|
| 1 | +# This workflow should run only for Dependabot PRs, so we can safely use `pull_request` trigger instead of |
| 2 | +# `pull_request_target` and have access to the secrets. |
| 3 | +# |
| 4 | +# If an attacker edits this workflow and removes the Dependabot condition, it should still be safe because |
| 5 | +# the workflow will run in the fork context and won't have access to secrets. |
| 6 | +name: Dependabot Side Effects |
| 7 | + |
| 8 | +on: pull_request |
| 9 | + |
| 10 | +permissions: {} |
| 11 | + |
| 12 | +concurrency: |
| 13 | + group: '${{ github.workflow }} @ ${{ github.event.pull_request.number }}' |
| 14 | + cancel-in-progress: true |
| 15 | + |
| 16 | +jobs: |
| 17 | + run: |
| 18 | + name: Run |
| 19 | + if: github.event.pull_request.user.login == 'dependabot[bot]' |
| 20 | + |
| 21 | + runs-on: ubuntu-latest |
| 22 | + |
| 23 | + steps: |
| 24 | + - name: Checkout source code # zizmor: ignore[artipacked] Need persisted token to commit the changes. |
| 25 | + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
| 26 | + with: |
| 27 | + fetch-depth: 0 |
| 28 | + ref: ${{ github.head_ref }} |
| 29 | + ssh-key: ${{ secrets.DEPLOY_KEY }} |
| 30 | + |
| 31 | + - name: Install Dependencies |
| 32 | + uses: ./.github/actions/install |
| 33 | + |
| 34 | + - name: Configure git user |
| 35 | + run: | |
| 36 | + git config user.name 'github-actions[bot]' |
| 37 | + git config user.email '41898282+github-actions[bot]@users.noreply.github.com' |
| 38 | +
|
| 39 | + - name: Generate changeset |
| 40 | + # Generate changeset only for production dependencies changes. |
| 41 | + if: startsWith(github.head_ref, 'dependabot/npm_and_yarn/npm-production-') |
| 42 | + run: | |
| 43 | + node .github/scripts/generate-dependabot-changeset.ts |
| 44 | +
|
| 45 | + git add -A |
| 46 | + git commit -m "chore: update changeset" -n || echo "No changeset to commit" |
| 47 | +
|
| 48 | + - name: Deduplicate Dependencies |
| 49 | + run: | |
| 50 | + pnpm dedupe |
| 51 | +
|
| 52 | + git add -A |
| 53 | + git commit -m "chore: deduplicate dependencies" -n || echo "No deduplication to commit" |
| 54 | +
|
| 55 | + - name: Push Changes |
| 56 | + run: git push |
0 commit comments