Run dependabot CI without GitHub secrets (#1204)

Due to https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/, Dependabot PRs don't have access to GH secrets. In particular, that means they can't run e2e tests, and can't deploy a preview app on NPM. So far, we have manually re-run the dependabot PRs to get access to the secrets. This commit makes it so that Dependabot PRs run without e2e tests or NPM preview, so that a human user does not need to be involved. To achieve that, any step of the workflow that requires a GH secret only gets executed if it isn't triggered by dependabot.
inrupt · Mar 25, 2021 · 69447c8 · 69447c8
1 parent dd70873
commit 69447c8
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 8 deletions.
diff --git a/.github/workflows/cd-preview.yml b/.github/workflows/cd-preview.yml
@@ -1,16 +1,17 @@
 name: CD-preview
 
-on:
-  push:
-    branches-ignore:
-      - dependabot/*
+on: [push, workflow_dispatch]
 
 env:
   CI: true
 jobs:
   dev-release-npm:
     name: "NPM release under a dev tag"
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
+    # Dependabot cannot access secrets, so it doesn't have a token to publish to NPM.
+    # Since all the other jobs of this workflow depend on this one, skipping it should
+    # skip the entire workflow.
+    if: ${{ github.actor != 'dependabot' }}
     outputs:
       version-nr: ${{ steps.determine-npm-version.outputs.version-nr }}
     steps:

diff --git a/.github/workflows/cd-teardown.yml b/.github/workflows/cd-teardown.yml
@@ -7,7 +7,10 @@ env:
 jobs:
   unpublish-npm:
     runs-on: ubuntu-20.04
-    if: github.event.ref_type == 'branch'
+    # Dependabot cannot access secrets, so it doesn't have a token to publish to NPM.
+    # Since all the other jobs of this workflow depend on this one, skipping it should
+    # skip the entire workflow.
+    if: ${{github.event.ref_type == 'branch' && github.actor != 'dependabot'}} 
     steps:
     - name: Prepare for unpublication from npm
       uses: actions/[email protected]

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,6 +1,6 @@
 name: CI
 
-on: [push]
+on: [push, workflow_dispatch]
 
 env:
   CI: true
@@ -29,7 +29,11 @@ jobs:
       - run: npm run bootstrap -- --ci
       - run: npm run build
       - run: npm run test
-      - run: npm run e2e-test
+      - # Dependabot cannot access secrets, so it doesn't have a token to authenticate to ESS.
+        # Since all the other jobs of this workflow depend on this one, skipping it should
+        # skip the entire workflow.
+        if: ${{ github.actor != 'dependabot' }}
+        run: npm run e2e-test
         env: 
           E2E_TEST_REFRESH_TOKEN: ${{ secrets.E2E_TEST_REFRESH_TOKEN }}
           E2E_TEST_CLIENT_ID: ${{ secrets.E2E_TEST_CLIENT_ID }}

diff --git a/.github/workflows/e2e-browser.yml b/.github/workflows/e2e-browser.yml
@@ -20,6 +20,10 @@ jobs:
           path: e2e/browser/node_modules
           key: ${{ runner.os }}-node${{ runner.node-version }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }}
       - name: Run tests
+        # Dependabot cannot access secrets, so it doesn't have a token to authenticate to ESS.
+        # Since all the other jobs of this workflow depend on this one, skipping it should
+        # skip the entire workflow.
+        if: ${{ github.actor != 'dependabot' }}
         run: |
           cd e2e/browser;
           npm ci;