From dcc5110d631bb53fe016058f833ed2272a44d67e Mon Sep 17 00:00:00 2001
From: Jake Coffman
Date: Fri, 2 May 2025 14:13:28 -0500
Subject: [PATCH] first pass at creating example
---
.github/dependabot/go.yml | 18 +++++++++++
.github/workflows/example.yml | 51 ++++++++++++++++++++++++++++++
create.sh | 58 +++++++++++++++++++++++++++++++++++
example/README.md | 3 ++
example/go.mod | 8 +++++
example/go.sum | 4 +++
example/main.go | 8 +++++
7 files changed, 150 insertions(+)
create mode 100644 .github/dependabot/go.yml
create mode 100644 .github/workflows/example.yml
create mode 100755 create.sh
create mode 100644 example/README.md
create mode 100644 example/go.mod
create mode 100644 example/go.sum
create mode 100644 example/main.go
diff --git a/.github/dependabot/go.yml b/.github/dependabot/go.yml
new file mode 100644
index 0000000..995ed13
--- /dev/null
+++ b/.github/dependabot/go.yml
@@ -0,0 +1,18 @@
+# This is the input to Dependabot CLI.
+# For more examples of what you can do, see the smoke tests: https://github.com/dependabot/smoke-tests/tree/main/tests
+
+job:
+ # this is the directory defined in dependabot-core
+ package-manager: go_modules
+ allowed-updates:
+ - dependency-type: direct
+ update-type: all
+ experiments:
+ # unlike with hosted Dependabot, you can control this variable directly
+ goprivate: ""
+ source:
+ provider: github
+ repo: dependabot/example-cli-usage
+ # looks absolute, but this is relative to the root of the repo
+ directory: /example
+ branch: main
diff --git a/.github/workflows/example.yml b/.github/workflows/example.yml
new file mode 100644
index 0000000..3c6304c
--- /dev/null
+++ b/.github/workflows/example.yml
@@ -0,0 +1,51 @@
+name: Run Dependabot
+on:
+ workflow_dispatch:
+
+jobs:
+ run-dependabot:
+ permissions:
+ # Important not to give Dependabot write access in case it runs arbitrary
+ # code as some ecosystems do.
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Download CLI
+ run: |
+ gh release download --repo dependabot/cli -p "*linux-amd64.tar.gz"
+ tar xzvf *.tar.gz >/dev/null 2>&1
+ ./dependabot --version
+
+ - name: Run Dependabot
+ env:
+ LOCAL_GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ ./dependabot update -f .github/dependabot/go.yml --timeout 20m > result.jsonl
+
+ - name: Upload result
+ uses: actions/upload-artifact@v4
+ with:
+ name: dependabot-result
+ path: result.jsonl
+
+ create-prs:
+ permissions:
+ # This job creates PRs, so it needs write access.
+ contents: write
+ pull-requests: write
+ runs-on: ubuntu-latest
+ needs: run-dependabot
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Download result
+ uses: actions/download-artifact@v4
+ with:
+ name: dependabot-result
+
+ - name: Create PRs
+ run: bash create.sh result.jsonl
diff --git a/create.sh b/create.sh
new file mode 100755
index 0000000..5bcb75f
--- /dev/null
+++ b/create.sh
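Review bot: Neither `gh` invocation has a `GH_TOKEN` in its environment, and inside Actions the CLI exits with an error asking for one, so the `Download CLI` step (and `gh pr create` in `create.sh`, called from `Create PRs`) will fail as written; add `env:` / `GH_TOKEN: ${{ github.token }}` to both steps. The download also takes whatever the newest `dependabot/cli` release is and extracts and executes it with no version pin and no checksum check, even though its output is later written into the repository and pushed by a job holding `contents: write`; pin `gh release download` to a release tag and verify the archive against the release's published checksum before running it, failing the job on mismatch. Separately, pull requests opened with `GITHUB_TOKEN` do not trigger other workflows, which is worth a comment on `create-prs` if CI on the resulting PRs is expected.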
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+# This script takes a jsonl file as input which is the stdout of a Dependabot CLI run.
+# It takes the `type: create_pull_request` events and creates a pull request for each of them
+# by using git commands.
+
+# Note at this time there is minimal error handling.
+
+set -euo pipefail
+
+if [ $# -ne 1 ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+INPUT="$1"
+
+# Parse each create_pull_request event
+jq -c 'select(.type == "create_pull_request")' "$INPUT" | while read -r event; do
+ # Extract fields
+ BASE_SHA=$(echo "$event" | jq -r '.expect.data."base-commit-sha"')
+ PR_TITLE=$(echo "$event" | jq -r '.expect.data."pr-title"')
+ PR_BODY=$(echo "$event" | jq -r '.expect.data."pr-body"')
+ COMMIT_MSG=$(echo "$event" | jq -r '.expect.data."commit-message"')
+ BRANCH_NAME="dependabot/$(echo "$PR_TITLE" | tr ' /' '__' | tr -cd '[:alnum:]_-')"
+
+ echo "Processing PR: $PR_TITLE"
+ echo " Base SHA: $BASE_SHA"
+ echo " Branch: $BRANCH_NAME"
+
+ # Create and checkout new branch from base commit
+ git fetch origin
+ git checkout "$BASE_SHA"
+ git checkout -b "$BRANCH_NAME"
+
+ # Apply file changes
+ echo "$event" | jq -c '.expect.data."updated-dependency-files"[]' | while read -r file; do
+ FILE_PATH=$(echo "$file" | jq -r '.directory + "/" + .name' | sed 's#^/##')
+ DELETED=$(echo "$file" | jq -r '.deleted')
+ if [ "$DELETED" = "true" ]; then
+ git rm -f "$FILE_PATH" || true
+ else
+ mkdir -p "$(dirname "$FILE_PATH")"
+ echo "$file" | jq -r '.content' > "$FILE_PATH"
+ git add "$FILE_PATH"
+ fi
+ done
+
+ # Commit and push
+ git commit -m "$COMMIT_MSG"
+ git push origin "$BRANCH_NAME"
+
+ # Create PR using gh CLI
+ gh pr create --title "$PR_TITLE" --body "$PR_BODY" --base main --head "$BRANCH_NAME" || true
+
+ # Return to main branch for next PR
+ git checkout main
+done
diff --git a/example/README.md b/example/README.md
new file mode 100644
index 0000000..bd4c26e
--- /dev/null
+++ b/example/README.md
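Review bot: `FILE_PATH` is built from the event's `.directory` and `.name` and only a leading `/` is stripped, so a `..` component in either field would let `mkdir -p` and the redirect write outside the checkout before `git add` gets a chance to refuse it; reject such paths before touching the filesystem, e.g. `case "/$FILE_PATH/" in */../*) echo "skipping unsafe path: $FILE_PATH" >&2; continue;; esac` right after `FILE_PATH` is computed. `git commit` on a fresh Actions runner has no author identity configured, so under `set -e` the first event aborts the whole loop unless the script (or the calling workflow) runs `git config user.name` / `git config user.email` first. The `|| true` on `gh pr create` hides every failure of that call, including a missing `GH_TOKEN`, so a run that opened no PRs still exits 0; drop it or at least print a warning in the failure branch. Lastly, `git push` will fail if `$BRANCH_NAME` already exists on the remote from a previous run, which again stops the loop; consider `--force-with-lease` or skipping the event when the branch exists.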
@@ -0,0 +1,3 @@
+# example
+
+This is an example Go project that will be updated using the example Dependabot CLI workflow.
diff --git a/example/go.mod b/example/go.mod
new file mode 100644
index 0000000..fa0b62e
--- /dev/null
+++ b/example/go.mod
@@ -0,0 +1,8 @@
+module github.com/dependabot/example-cli-usage/example
+
+go 1.24.2
+
+require (
+ golang.org/x/net v0.32.0
+ golang.org/x/text v0.21.0
+)
diff --git a/example/go.sum b/example/go.sum
new file mode 100644
index 0000000..704655a
--- /dev/null
+++ b/example/go.sum
@@ -0,0 +1,4 @@
+golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
+golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
diff --git a/example/main.go b/example/main.go
new file mode 100644
index 0000000..b9f4002
--- /dev/null
+++ b/example/main.go
@@ -0,0 +1,8 @@
+package example
+
+import (
+ _ "golang.org/x/net/html"
+ _ "golang.org/x/text"
+)
+
+func main() {}
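Review bot: `main.go` declares `package example` but defines `func main() {}`, which in a non-main package is just an unused unexported function (staticcheck would flag it) and `go build` produces no binary; either switch to `package main` or drop the function. The blank imports are presumably there only to keep both modules listed as direct requirements in `go.mod`, which is what the `dependency-type: direct` filter in the Dependabot config matches on; say so above the import block, e.g. `// Blank imports keep these modules as direct dependencies so Dependabot has something to update.`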