squash the PR runs-on: ubuntu-18.04 - # Don't run when the triggering event originates from a forked repos - needs: check_pr_from_fork - if: | - needs.check_pr_from_fork.outputs.is_forked_pr == 'false' steps: - - name: Generate token - id: generate_token - uses: tibdex/github-app-token@v1 - with: - app_id: ${{ secrets.ENDJIN_BOT_APP_ID }} - private_key: ${{ secrets.ENDJIN_BOT_PRIVATE_KEY }} # This may not be strictly required, but should keep unmerged, closed PRs cleaner - name: Remove 'autosquash' label from closed PRs id: remove_autosquash_label_from_closed_prs uses: actions/github-script@v2 with: - github-token: '${{ steps.generate_token.outputs.token }}' + github-token: '${{ secrets.GITHUB_TOKEN }}' script: | const pulls = await github.search.issuesAndPullRequests({ q: 'is:pr is:closed label:autosquash', 
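Review bot: The deleted `check_pr_from_fork` guard is not replaced by any condition on the `auto_merge` job, while the new `workflow_run` trigger always runs in the base repository with the `contents: write` / `pull-requests: write` grant declared just above it, whatever the origin of the PR that triggered `approve_and_label`; that workflow fires on `pull_request: [opened, reopened]` (see its -3,6 hunk), so the `autosquash` label is now the only gate in front of an automatic merge. At minimum gate the job on the upstream result, since `types: [completed]` also fires for failed and cancelled runs: `if: github.event.workflow_run.conclusion == 'success'` in place of the deleted `if:`. Also note that `workflows: [approve_and_label]` is matched against the other workflow's `name:` field, not its filename `dependabot_approve_and_label.yml`, and that `name:` is outside the diff — confirm it reads exactly `approve_and_label`, otherwise this trigger never fires. The `on:` block this hunk edits begins before the hunk.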
@@ -80,6 +63,6 @@ jobs: name: 'autosquash' }); } - - uses: endjin/autosquash@v2.2 + - uses: endjin/autosquash@v2.4 with: - github_token: '${{ steps.generate_token.outputs.token }}' \ No newline at end of file + github_token: '${{ secrets.GITHUB_TOKEN }}' \ No newline at end of file diff --git a/.github/workflows/dependabot_approve_and_label.yml b/.github/workflows/dependabot_approve_and_label.yml index 42d7ff2c..03c7d237 100644 --- a/.github/workflows/dependabot_approve_and_label.yml +++ b/.github/workflows/dependabot_approve_and_label.yml @@ -3,6 +3,10 @@ on: pull_request: types: [opened, reopened] +permissions: + issues: write + pull-requests: write + jobs: evaluate_dependabot_pr: runs-on: ubuntu-latest @@ -42,7 +46,7 @@ jobs: echo "is_interesting_package (merge) : ${{ steps.parse_dependabot_pr_automerge.outputs.is_interesting_package }}" echo "is_interesting_package (release) : ${{ steps.parse_dependabot_pr_autorelease.outputs.is_interesting_package }}" echo "semver_increment : ${{ steps.parse_dependabot_pr_automerge.outputs.semver_increment }}" - + approve: runs-on: ubuntu-latest needs: evaluate_dependabot_pr @@ -62,19 +66,13 @@ jobs: echo "to_version : ${{needs.evaluate_dependabot_pr.outputs.version_to}}" echo "<------------------------------------------------>" shell: bash - - name: Generate token - id: generate_token - uses: tibdex/github-app-token@v1 - with: - app_id: ${{ secrets.ENDJIN_BOT_APP_ID }} - private_key: ${{ secrets.ENDJIN_BOT_PRIVATE_KEY }} - name: Approve pull request if: | needs.evaluate_dependabot_pr.outputs.is_auto_merge_candidate == 'True' && (needs.evaluate_dependabot_pr.outputs.semver_increment == 'minor' || needs.evaluate_dependabot_pr.outputs.semver_increment == 'patch') uses: andrewmusgrave/automatic-pull-request-review@0.0.2 with: - repo-token: '${{ steps.generate_token.outputs.token }}' + repo-token: '${{ secrets.GITHUB_TOKEN }}' event: APPROVE body: 'Thank you dependabot 🎊' - name: 'Update PR body' 
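Review bot: `endjin/autosquash@v2.4` now receives a token carrying `contents: write` but is pinned to a mutable tag, so the code that merges into the default branch can change without any diff appearing in this repository; pin to the full commit SHA, `- uses: endjin/autosquash@<commit-sha>  # v2.4`, and do the same for `actions/github-script@v2` and `andrewmusgrave/automatic-pull-request-review@0.0.2` in the dependabot workflow. Separately, merges performed with `secrets.GITHUB_TOKEN` do not start other workflows — GitHub suppresses workflow runs for events created with the built-in token — so anything that previously ran on the merge commit under the App token (a build or release on `push`, presumably) will no longer run; if that is relied on, this is a behavioural change rather than a pure token swap and deserves a comment next to `github_token:` saying so.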
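Review bot: The new workflow-level `permissions:` block grants `issues: write` and `pull-requests: write` to every job, including `evaluate_dependabot_pr`, which in the visible hunks only parses and echoes outputs; declare the block on the `approve` and `label` jobs instead so the parsing job keeps the read-only default. The grant is also what makes the switch to `secrets.GITHUB_TOKEN` work at all: runs triggered by Dependabot-opened PRs get a read-only token unless `permissions` raises it, whereas runs for `pull_request` events from forks stay read-only regardless, so the approve/label steps will fail rather than act on such PRs — worth a one-line comment above `permissions:` so nobody "fixes" it by widening the grant. The workflow `name:` and the start of the `on:` block lie before this hunk.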
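Review bot: The `Approve pull request` step's `if:` checks only `is_auto_merge_candidate` and the semver increment, with no guard on who opened the PR, while the `label` job in the -91,18 hunk additionally requires `github.actor` to be `dependabot[bot]` or `dependjinbot[bot]`; unless `is_auto_merge_candidate` itself encodes the actor (the `evaluate_dependabot_pr` job is outside the diff), add the same condition here, `(github.actor == 'dependabot[bot]' || github.actor == 'dependjinbot[bot]') &&` as the first line of the `if:`. With `secrets.GITHUB_TOKEN` the approval is recorded as `github-actions[bot]`, which depends on the repository setting that allows Actions to approve pull requests and will not satisfy a branch protection rule that demands a review from a code owner or a human; a comment above the step stating that dependency would save the next reader a debugging session. The `approve` job's header is outside this hunk.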
@@ -83,7 +81,7 @@ jobs: (needs.evaluate_dependabot_pr.outputs.semver_increment == 'minor' || needs.evaluate_dependabot_pr.outputs.semver_increment == 'patch') uses: actions/github-script@v2 with: - github-token: '${{ steps.generate_token.outputs.token }}' + github-token: '${{ secrets.GITHUB_TOKEN }}' script: | await github.pulls.update({ owner: context.payload.repository.owner.login, @@ -91,18 +89,11 @@ jobs: pull_number: context.payload.pull_request.number, body: "Bumps '${{needs.evaluate_dependabot_pr.outputs.dependency_name}}' from ${{needs.evaluate_dependabot_pr.outputs.version_from}} to ${{needs.evaluate_dependabot_pr.outputs.version_to}}" }) - label: runs-on: ubuntu-latest needs: evaluate_dependabot_pr name: Label steps: - - name: Generate token - id: generate_token - uses: tibdex/github-app-token@v1 - with: - app_id: ${{ secrets.ENDJIN_BOT_APP_ID }} - private_key: ${{ secrets.ENDJIN_BOT_PRIVATE_KEY }} - name: 'Label auto-mergeable dependabot PRs with "autosquash"' if: | (github.actor == 'dependabot[bot]' || github.actor == 'dependjinbot[bot]' || github.actor == 'nektos/act') && @@ -110,7 +101,7 @@ jobs: (needs.evaluate_dependabot_pr.outputs.semver_increment == 'minor' || needs.evaluate_dependabot_pr.outputs.semver_increment == 'patch') uses: actions/github-script@v2 with: - github-token: '${{ steps.generate_token.outputs.token }}' + github-token: '${{ secrets.GITHUB_TOKEN }}' script: | await github.issues.addLabels({ owner: context.payload.repository.owner.login,
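Review bot: The `Update PR body` step still splices job outputs straight into the JavaScript handed to `actions/github-script` — the `body: "Bumps '${{needs.evaluate_dependabot_pr.outputs.dependency_name}}' from … to …"` line in the following -91,18 hunk — so those values are substituted into source code before the script runs; if any of them is derived from PR-controlled text such as the title (the `evaluate_dependabot_pr` job is outside the diff), this is the expression-injection pattern GitHub's Actions security hardening guide warns about, now exercised with a token that has `pull-requests: write`. Pass the values through `env:` and read them with `process.env` so they are handled as data at runtime; the same applies to the `addLabels` script in the -110,7 hunk if it interpolates outputs beyond what is visible. The step begins in this hunk and its script continues into the next one.
```yaml
      - name: 'Update PR body'
        # … unchanged: if:, uses: actions/github-script@v2 …
        env:
          DEPENDENCY_NAME: ${{ needs.evaluate_dependabot_pr.outputs.dependency_name }}
          VERSION_FROM: ${{ needs.evaluate_dependabot_pr.outputs.version_from }}
          VERSION_TO: ${{ needs.evaluate_dependabot_pr.outputs.version_to }}
        with:
          github-token: '${{ secrets.GITHUB_TOKEN }}'
          script: |
            await github.pulls.update({
              // … unchanged: owner, pull_number and the other fields …
              body: `Bumps '${process.env.DEPENDENCY_NAME}' from ${process.env.VERSION_FROM} to ${process.env.VERSION_TO}`
            })
```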