From 0d0fbaa5e4291cc7bce756e198db9c685ecc4c2d Mon Sep 17 00:00:00 2001
From: PipeItToDevNull
Date: Tue, 25 Jun 2024 20:12:40 -0400
Subject: [PATCH 1/5] Remove the devel idea from this, and use SHA for SBOM validation instead
---
 .github/workflows/build-push-amd64.yml | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/build-push-amd64.yml b/.github/workflows/build-push-amd64.yml
index 42a64dff..403b996e 100644
--- a/.github/workflows/build-push-amd64.yml
+++ b/.github/workflows/build-push-amd64.yml
@@ -4,7 +4,6 @@ on: push: branches: - main - - devel workflow_dispatch: schedule: - cron: "0 13 * * *"
@@ -17,10 +16,6 @@ env: jobs: docker: runs-on: ubuntu-latest - strategy: - matrix: - branch: - - main permissions: contents: write packages: write
@@ -29,8 +24,6 @@ jobs: steps: - name: Checkout uses: actions/checkout@v4 - with: - ref: ${{ matrix.branch }} - name: Set up QEMU uses: docker/setup-qemu-action@v3
@@ -53,7 +46,8 @@ jobs: images: ${{ env.REGISTRY }}/${{ env.REPO }}/${{ env.IMAGE }} flavor: latest=auto tags: | - type=raw,value={{branch}} + type=sha,enable=true,priority=100,prefix=,suffix=,format=long + type=raw,value=devel,enable=${{ github.ref != format('refs/heads/{0}', 'main') }} type=raw,value=latest,enable={{is_default_branch}} - name: Build and push Docker image
@@ -76,8 +70,8 @@ jobs: - name: Generate SBOM uses: anchore/sbom-action@v0 with: - image: ${{ env.REGISTRY }}/${{ env.REPO }}/${{ env.IMAGE}}:${{ matrix.branch }} - artifact-name: ${{ env.IMAGE }}-${{ matrix.branch }}.spdx + image: ${{ env.REGISTRY }}/${{ env.REPO }}/${{ env.IMAGE}}:${{ github.sha }} + artifact-name: ${{ env.IMAGE }}-${{ github.sha }}.spdx format: spdx-json upload-artifact: true upload-artifact-retention: 7
From 991981fc257048c9302b75ad695645954c15ad5d Mon Sep 17 00:00:00 2001
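Review bot: The added `type=raw,value=devel` tag is enabled whenever `github.ref` is not `refs/heads/main`, and since the first hunk leaves `push` limited to `main`, that condition can only hold on a `workflow_dispatch` run from some other branch, so any manually dispatched branch gets published as `devel` even though the commit title says the devel idea is removed. Either drop that line or state the intent in a comment above it, e.g. `# any manually dispatched non-main ref is published under the devel tag`. The `type=sha` entry relies on `prefix=` together with `format=long` so that the resulting tag equals `github.sha`, which the SBOM step later in this file depends on; a one-line comment naming that coupling would stop a future edit to one side from silently breaking the other. The metadata step this `with:` block belongs to starts before the hunk.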
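Review bot: The SBOM is generated from the image referenced by the tag `:${{ github.sha }}`, and a tag is mutable: the daily `schedule` trigger re-runs the build for the same commit, so if the build step pushes again (its name suggests it does) the tag moves to a new image while the artifact name `${{ env.IMAGE }}-${{ github.sha }}.spdx` stays the same, and a consumer validating against the SBOM can no longer tell which image it describes. If the build step exposes the pushed digest (docker/build-push-action has a `digest` output), referencing `${{ env.REGISTRY }}/${{ env.REPO }}/${{ env.IMAGE }}@${{ steps.<build-step-id>.outputs.digest }}` here ties the SBOM to the exact image; the build step's id is not visible in this patch. The missing space in `${{ env.IMAGE}}` is harmless but inconsistent with the other expressions on the same line.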
From: PipeItToDevNull
Date: Tue, 25 Jun 2024 20:13:32 -0400
Subject: [PATCH 2/5] Add dependabot auto-merging that is dependent on the build succeeding and the updated being a semver patch
---
 .github/workflows/ci.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e5b37b1c..086a711e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -55,3 +55,22 @@ jobs: run: npm run build - name: Test run: npm run test + GH_TOKEN: ${{secrets.GITHUB_TOKEN}} + + # This should depend on the backend and frontend builds, then if it is a PR submitted by Dependabot that is a patch it will merge the PR + close_pr: + needs: backend-build && frontend-build + if: github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' + runs-on: ubuntu-latest + steps: + - name: Dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@v2 + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" + - name: Merge PR + if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch' + run: gh pr merge --auto --merge "$PR_URL" + env: + PR_URL: ${{github.event.pull_request.html_url}} + GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
\ No newline at end of file
From de12a487dd856045a922e71229f8736c15875df0 Mon Sep 17 00:00:00 2001
From: PipeItToDevNull
Date: Tue, 25 Jun 2024 20:16:06 -0400
Subject: [PATCH 3/5] small correction to brackets
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 086a711e..17edfcaf 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
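Review bot: The merge condition reads `steps.dependabot-metadata.outputs.update-type`, but the metadata step is declared with `id: metadata`, so the referenced step does not exist, the output is empty, and the `Merge PR` step never runs; the [PATCH 3/5] hunk fixes the stray `${{` but keeps the same mismatch. Either rename the step to `id: dependabot-metadata` or change the condition to `if: steps.metadata.outputs.update-type == 'version-update:semver-patch'`. The new `close_pr` job declares no `permissions:` block; `gh pr merge` with `GITHUB_TOKEN` needs `pull-requests: write` and `contents: write`, so a job-level block granting exactly those keeps the scope explicit instead of relying on whatever workflow-level default applies outside this hunk. `gh pr merge --auto` only queues the merge and branch protection still decides when it lands, which is presumably intended but deserves a line in the comment above `close_pr:`.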
@@ -69,7 +69,7 @@ jobs: with: github-token: "${{ secrets.GITHUB_TOKEN }}" - name: Merge PR - if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch' + if: steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch' run: gh pr merge --auto --merge "$PR_URL" env: PR_URL: ${{github.event.pull_request.html_url}}
From 58f656b9778cf626f50c5a639f03dd0094ae92c7 Mon Sep 17 00:00:00 2001
From: PipeItToDevNull
Date: Tue, 25 Jun 2024 20:17:31 -0400
Subject: [PATCH 4/5] remove extraneous pasted line
---
 .github/workflows/ci.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 17edfcaf..2a0be96e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -55,7 +55,6 @@ jobs: run: npm run build - name: Test run: npm run test - GH_TOKEN: ${{secrets.GITHUB_TOKEN}} # This should depend on the backend and frontend builds, then if it is a PR submitted by Dependabot that is a patch it will merge the PR close_pr:
From 80ff25fa12e6cad7d08d1d909294705f1e7ea428 Mon Sep 17 00:00:00 2001
From: PipeItToDevNull
Date: Tue, 25 Jun 2024 20:20:56 -0400
Subject: [PATCH 5/5] change how needs is arranged
---
 .github/workflows/ci.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2a0be96e..e3429966 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -58,7 +58,9 @@ jobs: # This should depend on the backend and frontend builds, then if it is a PR submitted by Dependabot that is a patch it will merge the PR close_pr: - needs: backend-build && frontend-build + needs: + - backend-build + - frontend-build if: github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' runs-on: ubuntu-latest steps: