Bump github.com/antchfx/xmlquery from 1.4.2 to 1.4.3 #11
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: auto-merge dependabot updates | |
| on: | |
| pull_request_target: | |
| branches: [ main ] | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| - ready_for_review | |
| permissions: | |
| pull-requests: write | |
| contents: write | |
| jobs: | |
| dependabot-merge: | |
| runs-on: ubuntu-latest | |
| if: ${{ github.actor == 'dependabot[bot]' }} | |
| steps: | |
| - name: Dependabot metadata | |
| id: metadata | |
| uses: dependabot/[email protected] | |
| with: | |
| github-token: "${{ secrets.DEPENDABOT_PAT }}" # Using PAT for enhanced features, alert-lookup, and compat-lookup | |
| alert-lookup: true # Enable security alert information | |
| compat-lookup: true # Enable compatibility score checking | |
| - name: Check security and compatibility | |
| id: security_check | |
| run: | | |
| DEPS_JSON='${{ steps.metadata.outputs.updated-dependencies-json }}' | |
| # Perform checks | |
| if [ "${{ steps.metadata.outputs.alert-state }}" = "OPEN" ]; then | |
| echo "⚠️ Security alert detected (GHSA: ${{ steps.metadata.outputs.ghsa-id }})" | |
| echo "CVSS Score: ${{ steps.metadata.outputs.cvss }}" | |
| echo "is_security_update=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "is_security_update=false" >> $GITHUB_OUTPUT | |
| fi | |
| if [ "${{ steps.metadata.outputs.compatibility-score }}" -lt 75 ]; then | |
| echo "⚠️ Low compatibility score: ${{ steps.metadata.outputs.compatibility-score }}" | |
| echo "is_compatible=false" >> $GITHUB_OUTPUT | |
| else | |
| echo "is_compatible=true" >> $GITHUB_OUTPUT | |
| fi | |
| if [ "${{ steps.metadata.outputs.maintainer-changes }}" = "true" ]; then | |
| echo "⚠️ Maintainer changes detected" | |
| echo "has_maintainer_changes=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "has_maintainer_changes=false" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| if: ${{ steps.metadata.outputs.package-ecosystem == 'gomod' }} | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| if: ${{ steps.metadata.outputs.package-ecosystem == 'gomod' }} | |
| with: | |
| go-version: 'stable' | |
| - name: Process Go dependencies | |
| if: ${{ steps.metadata.outputs.package-ecosystem == 'gomod' }} | |
| run: | | |
| log_update_details() { | |
| local pr_number=$1 | |
| echo "::group::Dependency Update Details for PR #$pr_number" | |
| echo "🔄 Dependencies: ${{ steps.metadata.outputs.dependency-names }}" | |
| echo "📦 Type: ${{ steps.metadata.outputs.dependency-type }}" | |
| echo "📈 Version: ${{ steps.metadata.outputs.previous-version }} → ${{ steps.metadata.outputs.new-version }}" | |
| echo "📂 Directory: ${{ steps.metadata.outputs.directory }}" | |
| [ "${{ steps.security_check.outputs.is_security_update }}" = "true" ] && \ | |
| echo "🚨 Security update (CVSS: ${{ steps.metadata.outputs.cvss }})" | |
| echo "::endgroup::" | |
| } | |
| echo "🔍 Fetching all Go-related Dependabot PRs..." | |
| GO_PRS=$(gh pr list \ | |
| --author "dependabot[bot]" \ | |
| --json number,title,createdAt,headRefName \ | |
| --state open \ | |
| --jq 'sort_by(.createdAt) | .[] | select(.title | contains("go.mod"))') | |
| CURRENT_PR_PROCESSED=false | |
| echo "$GO_PRS" | while read -r pr; do | |
| PR_NUMBER=$(echo "$pr" | jq -r .number) | |
| HEAD_BRANCH=$(echo "$pr" | jq -r .headRefName) | |
