update

.github/workflows/automerge-dependabot-prs-into-collected-branch.yml

@@ -0,0 +1,58 @@
+# qqqq in development
+# This script seperate major and minor but we do merge them into the same branch. 
+# Having two steps allows us to easily turn off major changes in future and then script them to their own branch and pipeline.
+name: Auto-merge Dependabot PRs into collected branch
+on:
+  pull_request:
+  # synchronize
+    types: [opened]
+    branches: [Automatic_version_update_dependabot]  # Make sure this matches your actual branch name
+  check_suite:
+    types: [completed]    
+  workflow_dispatch:
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  debug:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Debug info
+        run: |
+          echo "Actor: ${{ github.actor }}"
+          echo "PR Title: ${{ github.event.pull_request.title }}"
+          echo "Target Branch: ${{ github.event.pull_request.base.ref }}"
+          echo "Source Branch: ${{ github.event.pull_request.head.ref }}"
+          - name: Wait for other checks to start
+      - name: Delay for check
+        run: |
+          # drop later qqqq shouldnt need but its running before auto
+          echo "Waiting 4 minutes for other checks to start running..."
+          sleep 240
+  auto-merge:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]' || github.event_name == 'workflow_dispatch'
+    steps:
+      - name: Extract update type
+        id: extract
+        run: |
+          PR_TITLE="${{ github.event.pull_request.title }}"
+          if [[ $PR_TITLE == *"(major)"* ]]; then
+            echo "update_type=major" >> $GITHUB_OUTPUT
+          else
+            echo "update_type=minor_or_patch" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Auto-merge minor and patch updates
+        if: steps.extract.outputs.update_type == 'minor_or_patch'
+        # Auto should set the the request to merge once checks complete
+        run: gh pr merge --auto --squash "${{ github.event.pull_request.html_url }}"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Auto-merge major updates
+        if: steps.extract.outputs.update_type == 'major'
+        run: gh pr merge --auto --squash "${{ github.event.pull_request.html_url }}"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/collected-dependabot-staging-to-master.yml

@@ -0,0 +1,49 @@
+# qqqq in development
+name: Collected Dependabot Promotion From Staging To Master
+on:
+  schedule:
+    # we want the opposite weeks to staging so we get a week where it occurs in manual testing
+    - cron: '0 9 8-14 * 1'  # Second Monday of month
+    - cron: '0 9 22-28 * 1' # Fourth Monday of month
+  workflow_dispatch:
+
+jobs:
+  promote-to-master:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check for changes
+        id: changes
+        run: |
+          git fetch origin Automatic_collected_dependabot_staging:Automatic_collected_dependabot_staging
+          git fetch origin master:master  # or main/master - whatever your prod branch is
+
+          if git diff --quiet master Automatic_collected_dependabot_staging; then
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          else
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create PR to master
+        if: steps.changes.outputs.has_changes == 'true'
+        run: |
+          if gh pr list --head Automatic_collected_dependabot_staging --base master --json number --jq '.[0].number' | grep -q .; then
+            echo "PR already exists, skipping creation"
+          else
+            gh pr create \
+              --base master \
+              --head Automatic_collected_dependabot_staging \
+              --title "Fortnightly dependabot collected master promotion - $(date +%Y-%m-%d)" \
+              --body "Automated weekly promotion from staging to master after testing period" \
+              --auto-merge \
+              --merge
+          fi
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/collected-dependabot-to-staging.yml

@@ -0,0 +1,46 @@
+# qqqq in development
+name: Dependabot Collected Promotion To Staging
+# this logic will require branch ruleset checks of running the dev pipeline
+on:
+  schedule:
+    # Promotion from staging to release should be a week apart so alternating weeks (also live updates dangerous)
+    - cron: '0 9 1-7 * 1'   # First Monday of month
+    - cron: '0 9 15-21 * 1' # Third Monday of month
+  workflow_dispatch:  # Allow manual trigger
+
+jobs:
+  promote-to-automatic-collected-dependabot-staging:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check for changes
+        id: changes
+        run: |
+          git fetch origin Automatic_version_update_dependabot:Automatic_version_update_dependabot
+          git fetch origin Automatic_collected_dependabot_staging:Automatic_collected_dependabot_staging
+
+          if git diff --quiet Automatic_collected_dependabot_staging Automatic_version_update_dependabot; then
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          else
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create PR to Automatic_collected_dependabot_staging
+        if: steps.changes.outputs.has_changes == 'true'
+        run: |
+          gh pr create \
+            --base Automatic_collected_dependabot_staging \
+            --head Automatic_version_update_dependabot \
+            --title "Fortnightly dependabot collected to staging - $(date +%Y-%m-%d)" \
+            --body "Automated Fortnightly promotion of dependency updates from dependabot" \
+            --auto-merge \
+            --merge
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/dev.yml

