From b08237eaa4352ffaf330ba02a026c11214975650 Mon Sep 17 00:00:00 2001 From: Valerii Svydenko Date: Thu, 21 May 2026 14:09:14 +0300 Subject: [PATCH 1/2] ci: add workflow to auto-regenerate licenses for Dependabot PRs Co-Authored-By: Claude Opus 4.6 Signed-off-by: Valerii Svydenko --- .github/workflows/dependabot-license.yml | 93 ++++++++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100644 .github/workflows/dependabot-license.yml diff --git a/.github/workflows/dependabot-license.yml b/.github/workflows/dependabot-license.yml new file mode 100644 index 0000000..d961e42 --- /dev/null +++ b/.github/workflows/dependabot-license.yml @@ -0,0 +1,93 @@ +# +# Copyright (c) 2022-2026 +# This program and the accompanying materials are made +# available under the terms of the Eclipse Public License 2.0 +# which is available at https://www.eclipse.org/legal/epl-2.0/ +# +# SPDX-License-Identifier: EPL-2.0 +# + +name: Dependabot License Update + +on: + pull_request: + types: [opened, synchronize] + branches: + - main + +permissions: + contents: write + +jobs: + update-licenses: + runs-on: ubuntu-22.04 + if: github.actor == 'dependabot[bot]' + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.head_ref }} + fetch-depth: 0 + + - name: Use Node 24 + uses: actions/setup-node@v4 + with: + node-version: 24 + + - name: Install dependencies + run: yarn install + + - name: Regenerate licenses + run: | + MAX_ATTEMPTS=3 + for attempt in $(seq 1 $MAX_ATTEMPTS); do + echo "=== Attempt $attempt of $MAX_ATTEMPTS ===" + + if yarn license:generate; then + echo "License generation succeeded." + break + fi + + if [ ! -f .deps/problems.md ]; then + echo "::error::License generation failed but no problems.md found." + exit 1 + fi + + SECTION="" + while IFS= read -r line; do + if echo "$line" | grep -q "## UNRESOLVED Production dependencies"; then + SECTION="prod" + elif echo "$line" | grep -q "## UNRESOLVED Development dependencies"; then + SECTION="dev" + fi + + PKG=$(echo "$line" | grep -oP '`\K[^`]+' || true) + if [ -z "$PKG" ] || [ -z "$SECTION" ]; then + continue + fi + + EXCLUDED_FILE=".deps/EXCLUDED/${SECTION}.md" + if grep -qF "\`${PKG}\`" "$EXCLUDED_FILE" 2>/dev/null; then + echo "Already excluded: $PKG" + continue + fi + + echo "| \`${PKG}\` | transitive dependency |" >> "$EXCLUDED_FILE" + echo "Added $PKG to $EXCLUDED_FILE" + done < .deps/problems.md + + if [ "$attempt" -eq "$MAX_ATTEMPTS" ]; then + echo "::error::Failed to resolve all dependencies after $MAX_ATTEMPTS attempts." + exit 1 + fi + done + + - name: Commit and push changes + run: | + git diff --quiet .deps/ && exit 0 + + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git add .deps/ + git commit -s -m "chore(deps): regenerate license dependencies" + git push From 0baa14bed1575c63891781d785e191e458bf7442 Mon Sep 17 00:00:00 2001 From: Valerii Svydenko Date: Thu, 21 May 2026 16:38:25 +0300 Subject: [PATCH 2/2] ci: use verified PR user login instead of spoofable actor Co-Authored-By: Claude Opus 4.6 Signed-off-by: Valerii Svydenko --- .github/workflows/dependabot-license.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependabot-license.yml b/.github/workflows/dependabot-license.yml index d961e42..c0bc2b5 100644 --- a/.github/workflows/dependabot-license.yml +++ b/.github/workflows/dependabot-license.yml @@ -21,7 +21,7 @@ permissions: jobs: update-licenses: runs-on: ubuntu-22.04 - if: github.actor == 'dependabot[bot]' + if: github.event.pull_request.user.login == 'dependabot[bot]' steps: - name: Checkout uses: actions/checkout@v4