| log_update_details $PR_NUMBER | |
| # Skip indirect dependencies unless they're security updates | |
| if [ "${{ steps.metadata.outputs.dependency-type }}" = "indirect" ] && \ | |
| [ "${{ steps.security_check.outputs.is_security_update }}" != "true" ]; then | |
| echo "⏭️ Skipping indirect dependency update" | |
| continue | |
| fi | |
| # Special handling for security updates | |
| if [ "${{ steps.security_check.outputs.is_security_update }}" = "true" ]; then | |
| echo "🚨 Processing security update with priority" | |
| PRIORITY_MERGE=true | |
| fi | |
| git fetch origin $HEAD_BRANCH | |
| git checkout $HEAD_BRANCH | |
| git pull origin $HEAD_BRANCH | |
| echo "🛠️ Running go mod tidy for PR #$PR_NUMBER" | |
| go mod tidy | |
| if git diff --quiet; then | |
| echo "✨ No changes required for PR #$PR_NUMBER" | |
| else | |
| echo "💾 Committing changes for PR #$PR_NUMBER" | |
| git config --global user.name "GitHub Actions" | |
| git config --global user.email "[email protected]" | |
| git commit -am "chore: go mod tidy for PR #$PR_NUMBER" | |
| git push origin $HEAD_BRANCH | |
| fi | |
| # Auto-merge decision logic | |
| if [ "$PR_NUMBER" = "$CURRENT_PR_NUMBER" ]; then | |
| CURRENT_PR_PROCESSED=true | |
| if { [ "$UPDATE_TYPE" != "version-update:semver-major" ] || \ | |
| [ "${{ steps.security_check.outputs.is_security_update }}" = "true" ]; } && \ | |
| [ "${{ steps.security_check.outputs.is_compatible }}" = "true" ] && \ | |
| [ "${{ steps.security_check.outputs.has_maintainer_changes }}" = "false" ]; then | |
| echo "🤖 Enabling auto-merge for current PR #$PR_NUMBER" | |
| gh pr merge --auto --merge "$PR_URL" | |
| fi | |
| elif [ "$CURRENT_PR_PROCESSED" = false ]; then | |
| echo "🔄 Processing older PR #$PR_NUMBER first" | |
| gh pr merge --auto --merge "$PR_NUMBER" | |
| fi | |
| done | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.DEPENDABOT_PAT }} | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| CURRENT_PR_NUMBER: ${{ github.event.pull_request.number }} | |
| UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }} | |
| # Handle other dependencies with security awareness | |
| - name: Enable auto-merge for pipeline dependencies | |
| if: | | |
| steps.security_check.outputs.is_compatible == 'true' && | |
| steps.security_check.outputs.has_maintainer_changes == 'false' && | |
| (steps.metadata.outputs.update-type != 'version-update:semver-major' || steps.security_check.outputs.is_security_update == 'true') && | |
| contains(steps.metadata.outputs.directory, '.github/workflows') | |
| run: gh pr merge --auto --merge "$PR_URL" | |
| env: | |
| PR_URL: ${{github.event.pull_request.html_url}} | |
| GITHUB_TOKEN: ${{secrets.DEPENDABOT_PAT}} | |
| - name: Enable auto-merge for other dependencies | |
| if: | | |
| steps.security_check.outputs.is_compatible == 'true' && | |
| steps.security_check.outputs.has_maintainer_changes == 'false' && | |
| (steps.metadata.outputs.update-type != 'version-update:semver-major' || steps.security_check.outputs.is_security_update == 'true') && | |
| steps.metadata.outputs.package-ecosystem != 'gomod' && | |
| !contains(steps.metadata.outputs.directory, '.github/workflows') | |
| run: gh pr merge --auto --merge "$PR_URL" | |
| env: | |
| PR_URL: ${{github.event.pull_request.html_url}} | |
| GITHUB_TOKEN: ${{secrets.DEPENDABOT_PAT}} |