@@ -4,6 +4,10 @@ on:
     branches-ignore:
       - 'main'
       - 'master'
+      # We currently dont intend to test the showcase per package bump so wont run for package bumps
+      # we will run on the collected bumps merging though
+      - 'dependabot/**'
+
   workflow_dispatch:
 
 permissions:
@@ -83,15 +87,40 @@ jobs:
           echo "Semantic Release packages installed."
           npm ls --depth=0 # Debug: List installed packages
 
-      #configured with .releaseserc
+      # Configured with .releaseserc
       # Dry run we are not versioning the repo
       - name: Run dev semantic version (None Blocking)
         id: detect_semantic_version
         run: |
+          echo "error catch run of semver first to get any error detail on config issues"
+          set +e
+          SEMVER_OUTPUT_RAW_ERROR_CHECK=$(npx semantic-release --dry-run 2> /tmp/semantic-release-errors.log)
+          STATUS_ERROR_CHECK=$?
+
+          # Now you can check the status and log the error messages if an error occurred
+          if [ $STATUS_ERROR_CHECK -ne 0 ]; then
+            echo "❌ Semantic release failed with exit code $STATUS_ERROR_CHECK."
+            echo "❌ Error output:"
+            cat /tmp/semantic-release-errors.log
+          else
+            echo "✅ Semantic Ouput success : $SEMVER_OUTPUT_RAW_ERROR_CHECK "
+            echo "✅ Error on success : $STATUS_ERROR_CHECK"
+          fi
+
+          set -e
+
 
           echo "running semantic-release"
-          SEMVER_OUTPUT_RAW=$(npx semantic-release --dry-run 2>&1)
-          STATUS=$?
+          semver_output_raw=$(npx semantic-release --dry-run 2>&1)
+          status=$?
+
+          # Now you can check the status and log the error messages if an error occurred
+          if [ $STATUS -ne 0 ]; then
+            echo "Semantic release failed with exit code $STATUS."
+            echo "Error output:"
+            cat /tmp/semantic-release-errors.log
+          fi
+
           echo "status = $STATUS"
           echo "$SEMVER_OUTPUT_RAW"          
 
@@ -357,5 +386,4 @@ jobs:
             -H "Authorization: Bearer $TEL_GIT_PACKAGES_TOKEN" \
             -H "X-GitHub-Api-Version: 2022-11-28" \
             https://api.github.com/repos/$repo_owner/$repo_name/dispatches \
-            -d "{\"event_type\": \"$event_type\", \"client_payload\": {\"artifact_url\": \"$artifact_url\"}}"      
-
+            -d "{\"event_type\": \"$event_type\", \"client_payload\": {\"artifact_url\": \"$artifact_url\"}}"      

.github/workflows/reuseable-ci-checks.yml

@@ -198,17 +198,20 @@ jobs:
             fetch-depth: 0
 
         - name: Check branch and run commitlint
+          id: check_branch_and_run_commitlint
           run: |
             BRANCH_NAME="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
             echo "Branch name: $BRANCH_NAME"
-            if [[ "$BRANCH_NAME" =~ ^dependabot/ ]]; then
-              echo "✅ Branch is a dependabot branch - skipping commitlint"
-              exit 0
+            if [[ "$BRANCH_NAME" =~ ^dependabot/ ]] || [[ "$AUTHOR_NAME" == "dependabot[bot]" ]] || [[ "$COMMIT_MSG" =~ ^Bump ]]; then
+              echo "✅ Branch is a dependabot branch - skipping commitlint ✅"
+              echo "skip=true" >> $GITHUB_OUTPUT
             else
               echo "Regular branch - will run commitlint in next step"
+              echo "skip=false" >> $GITHUB_OUTPUT
             fi
 
         - name: Run commitlint action
+          if: steps.check_branch_and_run_commitlint.outputs.skip != 'true'
           uses: wagoid/commitlint-github-action@v5
           with:
             configFile: .commitlintrc.json

