From 82593b4c83361fc151f8d339c174e89034e32003 Mon Sep 17 00:00:00 2001 From: Tim Ross Date: Fri, 30 Dec 2022 09:44:08 -0500 Subject: [PATCH] Batch Dependabot PRs Leverages https://github.com/Legal-and-General/dependabot-batcher to create and/or maintain a merged PR (and branch) of all the Dependabot PRs and close them as they are merged in, leaving a single Dependabot PR behind. The Dependabot schedule is set for Sunday at 9:00am and the batcher workflow is configured to run Sunday at 9:00pm. All workflows that run on pull requests open have been configured to ignore branches prefixed with `dependabot/`. Since the dependabot PRs are all going to be closed and batched there is no need to waste CI minutes on them. Any new workflows will require the same check to prevent running on dependabot PRs. Also adds `cloud.google.com/go/iam` and `github.com/go-webauthn/webauthn` to the dependabot ignore list because they pull in newer versions of `cloud.google.com/go/firestore` and `golang.org/x/crypto` which we cannot use at this time. --- .github/dependabot.yml | 10 +++++++ .github/workflows/assign.yaml | 2 +- .github/workflows/build-macos.yaml | 1 + .github/workflows/build-windows.yaml | 1 + .github/workflows/check.yaml | 2 +- .github/workflows/cifuzz.yml | 1 + .github/workflows/codeql.yml | 1 + .github/workflows/dependabot-batcher.yaml | 27 +++++++++++++++++++ .github/workflows/dependency-review.yaml | 1 + .github/workflows/doc-tests.yaml | 1 + .../workflows/integration-tests-non-root.yaml | 1 + .github/workflows/integration-tests-root.yaml | 1 + .github/workflows/label.yaml | 2 +- .github/workflows/lint.yaml | 1 + .github/workflows/os-compatibility-test.yaml | 1 + .github/workflows/unit-tests-code.yaml | 1 + .github/workflows/unit-tests-operator.yaml | 1 + .github/workflows/unit-tests-rust.yaml | 1 + 18 files changed, 53 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/dependabot-batcher.yaml 
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 1d2d7036120ab..4c1f82202a719 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,6 +4,8 @@ updates: directory: "/" schedule: interval: weekly + day: "sunday" + time: "09:00" # 9am UTC ignore: # Deprecated APIs, requires manual changes. # TODO(xacrimon): Update Firestore and solve deprecations.
@@ -29,6 +31,10 @@ updates: - dependency-name: github.com/vulcand/predicate # TODO(tross): Update after Firestore is updated - dependency-name: google.golang.org/genproto + # TODO(tross): Update after Firestore is updated + - dependency-name: cloud.google.com/go/iam + # TODO(tross): Update after /x/crypto is updated + - dependency-name: github.com/go-webauthn/webauthn open-pull-requests-limit: 10 reviewers: - codingllama
@@ -39,6 +45,8 @@ updates: directory: "/api" schedule: interval: weekly + day: "sunday" + time: "09:00" # 9am UTC ignore: # TODO(codingllama): Allow /x/crypto updates after upstream patch. - dependency-name: golang.org/x/crypto
@@ -54,6 +62,8 @@ updates: directory: "/" schedule: interval: weekly + day: "sunday" + time: "09:00" # 9am UTC open-pull-requests-limit: 10 reviewers: - codingllama
diff --git a/.github/workflows/assign.yaml b/.github/workflows/assign.yaml
index c3b5be8e993b1..e03927799bfe7 100644
--- a/.github/workflows/assign.yaml
+++ b/.github/workflows/assign.yaml
@@ -30,7 +30,7 @@ permissions: jobs: auto-request-review: name: Auto Request Review - if: ${{ !github.event.pull_request.draft }} + if: ${{ !github.event.pull_request.draft && !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-latest steps: # Checkout main branch of shared-workflow repository.
diff --git a/.github/workflows/build-macos.yaml b/.github/workflows/build-macos.yaml
index 5d6de4fefe5d3..f2ba3bcf4e3f3 100644
--- a/.github/workflows/build-macos.yaml
+++ b/.github/workflows/build-macos.yaml
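Review bot: The two ignore entries added in the second hunk of `.github/dependabot.yml` have no `versions` or `update-types` bound, so every future release of `cloud.google.com/go/iam` and `github.com/go-webauthn/webauthn` is suppressed until someone acts on the TODO. `go-webauthn/webauthn` is an authentication library, so a fix release there would not be proposed by the weekly version update while the entry stands. Consider bounding the entry to the range that actually pulls in the incompatible transitive dependency, e.g. `versions: [">= <first-incompatible-version>"]` (placeholder, the version is not visible in this patch), and pointing each TODO at a tracking issue so the ignore has an owner and an exit condition.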
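Review bot: The added `!startsWith(github.head_ref, 'dependabot/')` condition in `.github/workflows/assign.yaml` keys on the head branch name, which is chosen by whoever opens the pull request, not on who opened it, so any PR from a branch with that prefix skips the job. The same condition is added in `check.yaml` (the reviewer check), `codeql.yml`, `cifuzz.yml`, `dependency-review.yaml`, `label.yaml` and the build, lint and test workflows; a job skipped by a job-level `if` reports as successful to a required status check, so such a PR can look green with no review check or scanning having run. Gate on the PR author instead, for example `if: ${{ !github.event.pull_request.draft && github.event.pull_request.user.login != 'dependabot[bot]' }}`, or require both the author and the branch prefix to match before skipping. The job body continues outside the hunk.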
@@ -19,6 +19,7 @@ on: jobs: build: name: Build on Mac OS + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: macos-12 # TODO(r0mant): Update with large runner when it's available permissions:
diff --git a/.github/workflows/build-windows.yaml b/.github/workflows/build-windows.yaml
index bc09713a7d15a..be18f546905d7 100644
--- a/.github/workflows/build-windows.yaml
+++ b/.github/workflows/build-windows.yaml
@@ -18,6 +18,7 @@ on: jobs: build: name: Build on Windows + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: windows-2022-16core permissions:
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
index dabd2720f75f2..2ece9dd01749c 100644
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@@ -32,7 +32,7 @@ permissions: jobs: check-reviews: name: Checking reviewers - if: ${{ !github.event.pull_request.draft }} + if: ${{ !github.event.pull_request.draft && !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-latest steps: # Checkout main branch of shared-workflow repository.
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index 1499bd7e188f7..9a673726b4b09 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -18,6 +18,7 @@ on: jobs: fuzzing: + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} name: Fuzzing runs-on: ubuntu-22.04-32core permissions:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5c3c58f2b9304..59d6b2a2e9b26 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -17,6 +17,7 @@ on: jobs: analyze: name: Analyze + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-22.04-32core permissions: actions: read
diff --git a/.github/workflows/dependabot-batcher.yaml b/.github/workflows/dependabot-batcher.yaml
new file mode 100644
index 0000000000000..2cf6d88b692c8
--- /dev/null
+++ b/.github/workflows/dependabot-batcher.yaml
@@ -0,0 +1,27 @@
+# This workflow combines all open Dependabot PRs into a single batched
+# PR, links all the Dependabot PRs to the new one, and closes all the
+# Dependabot PRs. The schedule is set to exactly 12 hours after the
+# Dependabot schedule.
+#
+# All workflows that run on PR should be skipped for Dependabot PRs
+# to prevent wasting CI cycles.
+name: 'Dependabot Batcher'
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: '0 21 * * 0' # At 9:00 PM every Sunday
+
+permissions:
+ pull-requests: write
+ contents: write
+
+jobs:
+ dependabot-batcher:
+ name: 'Combine Dependabot PRs'
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Dependabot Batcher'
+ uses: Legal-and-General/dependabot-batcher@v1.0.2
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }} #required
+ baseBranchName: 'master'
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
index 5eb64ee3c73ad..1033917e0c578 100644
--- a/.github/workflows/dependency-review.yaml
+++ b/.github/workflows/dependency-review.yaml
@@ -5,6 +5,7 @@ on: jobs: dependency-review: + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} uses: gravitational/shared-workflows/.github/workflows/dependency-review.yaml@main permissions: contents: read
diff --git a/.github/workflows/doc-tests.yaml b/.github/workflows/doc-tests.yaml
index c4800de972371..e7ecc07e38bfe 100644
--- a/.github/workflows/doc-tests.yaml
+++ b/.github/workflows/doc-tests.yaml
@@ -9,6 +9,7 @@ on: jobs: doc-tests: name: Lint (Docs) + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-latest permissions:
diff --git a/.github/workflows/integration-tests-non-root.yaml b/.github/workflows/integration-tests-non-root.yaml
index 72c4c714f2789..829a2bee27684 100644
--- a/.github/workflows/integration-tests-non-root.yaml
+++ b/.github/workflows/integration-tests-non-root.yaml
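Review bot: In the new `.github/workflows/dependabot-batcher.yaml`, `uses: Legal-and-General/dependabot-batcher@v1.0.2` references a third-party action by a mutable tag in a job that holds `contents: write` and `pull-requests: write`. Pin it to the full commit SHA of the release that was reviewed, `uses: Legal-and-General/dependabot-batcher@<full-commit-sha> # v1.0.2`, so a moved tag cannot change what runs with write access to the repository. Separately, pull requests opened with `secrets.GITHUB_TOKEN` do not trigger `pull_request` workflows, and this commit also skips CI on the individual `dependabot/` branches, so the batched update may reach review with no build, test, CodeQL or dependency-review run unless something else triggers them. That is worth confirming, and the header comment should state how the batched PR gets its CI run.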
@@ -16,6 +16,7 @@ on: jobs: test: name: Integration Tests (Non-root) + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-22.04-16core permissions:
diff --git a/.github/workflows/integration-tests-root.yaml b/.github/workflows/integration-tests-root.yaml
index 6fb697736c385..5ef21233e7b24 100644
--- a/.github/workflows/integration-tests-root.yaml
+++ b/.github/workflows/integration-tests-root.yaml
@@ -16,6 +16,7 @@ on: jobs: test: name: Integration Tests (Root) + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-22.04-16core permissions:
diff --git a/.github/workflows/label.yaml b/.github/workflows/label.yaml
index cb19fb81702ee..28f60ba2f164c 100644
--- a/.github/workflows/label.yaml
+++ b/.github/workflows/label.yaml
@@ -30,7 +30,7 @@ permissions: jobs: auto-label-pr: name: Label Pull Request - if: ${{ !github.event.pull_request.draft }} + if: ${{ !github.event.pull_request.draft && !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-latest steps: # Checkout main branch of shared-workflow repository.
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 6dfff140e242d..4d32b681fb790 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -8,6 +8,7 @@ on: jobs: lint: + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} name: Lint (Go) runs-on: ubuntu-22.04-16core
diff --git a/.github/workflows/os-compatibility-test.yaml b/.github/workflows/os-compatibility-test.yaml
index 876f9fe982f18..14846a1b26ba5 100644
--- a/.github/workflows/os-compatibility-test.yaml
+++ b/.github/workflows/os-compatibility-test.yaml
@@ -9,6 +9,7 @@ on: jobs: build: name: OS Compatibility Build + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-22.04-16core permissions:
diff --git a/.github/workflows/unit-tests-code.yaml b/.github/workflows/unit-tests-code.yaml
index d7d07313eb577..457d2aae15d2e 100644
--- a/.github/workflows/unit-tests-code.yaml
+++ b/.github/workflows/unit-tests-code.yaml
@@ -16,6 +16,7 @@ on: jobs: test: name: Unit Tests (Go) + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-22.04-32core permissions:
diff --git a/.github/workflows/unit-tests-operator.yaml b/.github/workflows/unit-tests-operator.yaml
index 65c8e6a90c66e..3d95d5b298564 100644
--- a/.github/workflows/unit-tests-operator.yaml
+++ b/.github/workflows/unit-tests-operator.yaml
@@ -18,6 +18,7 @@ on: jobs: test: name: Unit Tests (Operator) + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-22.04-16core permissions:
diff --git a/.github/workflows/unit-tests-rust.yaml b/.github/workflows/unit-tests-rust.yaml
index c68f76c91b8a5..f3812b9546858 100644
--- a/.github/workflows/unit-tests-rust.yaml
+++ b/.github/workflows/unit-tests-rust.yaml
@@ -16,6 +16,7 @@ on: jobs: test: name: Unit Tests (Rust) + if: ${{ !startsWith(github.head_ref, 'dependabot/') }} runs-on: ubuntu-latest permissions: