Skip to content

Commit efaf634

Browse files
authored
Apply repo-config migration for v0.17.0 (#1398)
``` Updating generated CI workflows... Updated .github/workflows/ci-pr.yaml: updated CI pull-request workflow Updated .github/workflows/ci.yaml: updated main CI workflow ======================================================================== Fixing missed CI platform matrix migrations... Skipped .github/workflows/ci.yaml: platform matrix migration already fixed ======================================================================== Updating generated Dependabot workflows... Updated .github/workflows/auto-dependabot.yaml: updated Dependabot auto-merge workflow Updated .github/workflows/repo-config-migration.yaml: updated repo-config migration workflow ======================================================================== Creating black migration workflow... Created .github/workflows/black-migration.yaml: black formatting migration workflow ======================================================================== Updating auxiliary GitHub workflows... Updated .github/workflows/dco-merge-queue.yml: updated DCO merge queue workflow Updated .github/workflows/labeler.yml: updated labeler workflow Updated .github/workflows/release-notes-check.yml: updated release notes check workflow ```
2 parents 66903e5 + 45147c7 commit efaf634

8 files changed

Lines changed: 181 additions & 40 deletions

File tree

.github/workflows/auto-dependabot.yaml

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,15 +12,18 @@ on:
1212
pull_request_target:
1313

1414
permissions:
15+
# Read repository contents and Dependabot metadata used by the nested action.
1516
contents: read
17+
# The nested action also uses `github.token` internally for PR operations.
1618
pull-requests: write
1719

1820
jobs:
1921
auto-merge:
2022
name: Auto-merge Dependabot PR
2123
if: >
2224
github.actor == 'dependabot[bot]' &&
23-
!contains(github.event.pull_request.title, 'the repo-config group')
25+
!contains(github.event.pull_request.title, 'the repo-config group') &&
26+
!contains(github.event.pull_request.title, 'Bump black from ')
2427
runs-on: ubuntu-slim
2528
steps:
2629
- name: Generate GitHub App token
@@ -29,6 +32,12 @@ jobs:
2932
with:
3033
app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }}
3134
private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }}
35+
# Merge Dependabot PRs.
36+
permission-contents: write
37+
# Create the auto-merged label if it does not exist.
38+
permission-issues: write
39+
# Approve PRs, add labels, and enable auto-merge.
40+
permission-pull-requests: write
3241

3342
- name: Auto-merge Dependabot PR
3443
uses: frequenz-floss/dependabot-auto-approve@e943399cc9d76fbb6d7faae446cd57301d110165 # v1.5.0
Lines changed: 88 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,88 @@
1+
# Automatic black formatting migration for Dependabot PRs
2+
#
3+
# When Dependabot upgrades black, this workflow installs the new version
4+
# and runs `black .` so the PR already contains any formatting changes
5+
# introduced by the upgrade, while leaving the PR open for review.
6+
#
7+
# Black uses calendar versioning. Only the first release of a new calendar
8+
# year may introduce formatting changes (major bump in Dependabot's terms).
9+
# Minor and patch updates within a year keep formatting stable, so they stay
10+
# in the regular Dependabot groups and are auto-merged normally.
11+
#
12+
# The companion auto-dependabot workflow skips major black PRs so they're
13+
# handled exclusively by this migration workflow.
14+
#
15+
# XXX: !!! SECURITY WARNING !!!
16+
# pull_request_target has write access to the repo, and can read secrets.
17+
# This is required because Dependabot PRs are treated as fork PRs: the
18+
# GITHUB_TOKEN is read-only and secrets are unavailable with a plain
19+
# pull_request trigger. The action mitigates the risk by:
20+
# - Never executing code from the PR (the migration script is embedded
21+
# in this workflow file on the base branch, not taken from the PR).
22+
# - Gating migration steps on github.actor == 'dependabot[bot]'.
23+
# - Running checkout with persist-credentials: false and isolating
24+
# push credentials from the migration script environment.
25+
# For more details read:
26+
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
27+
28+
name: Black Migration
29+
30+
on:
31+
merge_group: # To allow using this as a required check for merging
32+
pull_request_target:
33+
types: [opened, synchronize, reopened, labeled, unlabeled]
34+
35+
permissions:
36+
# Commit reformatted files back to the PR branch.
37+
contents: write
38+
# Create and normalize migration state labels.
39+
issues: write
40+
# Read/update pull request metadata and comments.
41+
pull-requests: write
42+
43+
jobs:
44+
black-migration:
45+
name: Migrate Black
46+
# Skip if it was triggered by the merge queue. We only need the workflow to
47+
# be executed to meet the "Required check" condition for merging, but we
48+
# don't need to actually run the job, having the job present as Skipped is
49+
# enough.
50+
if: |
51+
github.event_name == 'pull_request_target' &&
52+
github.actor == 'dependabot[bot]' &&
53+
contains(github.event.pull_request.title, 'Bump black from ')
54+
runs-on: ubuntu-24.04
55+
steps:
56+
- name: Generate token
57+
id: create-app-token
58+
uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
59+
with:
60+
app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }}
61+
private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }}
62+
# Push reformatted files to the PR branch.
63+
permission-contents: write
64+
# Create and normalize migration state labels.
65+
permission-issues: write
66+
# Read/update pull request metadata and labels.
67+
permission-pull-requests: write
68+
- name: Migrate
69+
uses: frequenz-floss/gh-action-dependabot-migrate@b389f72f9282346920150a67495efbae450ac07b # v1.1.0
70+
with:
71+
migration-script: |
72+
import os
73+
import subprocess
74+
import sys
75+
76+
version = os.environ["MIGRATION_VERSION"].lstrip("v")
77+
subprocess.run(
78+
[sys.executable, "-Im", "pip", "install", f"black=={version}"],
79+
check=True,
80+
)
81+
subprocess.run([sys.executable, "-Im", "black", "."], check=True)
82+
token: ${{ steps.create-app-token.outputs.token }}
83+
auto-merge-on-changes: "false"
84+
sign-commits: "true"
85+
auto-merged-label: "tool:auto-merged"
86+
migrated-label: "tool:black:migration:executed"
87+
intervention-pending-label: "tool:black:migration:intervention-pending"
88+
intervention-done-label: "tool:black:migration:intervention-done"

.github/workflows/ci-pr.yaml

Lines changed: 14 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,10 @@ name: Test PR
33
on:
44
pull_request:
55

6+
permissions:
7+
# Read repository contents for checkout and dependency resolution only.
8+
contents: read
9+
610
env:
711
# Please make sure this version is included in the `matrix`, as the
812
# `matrix` section can't use `env`, so it must be entered manually
@@ -17,7 +21,7 @@ jobs:
1721

1822
steps:
1923
- name: Run nox
20-
uses: frequenz-floss/gh-action-nox@v1.1.1
24+
uses: frequenz-floss/gh-action-nox@e1351cf45e05e85afc1c79ab883e06322892d34c # v1.1.0
2125
with:
2226
python-version: "3.11"
2327
nox-session: ci_checks_max
@@ -27,15 +31,15 @@ jobs:
2731
runs-on: ubuntu-24.04
2832
steps:
2933
- name: Setup Git
30-
uses: frequenz-floss/gh-action-setup-git@v1.0.0
34+
uses: frequenz-floss/gh-action-setup-git@16952aac3ccc01d27412fe0dea3ea946530dcace # v1.0.0
3135

3236
- name: Fetch sources
33-
uses: actions/checkout@v6
37+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3438
with:
3539
submodules: true
3640

3741
- name: Setup Python
38-
uses: frequenz-floss/gh-action-setup-python-with-deps@v1.0.4
42+
uses: frequenz-floss/gh-action-setup-python-with-deps@0d0d77eac3b54799f31f25a1060ef2c6ebdf9299 # v1.0.2
3943
with:
4044
python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
4145
dependencies: .[dev-mkdocs]
@@ -44,11 +48,14 @@ jobs:
4448
env:
4549
MIKE_VERSION: gh-${{ github.job }}
4650
run: |
47-
mike deploy $MIKE_VERSION
48-
mike set-default $MIKE_VERSION
51+
# mike is installed as a console script, not a runnable module.
52+
# Run the installed script under isolated mode to avoid importing from
53+
# the workspace when building docs from checked-out code.
54+
python -I "$(command -v mike)" deploy "$MIKE_VERSION"
55+
python -I "$(command -v mike)" set-default "$MIKE_VERSION"
4956
5057
- name: Upload site
51-
uses: actions/upload-artifact@v7
58+
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
5259
with:
5360
name: docs-site
5461
path: site/

0 commit comments

Comments
 (0)