Skip to content

Commit 5476510

Browse files
authored
ci(dependabot-side-effects): auto dedupe dependencies [AR-55391] (drivenets#535)
1 parent df50bb4 commit 5476510

3 files changed

Lines changed: 56 additions & 46 deletions

File tree

.github/scripts/generate-dependabot-changeset.ts

Lines changed: 0 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,5 @@
11
import path from 'node:path';
22
import fs from 'node:fs/promises';
3-
import { promisify } from 'node:util';
4-
import { exec } from 'node:child_process';
53
import * as oxfmt from 'oxfmt';
64
import * as git from '@changesets/git';
75
import getChangesets from '@changesets/read';
@@ -11,8 +9,6 @@ import { shouldSkipPackage } from '@changesets/should-skip-package';
119
import oxfmtConfig from '../../.oxfmtrc.json' with { type: 'json' };
1210
import changesetConfig from '../../.changeset/config.json' with { type: 'json' };
1311

14-
const execAsync = promisify(exec);
15-
1612
const BASE_BRANCH = 'origin/' + changesetConfig.baseBranch;
1713
const ROOT_DIR = path.resolve(import.meta.dirname, '../../');
1814

@@ -50,11 +46,6 @@ await formatChangeset(changesetId);
5046

5147
console.log('Added new changeset');
5248

53-
await git.add('-A', ROOT_DIR);
54-
await git.commit('chore: update changeset', ROOT_DIR);
55-
56-
await execAsync('git push', { cwd: ROOT_DIR });
57-
5849
async function getExistingChangeset() {
5950
return (await getChangesets(ROOT_DIR, BASE_BRANCH)).find(
6051
(changeset) => changeset.summary === newChangeset.summary,

.github/workflows/dependabot-changeset.yml

Lines changed: 0 additions & 37 deletions
This file was deleted.
Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,56 @@
1+
# This workflow should run only for Dependabot PRs, so we can safely use `pull_request` trigger instead of
2+
# `pull_request_target` and have access to the secrets.
3+
#
4+
# If an attacker edits this workflow and removes the Dependabot condition, it should still be safe because
5+
# the workflow will run in the fork context and won't have access to secrets.
6+
name: Dependabot Side Effects
7+
8+
on: pull_request
9+
10+
permissions: {}
11+
12+
concurrency:
13+
group: '${{ github.workflow }} @ ${{ github.event.pull_request.number }}'
14+
cancel-in-progress: true
15+
16+
jobs:
17+
run:
18+
name: Run
19+
if: github.event.pull_request.user.login == 'dependabot[bot]'
20+
21+
runs-on: ubuntu-latest
22+
23+
steps:
24+
- name: Checkout source code # zizmor: ignore[artipacked] Need persisted token to commit the changes.
25+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
26+
with:
27+
fetch-depth: 0
28+
ref: ${{ github.head_ref }}
29+
ssh-key: ${{ secrets.DEPLOY_KEY }}
30+
31+
- name: Install Dependencies
32+
uses: ./.github/actions/install
33+
34+
- name: Configure git user
35+
run: |
36+
git config user.name 'github-actions[bot]'
37+
git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
38+
39+
- name: Generate changeset
40+
# Generate changeset only for production dependencies changes.
41+
if: startsWith(github.head_ref, 'dependabot/npm_and_yarn/npm-production-')
42+
run: |
43+
node .github/scripts/generate-dependabot-changeset.ts
44+
45+
git add -A
46+
git commit -m "chore: update changeset" -n || echo "No changeset to commit"
47+
48+
- name: Deduplicate Dependencies
49+
run: |
50+
pnpm dedupe
51+
52+
git add -A
53+
git commit -m "chore: deduplicate dependencies" -n || echo "No deduplication to commit"
54+
55+
- name: Push Changes
56+
run: git push

0 commit comments

Comments
 (0)