Enable dependabot automatic updates #630

Merged
merged 3 commits into from
Jul 26, 2021
9 changes: 9 additions & 0 deletions .github/depandabot.yml
@@ -0,0 +1,9 @@
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
day: "thursday" # Gives us a working day to merge this before our typical release
labels:
- "Update dependencies"
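Review bot: the file header shows this configuration being added as `.github/depandabot.yml`, but Dependabot only reads `.github/dependabot.yml`, so with this spelling the file is silently ignored: no version-update PRs are opened, the "Update dependencies" label is never applied, and the workflow below never runs. Rename the file to `.github/dependabot.yml` before merging.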
37 changes: 37 additions & 0 deletions .github/workflows/update-dependencies.yml
@@ -0,0 +1,37 @@
name: Update dependencies
on:
pull_request:

jobs:
update:
name: Update dependencies
runs-on: macos-latest
if: contains(github.event.pull_request.labels.*.name, 'Update dependencies')
steps:
- name: Checkout repository
uses: actions/checkout@v2

- name: Remove PR label
env:
REPOSITORY: '${{ github.repository }}'
PR_NUMBER: '${{ github.event.pull_request.number }}'
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
run: |
gh api "repos/$REPOSITORY/issues/$PR_NUMBER/labels/Update%20dependencies" -X DELETE

- name: Push updated dependencies
env:
BRANCH: '${{ github.head_ref }}'
run: |
git fetch
git checkout $BRANCH
Contributor

I'm surprised this works. I thought you'd have to add fetch-depth: 0 to the actions/checkout call, otherwise it makes a shallow checkout.

Contributor Author

This works and was previously necessary when I had just git push because, unlike the actions/checkout call which checks out a detached HEAD, the above actually checks out the branch and lets us push to it. Now that we've specified the branch in push I think we could use actions/checkout, but I think leaving this is also okay (and might spare someone confusion in the future about why just push doesn't work if they ever change it back).
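The detached-HEAD point made in the reply above, as an added shell example that is not part of this PR or the codeql-action workflow: it builds a throwaway bare "origin" and a clone of it (constructed local repositories, nothing is fetched), detaches HEAD the way actions/checkout does, and shows that a bare `git push` fails from that state while either checking the branch out first (what the workflow does) or pushing an explicit `HEAD:$BRANCH` refspec succeeds. The function names (`setup_repos`, `push_plain`, and so on) and the bot identity are my own.

```shell
#!/bin/sh
# Added example, not code from the codeql-action PR: reproduces the detached-HEAD
# push failure discussed above and two ways around it, using only local temp repos.
set -eu

# git with a constructed committer identity, so commits work in a bare CI image.
gitc() {
  git -c user.name=bot -c user.email=bot@example.invalid "$@"
}

# Exit 0 when HEAD is a symbolic ref (on a branch), 1 when HEAD is detached.
on_branch() {
  git -C "$1" symbolic-ref -q HEAD >/dev/null 2>&1
}

# Create a bare "origin" whose only branch is update-deps, then a clone of it with
# HEAD detached at that branch's tip (the state actions/checkout leaves behind).
# Prints the temp directory holding both repositories.
setup_repos() {
  work=$(mktemp -d)
  git init -q "$work/src"
  git -C "$work/src" symbolic-ref HEAD refs/heads/update-deps
  gitc -C "$work/src" commit -q --allow-empty -m "initial"
  git clone -q --bare "$work/src" "$work/origin.git"
  git clone -q "$work/origin.git" "$work/clone" 2>/dev/null
  git -C "$work/clone" checkout -q --detach
  echo "$work"
}

# Stand-in for the workflow's "Update checked-in dependencies" commit.
commit_change() {
  gitc -C "$1" commit -q --allow-empty -m "Update checked-in dependencies"
}

# The plain `git push` the reply says used to fail: with no upstream branch on a
# detached HEAD, git refuses ("You are not currently on a branch").
push_plain() {
  git -C "$1" push -q origin >/dev/null 2>&1
}

# Fix 1: name the target explicitly, so the push works even from a detached HEAD.
push_explicit() {
  git -C "$1" push -q origin "HEAD:refs/heads/$2" >/dev/null 2>&1
}

# Fix 2 (what the workflow does): check the branch out, then a plain push works
# because the clone's branch tracks origin/<branch>.
checkout_branch() {
  git -C "$1" checkout -q "$2" 2>/dev/null
}

# Commit SHA at the tip of a branch, used to confirm a push actually landed.
tip_of() {
  git -C "$1" rev-parse "refs/heads/$2"
}
```

Run in order: `setup_repos`, `commit_change`, observe `push_plain` fail, then `push_explicit`; or `setup_repos`, `checkout_branch`, `commit_change`, and `push_plain` now succeeds. The second sequence is the one the workflow's `git fetch && git checkout $BRANCH` before `git push` implements.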

sudo npm install --force -g npm@latest
Contributor

Just an open question of whether using latest is better than using what's on the Actions VMs. They come with something pretty modern anyway, and it may be more stable than going with the latest. Although I assume this is still the latest released version and not true bleeding edge, so it's probably fine either way.

Whatever we do here, it should match the NPM version used in https://github.com/github/codeql-action/blob/main/.github/workflows/pr-checks.yml

Contributor Author

This was actually unfortunately necessary because the version in the Actions VM is old enough that it uses v1 of the lockfile and cannot do npm install correctly with the v2 lockfile that is checked in. This isn't necessary for the PR checks there because they do not actually do npm install and the other npm commands are forwards-compatible with the new lockfiles, but I agree for consistency we should probably use the same version there - I will update this. Indeed @latest is the latest stable release rather than the bleeding edge pre-release version which is @next.

npm install
npm ci
npm run removeNPMAbsolutePaths
git config --global user.email "[email protected]"
git config --global user.name "github-actions[bot]"
git add node_modules
git commit -am "Update checked-in dependencies"
git push
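Review bot: the "Remove PR label" step deletes the "Update dependencies" label before the "Push updated dependencies" step has run, so if the push step fails the label is already gone and the run cannot be retried just by re-applying it. Two failure modes are visible in the hunk itself: `git commit -am` exits non-zero when `npm ci` produced no change to node_modules, and on a `pull_request` event from a fork the `secrets.GITHUB_TOKEN` used here is read-only, so `git push` is rejected. Move the label removal to after the push (or make it the last step). Also, `sudo npm install --force -g npm@latest` ties the job to whatever npm publishes next; pin a major (the one pr-checks.yml ends up using, per the thread above) so the checked-in lockfile format stays predictable, and consider pinning `actions/checkout@v2` to a commit SHA rather than a movable tag, since this job commits and pushes with a write token.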