From 1f5a02c3f0e67d38bc324c8a4007fe32049c2c09 Mon Sep 17 00:00:00 2001 From: Kamil Bukum Date: Fri, 6 Mar 2026 16:25:36 -0600 Subject: [PATCH 1/7] Allow selecting dependabot-core branch when regenerating smoke tests Add an optional 'core-branch' input to the Regenerate Test workflow that lets developers specify a dependabot-core branch name. The workflow resolves the branch to a commit SHA, maps the test name to the correct ecosystem image suffix, and passes --updater-image to the CLI. This enables developers to regenerate smoke tests against their dependabot-core PR before it merges to main. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/regenerate-test.yml | 86 +++++++++++++++++++++++++-- 1 file changed, 82 insertions(+), 4 deletions(-) diff --git a/.github/workflows/regenerate-test.yml b/.github/workflows/regenerate-test.yml index 684d3f5c..40a63239 100644 --- a/.github/workflows/regenerate-test.yml +++ b/.github/workflows/regenerate-test.yml @@ -1,4 +1,6 @@ -# Regenerates a single test file and creates a PR for review +# Regenerates a single test file and creates a PR for review. +# Optionally accepts a dependabot-core branch name to use a custom updater image +# built from that branch, enabling smoke test updates before merging core PRs. name: Regenerate Test on: # yamllint disable-line rule:truthy @@ -8,6 +10,10 @@ on: # yamllint disable-line rule:truthy description: 'Test name to regenerate (e.g. npm, bundler, go, etc.)' required: true type: string + core-branch: + description: 'dependabot-core branch to use (leave empty for latest release)' + required: false + type: string permissions: contents: write 
@@ -42,12 +48,78 @@ jobs: echo "$GITHUB_WORKSPACE" >> $GITHUB_PATH ./dependabot --version + - name: Resolve updater image + id: resolve_image + if: inputs.core-branch != '' + run: | + # Map test names to ecosystem image suffixes + declare -A ECOSYSTEM_MAP=( + ["actions"]="github-actions" + ["bundler"]="bundler" + ["cargo"]="cargo" + ["composer"]="composer" + ["devcontainers"]="devcontainers" + ["docker"]="docker" + ["dotnet-sdk"]="dotnet-sdk" + ["elm"]="elm" + ["go"]="gomod" + ["gradle"]="gradle" + ["hex"]="mix" + ["maven"]="maven" + ["npm"]="npm" + ["nuget"]="nuget" + ["pub"]="pub" + ["python"]="pip" + ["rust-toolchain"]="rust-toolchain" + ["submodules"]="gitsubmodule" + ["swift"]="swift" + ["terraform"]="terraform" + ["vcpkg"]="vcpkg" + ) + + # Extract base test name (e.g. npm-group-rules -> npm, dotnet-sdk-security -> dotnet-sdk) + TEST="${{ inputs.test }}" + ECOSYSTEM="" + for key in "${!ECOSYSTEM_MAP[@]}"; do + if [[ "$TEST" == "$key" || "$TEST" == "$key"-* ]]; then + # Pick the longest matching key + if [ ${#key} -gt ${#ECOSYSTEM} ]; then + ECOSYSTEM="${ECOSYSTEM_MAP[$key]}" + MATCH="$key" + fi + fi + done + + if [ -z "$ECOSYSTEM" ]; then + echo "Error: Could not determine ecosystem for test '$TEST'" + echo "Supported base test names: ${!ECOSYSTEM_MAP[*]}" + exit 1 + fi + echo "Matched test '$TEST' to ecosystem '$ECOSYSTEM' (via key '$MATCH')" + + # Get the latest commit SHA from the dependabot-core branch + BRANCH="${{ inputs.core-branch }}" + SHA=$(gh api repos/dependabot/dependabot-core/commits/"$BRANCH" --jq .sha) + if [ -z "$SHA" ]; then + echo "Error: Could not resolve branch '$BRANCH' in dependabot/dependabot-core" + exit 1 + fi + echo "Resolved branch '$BRANCH' to SHA: $SHA" + + IMAGE="ghcr.io/dependabot/dependabot-updater-${ECOSYSTEM}:${SHA}" + echo "image=$IMAGE" >> "$GITHUB_OUTPUT" + echo "Using updater image: $IMAGE" + - name: Regenerate test env: LOCAL_GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | TEST_FILE="tests/smoke-${{ inputs.test 
}}.yaml" - script/regen.sh "$TEST_FILE" || true + EXTRA_ARGS="" + if [ -n "${{ steps.resolve_image.outputs.image }}" ]; then + EXTRA_ARGS="--updater-image=${{ steps.resolve_image.outputs.image }}" + fi + dependabot test -f "$TEST_FILE" -o "$TEST_FILE" $EXTRA_ARGS || true - name: Check for changes id: check_changes @@ -77,12 +149,18 @@ jobs: git commit -m "Regenerate ${{ inputs.test }} test" git push origin "$BRANCH_NAME" + CORE_BRANCH_NOTE="" + if [ -n "${{ inputs.core-branch }}" ]; then + CORE_BRANCH_NOTE=$'\n**dependabot-core branch:** `${{ inputs.core-branch }}`' + CORE_BRANCH_NOTE+=$'\n**Updater image:** `${{ steps.resolve_image.outputs.image }}`\n' + fi + PR_BODY=$(cat < Date: Fri, 6 Mar 2026 17:42:19 -0600 Subject: [PATCH 2/7] Support fork branches in core-branch input Accept fork branches in 'owner:branch' format (e.g. edgarrmondragon:uv-0.10.9) by resolving the SHA from the fork repo instead of dependabot/dependabot-core. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/regenerate-test.yml | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/.github/workflows/regenerate-test.yml b/.github/workflows/regenerate-test.yml index 40a63239..dc52b255 100644 --- a/.github/workflows/regenerate-test.yml +++ b/.github/workflows/regenerate-test.yml @@ -1,6 +1,7 @@ # Regenerates a single test file and creates a PR for review. # Optionally accepts a dependabot-core branch name to use a custom updater image # built from that branch, enabling smoke test updates before merging core PRs. +# For fork branches, use the format "owner:branch" (e.g. edgarrmondragon:uv-0.10.9). name: Regenerate Test on: # yamllint disable-line rule:truthy 
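Review bot: `TEST="${{ inputs.test }}"` and `BRANCH="${{ inputs.core-branch }}"` in the `Resolve updater image` step paste the dispatch inputs into the script text before bash parses it, so a value containing quotes or a command substitution is executed as shell in a job that holds `contents: write` and `pull-requests: write`. Pass them through the step's `env:` instead, e.g. `TEST: ${{ inputs.test }}` and `BRANCH: ${{ inputs.core-branch }}`, and drop the two assignments so the script only reads `"$TEST"` and `"$BRANCH"`. The same applies to `${{ steps.resolve_image.outputs.image }}` in `Regenerate test`, to the `CORE_BRANCH_NOTE=$'…'` lines in the PR-body hunk of this patch, and to the `Download cache` (patch 3) and `Checkout core branch or PR` (patch 6) steps later in the series. The `run:` block of `Regenerate test` continues outside this hunk.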
@@ -11,7 +12,7 @@ on: # yamllint disable-line rule:truthy required: true type: string core-branch: - description: 'dependabot-core branch to use (leave empty for latest release)' + description: 'dependabot-core branch (e.g. my-branch or user:branch for forks)' required: false type: string @@ -97,14 +98,23 @@ jobs: fi echo "Matched test '$TEST' to ecosystem '$ECOSYSTEM' (via key '$MATCH')" - # Get the latest commit SHA from the dependabot-core branch + # Resolve branch to commit SHA + # Supports fork branches in "owner:branch" format (e.g. edgarrmondragon:uv-0.10.9) BRANCH="${{ inputs.core-branch }}" - SHA=$(gh api repos/dependabot/dependabot-core/commits/"$BRANCH" --jq .sha) + if [[ "$BRANCH" == *:* ]]; then + FORK_OWNER="${BRANCH%%:*}" + FORK_BRANCH="${BRANCH#*:}" + echo "Resolving fork branch '$FORK_BRANCH' from '$FORK_OWNER/dependabot-core'" + SHA=$(gh api "repos/$FORK_OWNER/dependabot-core/commits/$FORK_BRANCH" --jq .sha) + else + echo "Resolving branch '$BRANCH' from 'dependabot/dependabot-core'" + SHA=$(gh api "repos/dependabot/dependabot-core/commits/$BRANCH" --jq .sha) + fi if [ -z "$SHA" ]; then - echo "Error: Could not resolve branch '$BRANCH' in dependabot/dependabot-core" + echo "Error: Could not resolve branch '$BRANCH'" exit 1 fi - echo "Resolved branch '$BRANCH' to SHA: $SHA" + echo "Resolved to SHA: $SHA" IMAGE="ghcr.io/dependabot/dependabot-updater-${ECOSYSTEM}:${SHA}" echo "image=$IMAGE" >> "$GITHUB_OUTPUT" From 50c52f97b43f19f434c7672e6a41045ef1686b3e Mon Sep 17 00:00:00 2001 From: Kamil Bukum Date: Fri, 6 Mar 2026 17:46:53 -0600 Subject: [PATCH 3/7] Download proxy cache and pass --cache to CLI Without the cache, the updater cannot reach package registries and produces empty output, wiping the test's output section. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/regenerate-test.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
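Review bot: `FORK_OWNER` and `FORK_BRANCH` are cut out of the `core-branch` input and placed straight into the REST path `repos/$FORK_OWNER/dependabot-core/commits/$FORK_BRANCH`, so characters such as `/`, `?` or `..` in the input change which endpoint `gh api` calls. Check the owner before the call, `[[ "$FORK_OWNER" =~ ^[A-Za-z0-9-]+$ ]] || { echo "Error: invalid fork owner"; exit 1; }`, and check the result before it becomes an image tag, `[[ "$SHA" =~ ^[0-9a-f]{40}$ ]]`. The image is still pulled from `ghcr.io/dependabot/…`, so a fork SHA presumably resolves only if the upstream image workflow built that commit; a comment saying so next to `IMAGE=` would help. The step's script starts and ends outside this hunk.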
diff --git a/.github/workflows/regenerate-test.yml b/.github/workflows/regenerate-test.yml index dc52b255..c94e18d5 100644 --- a/.github/workflows/regenerate-test.yml +++ b/.github/workflows/regenerate-test.yml @@ -41,6 +41,10 @@ jobs: fi echo "Test file $TEST_FILE exists" + - name: Download cache + run: | + script/download-cache.sh "${{ inputs.test }}" || echo "No cache found, proceeding without cache" + - name: Download CLI run: | gh release download --repo dependabot/cli -p "*linux-amd64.tar.gz" @@ -129,7 +133,7 @@ jobs: if [ -n "${{ steps.resolve_image.outputs.image }}" ]; then EXTRA_ARGS="--updater-image=${{ steps.resolve_image.outputs.image }}" fi - dependabot test -f "$TEST_FILE" -o "$TEST_FILE" $EXTRA_ARGS || true + dependabot test -f "$TEST_FILE" -o "$TEST_FILE" --cache cache $EXTRA_ARGS || true - name: Check for changes id: check_changes From 6090be3d489c1ade3f858a53ac4e8457dc8ca60d Mon Sep 17 00:00:00 2001 From: Kamil Bukum Date: Mon, 9 Mar 2026 08:50:24 -0500 Subject: [PATCH 4/7] Support both core-branch and core-pr-number inputs - core-branch: for internal dependabot-core branches (resolves branch head SHA) - core-pr-number: for contributor/fork PRs (resolves PR head SHA via the pulls API, matching how images-branch.yml tags images) Also adds proxy cache download and --cache flag to produce correct output during regeneration. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/regenerate-test.yml | 56 ++++++++++++++++----------- 1 file changed, 33 insertions(+), 23 deletions(-) diff --git a/.github/workflows/regenerate-test.yml b/.github/workflows/regenerate-test.yml index c94e18d5..e54d62a0 100644 --- a/.github/workflows/regenerate-test.yml +++ b/.github/workflows/regenerate-test.yml 
@@ -1,7 +1,7 @@ # Regenerates a single test file and creates a PR for review. -# Optionally accepts a dependabot-core branch name to use a custom updater image -# built from that branch, enabling smoke test updates before merging core PRs. -# For fork branches, use the format "owner:branch" (e.g. edgarrmondragon:uv-0.10.9). +# Optionally specify a dependabot-core branch or PR number to use a custom updater +# image, enabling smoke test updates before merging core PRs. +# Use core-branch for internal branches, core-pr-number for contributor/fork PRs. name: Regenerate Test on: # yamllint disable-line rule:truthy @@ -12,9 +12,13 @@ on: # yamllint disable-line rule:truthy required: true type: string core-branch: - description: 'dependabot-core branch (e.g. my-branch or user:branch for forks)' + description: 'dependabot-core branch name (for internal branches)' required: false type: string + core-pr-number: + description: 'dependabot-core PR number (for contributor/fork PRs)' + required: false + type: number permissions: contents: write @@ -55,7 +59,7 @@ jobs: - name: Resolve updater image id: resolve_image - if: inputs.core-branch != '' + if: inputs.core-branch != '' || inputs.core-pr-number != '' run: | # Map test names to ecosystem image suffixes declare -A ECOSYSTEM_MAP=( @@ -87,7 +91,6 @@ jobs: ECOSYSTEM="" for key in "${!ECOSYSTEM_MAP[@]}"; do if [[ "$TEST" == "$key" || "$TEST" == "$key"-* ]]; then - # Pick the longest matching key if [ ${#key} -gt ${#ECOSYSTEM} ]; then ECOSYSTEM="${ECOSYSTEM_MAP[$key]}" MATCH="$key" 
@@ -102,21 +105,25 @@ jobs: fi echo "Matched test '$TEST' to ecosystem '$ECOSYSTEM' (via key '$MATCH')" - # Resolve branch to commit SHA - # Supports fork branches in "owner:branch" format (e.g. edgarrmondragon:uv-0.10.9) - BRANCH="${{ inputs.core-branch }}" - if [[ "$BRANCH" == *:* ]]; then - FORK_OWNER="${BRANCH%%:*}" - FORK_BRANCH="${BRANCH#*:}" - echo "Resolving fork branch '$FORK_BRANCH' from '$FORK_OWNER/dependabot-core'" - SHA=$(gh api "repos/$FORK_OWNER/dependabot-core/commits/$FORK_BRANCH" --jq .sha) - else + # Resolve the commit SHA from either branch name or PR number + if [ -n "${{ inputs.core-branch }}" ]; then + BRANCH="${{ inputs.core-branch }}" echo "Resolving branch '$BRANCH' from 'dependabot/dependabot-core'" SHA=$(gh api "repos/dependabot/dependabot-core/commits/$BRANCH" --jq .sha) - fi - if [ -z "$SHA" ]; then - echo "Error: Could not resolve branch '$BRANCH'" - exit 1 + if [ -z "$SHA" ]; then + echo "Error: Could not resolve branch '$BRANCH'" + exit 1 + fi + echo "source=branch:$BRANCH" >> "$GITHUB_OUTPUT" + elif [ -n "${{ inputs.core-pr-number }}" ]; then + PR_NUMBER="${{ inputs.core-pr-number }}" + echo "Resolving PR #$PR_NUMBER from 'dependabot/dependabot-core'" + SHA=$(gh api "repos/dependabot/dependabot-core/pulls/$PR_NUMBER" --jq .head.sha) + if [ -z "$SHA" ]; then + echo "Error: Could not resolve PR #$PR_NUMBER" + exit 1 + fi + echo "source=pr:#$PR_NUMBER" >> "$GITHUB_OUTPUT" fi echo "Resolved to SHA: $SHA" 
@@ -163,17 +170,20 @@ jobs: git commit -m "Regenerate ${{ inputs.test }} test" git push origin "$BRANCH_NAME" - CORE_BRANCH_NOTE="" + CORE_NOTE="" if [ -n "${{ inputs.core-branch }}" ]; then - CORE_BRANCH_NOTE=$'\n**dependabot-core branch:** `${{ inputs.core-branch }}`' - CORE_BRANCH_NOTE+=$'\n**Updater image:** `${{ steps.resolve_image.outputs.image }}`\n' + CORE_NOTE=$'\n**dependabot-core branch:** `${{ inputs.core-branch }}`' + CORE_NOTE+=$'\n**Updater image:** `${{ steps.resolve_image.outputs.image }}`\n' + elif [ -n "${{ inputs.core-pr-number }}" ]; then + CORE_NOTE=$'\n**dependabot-core PR:** https://github.com/dependabot/dependabot-core/pull/${{ inputs.core-pr-number }}' + CORE_NOTE+=$'\n**Updater image:** `${{ steps.resolve_image.outputs.image }}`\n' fi PR_BODY=$(cat < Date: Mon, 9 Mar 2026 11:20:49 -0500 Subject: [PATCH 5/7] Fix image resolution: use merge commit SHA from refs/pull/N/merge images-branch.yml tags images with github.sha which for pull_request events is the merge commit SHA, not the branch head SHA. This fixes the image resolution to use refs/pull/N/merge which matches the actual image tag. Also adds: - GHCR login for authenticated image pulls - Image existence validation before running the test - Output validation to prevent silently wiping test files - Write to temp file first, only copy if output section exists - 20m timeout matching the smoke workflow Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/regenerate-test.yml | 75 ++++++++++++++++++++------- 1 file changed, 57 insertions(+), 18 deletions(-) diff --git a/.github/workflows/regenerate-test.yml b/.github/workflows/regenerate-test.yml index e54d62a0..fb91d2df 100644 --- a/.github/workflows/regenerate-test.yml +++ b/.github/workflows/regenerate-test.yml @@ -22,6 +22,7 @@ on: # yamllint disable-line rule:truthy permissions: contents: write + packages: read pull-requests: write env: 
@@ -105,42 +106,80 @@ jobs: fi echo "Matched test '$TEST' to ecosystem '$ECOSYSTEM' (via key '$MATCH')" - # Resolve the commit SHA from either branch name or PR number - if [ -n "${{ inputs.core-branch }}" ]; then - BRANCH="${{ inputs.core-branch }}" - echo "Resolving branch '$BRANCH' from 'dependabot/dependabot-core'" - SHA=$(gh api "repos/dependabot/dependabot-core/commits/$BRANCH" --jq .sha) - if [ -z "$SHA" ]; then - echo "Error: Could not resolve branch '$BRANCH'" - exit 1 - fi - echo "source=branch:$BRANCH" >> "$GITHUB_OUTPUT" - elif [ -n "${{ inputs.core-pr-number }}" ]; then + # Resolve the PR number from either direct input or branch lookup + if [ -n "${{ inputs.core-pr-number }}" ]; then PR_NUMBER="${{ inputs.core-pr-number }}" - echo "Resolving PR #$PR_NUMBER from 'dependabot/dependabot-core'" - SHA=$(gh api "repos/dependabot/dependabot-core/pulls/$PR_NUMBER" --jq .head.sha) - if [ -z "$SHA" ]; then - echo "Error: Could not resolve PR #$PR_NUMBER" + echo "Using PR #$PR_NUMBER directly" + echo "source=pr:#$PR_NUMBER" >> "$GITHUB_OUTPUT" + elif [ -n "${{ inputs.core-branch }}" ]; then + BRANCH="${{ inputs.core-branch }}" + echo "Finding PR for branch '$BRANCH' in 'dependabot/dependabot-core'" + PR_NUMBER=$(gh pr list --repo dependabot/dependabot-core --head "$BRANCH" --state open --json number --jq '.[0].number') + if [ -z "$PR_NUMBER" ]; then + echo "Error: No open PR found for branch '$BRANCH'. Images are only built for branches with open PRs." 
exit 1 fi - echo "source=pr:#$PR_NUMBER" >> "$GITHUB_OUTPUT" + echo "Found PR #$PR_NUMBER for branch '$BRANCH'" + echo "source=branch:$BRANCH (PR #$PR_NUMBER)" >> "$GITHUB_OUTPUT" fi - echo "Resolved to SHA: $SHA" + + # Get the merge commit SHA — this is what images-branch.yml uses to tag images + # (github.sha for pull_request events = merge commit at refs/pull/N/merge) + echo "Resolving merge commit SHA for PR #$PR_NUMBER" + SHA=$(gh api "repos/dependabot/dependabot-core/git/ref/pull/$PR_NUMBER/merge" --jq .object.sha 2>/dev/null) + if [ -z "$SHA" ]; then + echo "Error: Could not resolve merge commit for PR #$PR_NUMBER. Is the PR mergeable?" + exit 1 + fi + echo "Resolved merge commit SHA: $SHA" IMAGE="ghcr.io/dependabot/dependabot-updater-${ECOSYSTEM}:${SHA}" echo "image=$IMAGE" >> "$GITHUB_OUTPUT" echo "Using updater image: $IMAGE" + - name: Login to GHCR + if: steps.resolve_image.outputs.image != '' + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Validate updater image exists + if: steps.resolve_image.outputs.image != '' + run: | + echo "Pulling image: ${{ steps.resolve_image.outputs.image }}" + if ! docker pull "${{ steps.resolve_image.outputs.image }}"; then + echo "Error: Image ${{ steps.resolve_image.outputs.image }} not found." 
+ echo "" + echo "This can happen if:" + echo " - The PR hasn't been approved yet (images-branch.yml requires approval)" + echo " - The images-branch.yml workflow hasn't finished building" + echo " - The branch was rebased and images-branch.yml needs to run again" + exit 1 + fi + echo "Image pulled successfully" + - name: Regenerate test env: LOCAL_GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | TEST_FILE="tests/smoke-${{ inputs.test }}.yaml" + RESULT_FILE="result-${{ inputs.test }}.yaml" EXTRA_ARGS="" if [ -n "${{ steps.resolve_image.outputs.image }}" ]; then EXTRA_ARGS="--updater-image=${{ steps.resolve_image.outputs.image }}" fi - dependabot test -f "$TEST_FILE" -o "$TEST_FILE" --cache cache $EXTRA_ARGS || true + dependabot test -f "$TEST_FILE" -o "$RESULT_FILE" --cache cache --timeout 20m $EXTRA_ARGS 2>&1 | tee -a regen.log + + # Validate the result has an output section (not wiped) + if ! grep -q "^output:" "$RESULT_FILE"; then + echo "Error: Regenerated file has no output section. The updater may have failed." + echo "Last 50 lines of log:" + tail -50 regen.log + exit 1 + fi + cp "$RESULT_FILE" "$TEST_FILE" - name: Check for changes id: check_changes From bbcfefb420948c4d06ef765bab48685b8bb03067 Mon Sep 17 00:00:00 2001 
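Review bot: `gh pr list --repo dependabot/dependabot-core --head "$BRANCH"` filters on the head branch name only (the `owner:branch` form is not supported there), so a fork PR that uses the same branch name can be the `.[0]` that is picked, although `core-branch` is documented as being for internal branches. Restrict the lookup to same-repository PRs, e.g. `--json number,isCrossRepository --jq '[.[] | select(.isCrossRepository | not)][0].number'`. Separately, `SHA=$(gh api … 2>/dev/null)` discards the API error, and under the runner's default `bash -e` (unless the workflow sets another shell) a failing `gh api` ends the step before the `-z "$SHA"` message prints, so the log shows no reason; drop the `2>/dev/null` or append `|| true` inside the substitution so the explicit error branch is reached. In `Regenerate test`, `dependabot test … | tee -a regen.log` reports `tee`'s exit status unless `set -o pipefail` is set, leaving the `grep -q "^output:"` check as the only failure signal.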
From: Kamil Bukum Date: Mon, 9 Mar 2026 15:50:26 -0500 Subject: [PATCH 6/7] Build updater image locally instead of pulling from GHCR MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Instead of resolving SHA tags and pulling pre-built images from GHCR (which requires PR approval via images-branch.yml), check out the dependabot-core branch/PR and build the updater image locally using script/build — the same approach used in dependabot-core's own smoke pipeline. This removes the approval requirement and SHA resolution complexity. Works with any branch or PR (including forks via core-pr-number). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/regenerate-test.yml | 144 +++++++++++++------------- 1 file changed, 71 insertions(+), 73 deletions(-) diff --git a/.github/workflows/regenerate-test.yml b/.github/workflows/regenerate-test.yml index fb91d2df..c4f2d05e 100644 --- a/.github/workflows/regenerate-test.yml +++ b/.github/workflows/regenerate-test.yml @@ -1,7 +1,6 @@ # Regenerates a single test file and creates a PR for review. -# Optionally specify a dependabot-core branch or PR number to use a custom updater -# image, enabling smoke test updates before merging core PRs. -# Use core-branch for internal branches, core-pr-number for contributor/fork PRs. +# Optionally specify a dependabot-core branch or PR number to build a custom updater +# image locally, enabling smoke test updates before merging core PRs. name: Regenerate Test on: # yamllint disable-line rule:truthy @@ -16,13 +15,12 @@ on: # yamllint disable-line rule:truthy required: false type: string core-pr-number: - description: 'dependabot-core PR number (for contributor/fork PRs)' + description: 'dependabot-core PR number (for any PR including forks)' required: false type: number permissions: contents: write - packages: read pull-requests: write env: 
@@ -58,11 +56,33 @@ jobs: echo "$GITHUB_WORKSPACE" >> $GITHUB_PATH ./dependabot --version - - name: Resolve updater image - id: resolve_image - if: inputs.core-branch != '' || inputs.core-pr-number != '' + - name: Resolve ecosystem names + id: ecosystem run: | - # Map test names to ecosystem image suffixes + # Map test names to core directory names (for script/build) and ecosystem image suffixes + declare -A CORE_MAP=( + ["actions"]="github_actions" + ["bundler"]="bundler" + ["cargo"]="cargo" + ["composer"]="composer" + ["devcontainers"]="devcontainers" + ["docker"]="docker" + ["dotnet-sdk"]="dotnet_sdk" + ["elm"]="elm" + ["go"]="go_modules" + ["gradle"]="gradle" + ["hex"]="hex" + ["maven"]="maven" + ["npm"]="npm_and_yarn" + ["nuget"]="nuget" + ["pub"]="pub" + ["python"]="python" + ["rust-toolchain"]="rust_toolchain" + ["submodules"]="git_submodules" + ["swift"]="swift" + ["terraform"]="terraform" + ["vcpkg"]="vcpkg" + ) declare -A ECOSYSTEM_MAP=( ["actions"]="github-actions" ["bundler"]="bundler" 
@@ -89,76 +109,56 @@ jobs: # Extract base test name (e.g. npm-group-rules -> npm, dotnet-sdk-security -> dotnet-sdk) TEST="${{ inputs.test }}" - ECOSYSTEM="" - for key in "${!ECOSYSTEM_MAP[@]}"; do + MATCHED_KEY="" + for key in "${!CORE_MAP[@]}"; do if [[ "$TEST" == "$key" || "$TEST" == "$key"-* ]]; then - if [ ${#key} -gt ${#ECOSYSTEM} ]; then - ECOSYSTEM="${ECOSYSTEM_MAP[$key]}" - MATCH="$key" + if [ ${#key} -gt ${#MATCHED_KEY} ]; then + MATCHED_KEY="$key" fi fi done - if [ -z "$ECOSYSTEM" ]; then + if [ -z "$MATCHED_KEY" ]; then echo "Error: Could not determine ecosystem for test '$TEST'" - echo "Supported base test names: ${!ECOSYSTEM_MAP[*]}" - exit 1 - fi - echo "Matched test '$TEST' to ecosystem '$ECOSYSTEM' (via key '$MATCH')" - - # Resolve the PR number from either direct input or branch lookup - if [ -n "${{ inputs.core-pr-number }}" ]; then - PR_NUMBER="${{ inputs.core-pr-number }}" - echo "Using PR #$PR_NUMBER directly" - echo "source=pr:#$PR_NUMBER" >> "$GITHUB_OUTPUT" - elif [ -n "${{ inputs.core-branch }}" ]; then - BRANCH="${{ inputs.core-branch }}" - echo "Finding PR for branch '$BRANCH' in 'dependabot/dependabot-core'" - PR_NUMBER=$(gh pr list --repo dependabot/dependabot-core --head "$BRANCH" --state open --json number --jq '.[0].number') - if [ -z "$PR_NUMBER" ]; then - echo "Error: No open PR found for branch '$BRANCH'. Images are only built for branches with open PRs." - exit 1 - fi - echo "Found PR #$PR_NUMBER for branch '$BRANCH'" - echo "source=branch:$BRANCH (PR #$PR_NUMBER)" >> "$GITHUB_OUTPUT" - fi - - # Get the merge commit SHA — this is what images-branch.yml uses to tag images - # (github.sha for pull_request events = merge commit at refs/pull/N/merge) - echo "Resolving merge commit SHA for PR #$PR_NUMBER" - SHA=$(gh api "repos/dependabot/dependabot-core/git/ref/pull/$PR_NUMBER/merge" --jq .object.sha 2>/dev/null) - if [ -z "$SHA" ]; then - echo "Error: Could not resolve merge commit for PR #$PR_NUMBER. Is the PR mergeable?" 
+ echo "Supported base test names: ${!CORE_MAP[*]}" exit 1 fi - echo "Resolved merge commit SHA: $SHA" - IMAGE="ghcr.io/dependabot/dependabot-updater-${ECOSYSTEM}:${SHA}" - echo "image=$IMAGE" >> "$GITHUB_OUTPUT" - echo "Using updater image: $IMAGE" + CORE="${CORE_MAP[$MATCHED_KEY]}" + ECOSYSTEM="${ECOSYSTEM_MAP[$MATCHED_KEY]}" + echo "Matched test '$TEST' -> core='$CORE', ecosystem='$ECOSYSTEM'" + echo "core=$CORE" >> "$GITHUB_OUTPUT" + echo "ecosystem=$ECOSYSTEM" >> "$GITHUB_OUTPUT" - - name: Login to GHCR - if: steps.resolve_image.outputs.image != '' - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 + - name: Checkout dependabot-core + if: inputs.core-branch != '' || inputs.core-pr-number != '' + uses: actions/checkout@v6 with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + repository: dependabot/dependabot-core + path: dependabot-core + submodules: recursive - - name: Validate updater image exists - if: steps.resolve_image.outputs.image != '' + - name: Checkout core branch or PR + if: inputs.core-branch != '' || inputs.core-pr-number != '' + working-directory: dependabot-core run: | - echo "Pulling image: ${{ steps.resolve_image.outputs.image }}" - if ! docker pull "${{ steps.resolve_image.outputs.image }}"; then - echo "Error: Image ${{ steps.resolve_image.outputs.image }} not found." 
- echo "" - echo "This can happen if:" - echo " - The PR hasn't been approved yet (images-branch.yml requires approval)" - echo " - The images-branch.yml workflow hasn't finished building" - echo " - The branch was rebased and images-branch.yml needs to run again" - exit 1 + if [ -n "${{ inputs.core-pr-number }}" ]; then + echo "Checking out PR #${{ inputs.core-pr-number }}" + gh pr checkout ${{ inputs.core-pr-number }} --repo dependabot/dependabot-core + elif [ -n "${{ inputs.core-branch }}" ]; then + echo "Checking out branch '${{ inputs.core-branch }}'" + git fetch origin "${{ inputs.core-branch }}" + git checkout "${{ inputs.core-branch }}" fi - echo "Image pulled successfully" + echo "Checked out commit: $(git rev-parse HEAD)" + + - name: Build updater image + if: inputs.core-branch != '' || inputs.core-pr-number != '' + working-directory: dependabot-core + run: | + echo "Building updater image for ${{ steps.ecosystem.outputs.core }}..." + script/build ${{ steps.ecosystem.outputs.core }} + echo "Image built: ghcr.io/dependabot/dependabot-updater-${{ steps.ecosystem.outputs.ecosystem }}:latest" - name: Regenerate test env: @@ -167,8 +167,8 @@ jobs: TEST_FILE="tests/smoke-${{ inputs.test }}.yaml" RESULT_FILE="result-${{ inputs.test }}.yaml" EXTRA_ARGS="" - if [ -n "${{ steps.resolve_image.outputs.image }}" ]; then - EXTRA_ARGS="--updater-image=${{ steps.resolve_image.outputs.image }}" + if [ -n "${{ inputs.core-branch }}" ] || [ -n "${{ inputs.core-pr-number }}" ]; then + EXTRA_ARGS="--updater-image=ghcr.io/dependabot/dependabot-updater-${{ steps.ecosystem.outputs.ecosystem }}:latest" fi dependabot test -f "$TEST_FILE" -o "$RESULT_FILE" --cache cache --timeout 20m $EXTRA_ARGS 2>&1 | tee -a regen.log 
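Review bot: The `Checkout core branch or PR` and `Build updater image` steps run `script/build` from a tree that `gh pr checkout` can point at a fork PR, inside a job that holds `contents: write` and `pull-requests: write`, so contributor code that nobody has reviewed yet executes on a runner where this repository's write token is within reach. `actions/checkout` keeps its token on the runner by default; add `persist-credentials: false` to the `Checkout dependabot-core` step, and make sure the build step does not inherit a token from the workflow-level `env:` block (not visible in this hunk). A stronger separation is to move checkout and build into their own job with `permissions: contents: read` and hand the image to this job through an artifact with `docker save` / `docker load`. `actions/checkout@v6` is referenced by tag here, whereas patch 5 pinned `docker/login-action` to a commit SHA; pin it the same way.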
@@ -186,9 +186,9 @@ jobs: run: | TEST_FILE="tests/smoke-${{ inputs.test }}.yaml" if git diff --quiet "$TEST_FILE"; then - echo "Error: No changes were made to $TEST_FILE" + echo "No changes were made to $TEST_FILE" echo "The test regeneration produced identical results" - exit 1 + exit 0 fi echo "Changes detected in $TEST_FILE" echo "has_changes=true" >> $GITHUB_OUTPUT @@ -211,11 +211,9 @@ jobs: CORE_NOTE="" if [ -n "${{ inputs.core-branch }}" ]; then - CORE_NOTE=$'\n**dependabot-core branch:** `${{ inputs.core-branch }}`' - CORE_NOTE+=$'\n**Updater image:** `${{ steps.resolve_image.outputs.image }}`\n' + CORE_NOTE=$'\n**dependabot-core branch:** `${{ inputs.core-branch }}`\n' elif [ -n "${{ inputs.core-pr-number }}" ]; then - CORE_NOTE=$'\n**dependabot-core PR:** https://github.com/dependabot/dependabot-core/pull/${{ inputs.core-pr-number }}' - CORE_NOTE+=$'\n**Updater image:** `${{ steps.resolve_image.outputs.image }}`\n' + CORE_NOTE=$'\n**dependabot-core PR:** https://github.com/dependabot/dependabot-core/pull/${{ inputs.core-pr-number }}\n' fi PR_BODY=$(cat < Date: Mon, 9 Mar 2026 21:13:02 +0000 Subject: [PATCH 7/7] Regenerate gradle test --- tests/smoke-gradle.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/smoke-gradle.yaml b/tests/smoke-gradle.yaml index 35c1db6d..8240b469 100644 --- a/tests/smoke-gradle.yaml +++ b/tests/smoke-gradle.yaml @@ -1,5 +1,6 @@ input: job: + command: update package-manager: gradle allowed-updates: - update-type: all