Bump types-markdown from 3.10.2.20260508 to 3.10.2.20260518 #27
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Automatic isort migration for Dependabot PRs | |
| # | |
| # When Dependabot upgrades isort, this workflow installs the new version and | |
| # runs `isort .` so the PR already contains any import-ordering changes | |
| # introduced by the upgrade, while leaving the PR open for review. | |
| # | |
| # isort follows SemVer but its release policy | |
| # (https://github.com/PyCQA/isort/blob/main/docs/major_releases/release_policy.md) | |
| # explicitly allows intentional formatting changes in minor releases, and | |
| # patch releases may also adjust output in smaller bug-fix ways. Because of | |
| # that, isort is excluded from the regular `patch` and `minor` Dependabot | |
| # groups: every isort bump produces an individual `Bump isort from …` PR and | |
| # is routed through this migration workflow. | |
| # | |
| # The companion auto-dependabot workflow skips those PRs so they're handled | |
| # exclusively by this migration workflow. | |
| # | |
| # XXX: !!! SECURITY WARNING !!! | |
| # pull_request_target has write access to the repo, and can read secrets. | |
| # This is required because Dependabot PRs are treated as fork PRs: the | |
| # GITHUB_TOKEN is read-only and secrets are unavailable with a plain | |
| # pull_request trigger. The action mitigates the risk by: | |
| # - Never executing code from the PR (the migration script is embedded | |
| # in this workflow file on the base branch, not taken from the PR). | |
| # - Gating migration steps on github.actor == 'dependabot[bot]'. | |
| # - Running checkout with persist-credentials: false and isolating | |
| # push credentials from the migration script environment. | |
| # For more details read: | |
| # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
| name: isort Migration | |
| on: | |
| merge_group: # To allow using this as a required check for merging | |
| pull_request_target: | |
| types: [opened, synchronize, reopened, labeled, unlabeled] | |
| permissions: | |
| # Commit reformatted files back to the PR branch. | |
| contents: write | |
| # Create and normalize migration state labels. | |
| issues: write | |
| # Read/update pull request metadata and comments. | |
| pull-requests: write | |
| jobs: | |
| isort-migration: | |
| name: Migrate isort | |
| # Skip if it was triggered by the merge queue. We only need the workflow to | |
| # be executed to meet the "Required check" condition for merging, but we | |
| # don't need to actually run the job, having the job present as Skipped is | |
| # enough. | |
| if: | | |
| github.event_name == 'pull_request_target' && | |
| github.actor == 'dependabot[bot]' && | |
| contains(github.event.pull_request.title, 'Bump isort from ') | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Generate token | |
| id: create-app-token | |
| uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 | |
| with: | |
| app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }} | |
| private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }} | |
| # Push reformatted files to the PR branch. | |
| permission-contents: write | |
| # Create and normalize migration state labels. | |
| permission-issues: write | |
| # Read/update pull request metadata and labels. | |
| permission-pull-requests: write | |
| - name: Migrate | |
| uses: frequenz-floss/gh-action-dependabot-migrate@27763fb5eb56476d91abe00132e8a0614171f92f # v1.2.0 | |
| with: | |
| migration-script: | | |
| import os | |
| import subprocess | |
| import sys | |
| version = os.environ["MIGRATION_VERSION"].lstrip("v") | |
| subprocess.run( | |
| [sys.executable, "-Im", "pip", "install", f"isort=={version}"], | |
| check=True, | |
| ) | |
| subprocess.run([sys.executable, "-Im", "isort", "."], check=True) | |
| token: ${{ steps.create-app-token.outputs.token }} | |
| auto-merge-on-changes: "false" | |
| version-iteration: "false" | |
| sign-commits: "true" | |
| auto-merged-label: "tool:auto-merged" | |
| migrated-label: "tool:isort:migration:executed" | |
| intervention-pending-label: "tool:isort:migration:intervention-pending" | |
| intervention-done-label: "tool:isort:migration:intervention-done" |