.github/workflows/workflow-readme.md

@@ -81,6 +81,68 @@ The individual steps also automatically pass so can see if any error at the end
 # Notes
 - doesnt run easily with nektos act due to git ref checks and calling other workflows
 - for tests use the run-tests-and-report-with-env-values.ps1 file
-
+- dependabot duplicates tokens using dependabot secrets including write so can run checks
+- autoverging is being tried for major and minor
+- branch checks must pass for merge on automated_version
+- checks required but overrideable for all workflows
 ## Versioning
 Via semantic release and recorded as a generate c# file used by a blazor component
+
+## Alternative Approaches
+
+```
+name: Pull Request Checks
+
+# ⚠️ pull_request_target is dangerous it allows secrets to be used by forks and bots, ⚠️ 
+# ⚠️ we want dependabot only to be using these secrets so addition logic requires an "if" for every job ⚠️
+# We will restrict it by making pull_request_target only for the Automatic_version_update_dependabot and then use
+# an if to ensure its only by dependabot
+
+on:
+  pull_request:
+    branches: ['**']                # Run on all branches
+    branches-ignore: ['dependabot/**']  # Skip Dependabot PRs
+  pull_request_target:
+    branches: ['Automatic_version_update_dependabot']  # Base branch for Dependabot PRs
+  workflow_dispatch:
+
+jobs:
+  dummy:
+    if: |
+      (github.actor == 'dependabot[bot]' && 
+      startsWith(github.head_ref, 'dependabot/') &&
+      github.event_name == 'pull_request_target')
+      ||
+      (github.actor != 'dependabot[bot]' && github.event_name == 'pull_request')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dummy Step
+        run: echo "This is a dummy job to allow workflow_dispatch"
+
+  pull-request-call-reusable-ci-checks-workflow:
+    if: |
+      (github.actor == 'dependabot[bot]' && 
+      startsWith(github.head_ref, 'dependabot/') &&
+      github.event_name == 'pull_request_target')
+      ||
+      (github.actor != 'dependabot[bot]' && github.event_name == 'pull_request')
+    name: Pull Request run CI Checks
+    uses: ./.github/workflows/reuseable-ci-checks.yml
+    needs: dummy
+    with:
+      runall: true
+
+    # could try secrets:inherit QQQQ
+    secrets:
+      UNITTESTS_APPSETTINGS_DEVELOPMENT: ${{ secrets.UNITTESTS_APPSETTINGS_DEVELOPMENT }}
+      WASMSTATICCLIENT_APPSETTINGS_DEVELOPMENT: ${{ secrets.WASMSTATICCLIENT_APPSETTINGS_DEVELOPMENT }}
+      WASMSERVERHOSTCLIENT_APPSETTINGS_DEVELOPMENT: ${{ secrets.WASMSERVERHOSTCLIENT_APPSETTINGS_DEVELOPMENT }}
+      WASMSERVERHOST_APPSETTINGS_DEVELOPMENT: ${{ secrets.WASMSERVERHOST_APPSETTINGS_DEVELOPMENT }}
+      TEL_GIT_PACKAGES_TOKEN: ${{secrets.NUGETKEY }}
+
+      UNITTESTS_APPSETTINGS_PRODUCTION: ${{ secrets.UNITTESTS_APPSETTINGS_PRODUCTION }}
+      WASMSTATICCLIENT_APPSETTINGS_PRODUCTION: ${{ secrets.WASMSTATICCLIENT_APPSETTINGS_PRODUCTION }}
+      WASMSERVERHOSTCLIENT_APPSETTINGS_PRODUCTION: ${{ secrets.WASMSERVERHOSTCLIENT_APPSETTINGS_PRODUCTION }}
+      WASMSERVERHOST_APPSETTINGS_PRODUCTION: ${{ secrets.WASMSERVERHOST_APPSETTINGS_PRODUCTION }}
+
+```

.gitignore

@@ -236,3 +236,4 @@ TELBlazor.Components.ShowCase.E2ETests.WasmServerHost/Logs/*
 
 # Generated version info files
 TELBlazor.Components/TELBlazorPackageVersion/VersionInfo*.cs
+/.github/workflows/test.yml

.releaserc.json

@@ -6,6 +6,10 @@
     {
       "name": "Automatic_version_update_dependabot"
     },
+    {
+      "name": "Automatic_collected_dependabot_staging",
+      "prerelease": "dependabot-staging"
+    },
     {
       "name": "feat-*",
       "prerelease": true