feat: add process-dependabot-reusable workflow (Bash-based alternative)
#419
This PR introduces a **reusable GitHub Actions workflow**, `process-dependabot-reusable`, designed to streamline the handling of Dependabot pull requests across repositories — implemented entirely with **shell scripts**. This serves as a Bash-based alternative to #418, which uses TypeScript.

### 🔄 Key Differences from #418

* **Trigger**: Runs on `pull_request_target` (not `push`), which is required by the `dependabot/fetch-metadata` action.
* **Implementation**: Written using **standard POSIX tools** with a few dependencies:
  * **`bash`** – some Bash-specific constructs are used
  * **`jq`** – for processing JSON output from `dependabot/fetch-metadata`
  * **`xmlstarlet`** – for parsing `pom.xml` and generating a changelog XML file
  * **`git`** – to commit and push any changes
  * **`gh`** – to enable "auto-merge" on the pull request

This approach avoids the Node.js/TypeScript toolchain and relies only on standard CLI tools commonly available in CI environments.
The `apt` command is not recommended for scripting.
After running some tests, I identified the following limitations with this workflow stemming from the use of
This change splits the Dependabot automation into two reusable workflows:

* **Unprivileged workflow** (`analyze-dependabot-reusable`): Runs on `pull_request` with no permissions. It analyzes Dependabot PRs and generates metadata safely.
* **Privileged workflow** (`process-dependabot-reusable`): Uses the metadata from the unprivileged step to generate changelog files and enable the "auto-merge" option. Requires access to our GPG key and Personal Access Token.
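As an added example (not code from this PR or the project), the checks the privileged workflow should apply to the metadata files it receives from the unprivileged job, written in Python as a stand-in for the workflow's `jq`/`xmlstarlet` shell script. The revision regex is the one quoted in the review below; the JSON field names and the changelog element layout are assumptions.

```python
import json
import re
import xml.etree.ElementTree as ET

# Regex used by the workflow to validate the pom.xml revision (quoted in the review below).
REVISION_RE = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+(-SNAPSHOT)?$")
# Allow-lists for values that come from the unprivileged job; anything with shell or
# markup metacharacters is dropped instead of being quoted later.
DEP_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:/-]{0,255}$")
VERSION_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.+_-]{0,63}$")

# Constructed sample of updated_dependencies.json; the field names follow the
# dependabot/fetch-metadata "updated-dependencies-json" output (assumed, not from the PR).
SAMPLE_METADATA = json.dumps([
    {"dependencyName": "org.apache.logging.log4j:log4j-api",
     "prevVersion": "2.24.3", "newVersion": "2.25.0", "updateType": "version-update:semver-minor"},
    {"dependencyName": "evil<dep>", "prevVersion": "1.0",
     "newVersion": "1.1; rm -rf /", "updateType": "version-update:semver-minor"},
])

def validate_revision(revision):
    return REVISION_RE.match(revision) is not None  # X.Y.Z or X.Y.Z-SNAPSHOT only

def load_updates(raw_json):
    """Parse the metadata file written by the unprivileged job, keeping only well-formed entries."""
    try:
        items = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"metadata is not valid JSON: {exc}") from exc
    if not isinstance(items, list):
        raise ValueError("metadata must be a JSON array")
    accepted = []
    for item in items:
        if not isinstance(item, dict):
            continue
        name, prev, new = (str(item.get(k, "")) for k in ("dependencyName", "prevVersion", "newVersion"))
        if DEP_NAME_RE.match(name) and VERSION_RE.match(prev) and VERSION_RE.match(new):
            accepted.append((name, prev, new))
    return accepted

def changelog_entry(pr_number, pr_url, repo, updates):
    """Build the changelog XML with an XML writer, so values are escaped rather than interpolated."""
    if pr_url.rstrip("/") != f"https://github.com/{repo}/pull/{pr_number}":
        raise ValueError("PR URL does not belong to this repository/PR")
    # Element and attribute names are assumed for illustration, not the project's changelog schema.
    entry = ET.Element("entry", type="updated")
    ET.SubElement(entry, "issue", id=str(pr_number), link=pr_url)
    desc = ET.SubElement(entry, "description", format="asciidoc")
    desc.text = ", ".join(f"Update `{n}` from `{p}` to `{v}`" for n, p, v in updates)
    return ET.tostring(entry, encoding="unicode")
```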
Pull Request Overview
This PR adds a new Bash-based reusable GitHub Actions workflow for processing Dependabot pull requests and a complementary workflow for analyzing them.
- Introduces the process-dependabot-reusable workflow that generates changelog entries and enables auto-merge.
- Splits the workflow into two parts (analyze and process) and updates related documentation and examples.
- Adds an XML changelog entry and updates workflow examples to reflect the new structure.
Reviewed Changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/site/antora/modules/ROOT/pages/workflows.adoc | Updates documentation to include examples and explanations for the new workflows. |
| src/site/antora/modules/ROOT/examples/process-dependabot.yaml | Provides an example usage of the new process workflow. |
| src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml | Provides an example usage of the new analyze workflow. |
| src/changelog/.12.x.x/add-deploy-profile.xml | Adds a changelog entry documenting the addition of the new workflow. |
| .github/workflows/process-dependabot-reusable.yaml | Implements the workflow that generates changelog entries and enables auto-merge for Dependabot PRs. |
| .github/workflows/analyze-dependabot-reusable.yaml | Implements the workflow to analyze Dependabot PRs and prepare metadata for processing. |
Comments suppressed due to low confidence (2)

.github/workflows/process-dependabot-reusable.yaml:168

- Consider using the PR_URL extracted earlier from the fetched metadata (set in GITHUB_ENV) instead of relying on github.event.pull_request.html_url to ensure consistency across the workflow.

```yaml
PR_URL: ${{ github.event.pull_request.html_url }}
```

.github/workflows/process-dependabot-reusable.yaml:104

- [nitpick] The indentation of the 'exit 1' statement (line 106) is inconsistent with the block structure; aligning it with the preceding echo statement will improve readability.

```bash
if [[ ! $revision =~ ^[0-9]+\.[0-9]+\.[0-9]+(-SNAPSHOT)?$ ]]; then
```
| echo "$PULL_REQUEST" > dependabot-metadata/pull_request.json | ||
| echo "$UPDATED_DEPENDENCIES" > dependabot-metadata/updated_dependencies.json |
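Review bot: these two redirects write the PR and updated-dependencies JSON into `dependabot-metadata/` from the unprivileged `pull_request` job, so the privileged `process-dependabot-reusable` job that reads them must treat the files as untrusted input: parse them with `jq` and validate the fields it uses (dependency names, versions, PR URL) before they reach `git`, `gh` or the changelog XML. Make sure the directory exists before the first redirect if it is not created earlier in the step, and add a comment on the step explaining why the metadata is produced here rather than in the privileged workflow, so the privilege boundary is clear to the next maintainer.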
This is the meat of this entire reusable workflow, 2 LoC; the rest is just ceremony. I think we should consider integrating this into process-d-r and removing analyze-d-r.
IIRC, you introduced this split because analyze-d-r needs fewer privileges compared to process-d-r. But the former is useless without the latter; hence, the split just inflates 2 LoC to 55 LoC, not to mention the inflation at call sites invoking these reusables.
| - name: Create changelog entries | ||
| shell: bash | ||
| run: | |
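Review bot: the `run: |` script of the `Create changelog entries` step runs in the privileged workflow and drives `jq`, `xmlstarlet` and `git`, so it should start with `set -euo pipefail` so that a failed `jq` or `xmlstarlet` call aborts the step instead of committing a partial changelog entry; the request above to separate the script into semantically delimited blocks applies as well.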
I'd really appreciate it if you can ventilate this big chunk of code with some empty lines delimiting the blocks by their semantics.
| # tag::process-dependabot[] | ||
| process-dependabot: | ||
| # Skip this workflow on commits not pushed by Dependabot | ||
| if: ${{ github.event.workflow_run.conclusion == 'success' && github.actor == 'dependabot[bot]' }} |
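Review bot: the `if:` guard only checks the run conclusion and `github.actor`; because this job is triggered by `workflow_run` and has access to the GPG key and Personal Access Token, it should also verify that the triggering run came from this repository (for example by comparing `github.event.workflow_run.head_repository.full_name` with `github.repository`), which is the repository-name validation the reviewer asks to keep. Update the `# Skip this workflow on commits not pushed by Dependabot` comment to describe the full condition.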
Again, I'd keep the repository name validation.
This PR allows the usage of the `ppkarwasz/fetch-metadata` GitHub Action as an alternative to `dependabot/fetch-metadata` in ASF repositories.

The `ppkarwasz/fetch-metadata` action is a personal improvement of the original `dependabot/fetch-metadata`, adding support for grouped Dependabot pull requests, a feature that is currently missing from the upstream action. The implementation has already been reviewed and approved by the Dependabot team (see dependabot/fetch-metadata#632), but the upstream project has been inactive for several months, likely due to reduced maintenance capacity at GitHub. This has prevented the improvement from being merged and released.

### Why this change is needed

In Apache Logging Services, every pull request must include a changelog entry. Previously, under CTR, we used a workflow that automatically added the changelog entry and merged the PR. Since switching to RTC, this automation can no longer complete the merge step, resulting in repositories accumulating unmerged Dependabot PRs that must be:

* manually reviewed,
* updated with an empty commit to re-trigger required status checks,
* and merged by hand.

We already have an improved workflow in place (see apache/logging-parent#419) that provides:

* **Security enhancements** through separation of privileged and unprivileged workflows (`ppkarwasz/fetch-metadata` is used only in the unprivileged workflow),
* **Automatic merge using `auto-merge` instead of manual merging**, and
* **Support for grouped Dependabot PRs** (reducing noise to ~1 PR per repository per month).

The final item, grouped PR support, requires the `ppkarwasz/fetch-metadata` action.
Co-authored-by: Volkan Yazıcı <[email protected]>
### Updated version

The updated version of this PR splits the workflow into two parts:

* **Unprivileged workflow** (`analyze-dependabot-reusable`): Runs on `pull_request` with no permissions. It analyzes Dependabot PRs and generates metadata safely.
* **Privileged workflow** (`process-dependabot-reusable`): Uses the metadata from the unprivileged step to generate changelog files and enable the "auto-merge" option. Requires access to our GPG key and Personal Access Token.