ci(workflows): sign commits for @dependabot

Signed-off-by: Lexus Drumgold <unicornware@flexdevelopment.llc>
flex-development · Aug 25, 2022 · 86cd4fb · 86cd4fb
1 parent 7fea72a
commit 86cd4fb
Showing 1 changed file with 31 additions and 9 deletions.
diff --git a/.github/workflows/dependabot-auto.yml b/.github/workflows/dependabot-auto.yml
@@ -14,22 +14,19 @@
 # - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#pull_request
 # - https://docs.github.com/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
 # - https://github.com/actions/checkout
-# - https://github.com/actions/setup-node
+# - https://github.com/crazy-max/ghaction-import-gpg
 # - https://github.com/dependabot/fetch-metadata
 # - https://github.com/hmarr/debug-action
 
 ---
 name: dependabot-auto
 on: pull_request
-permissions:
-  contents: write
-  pull-requests: write
 env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GITHUB_TOKEN: ${{ secrets.PAT_DEPENDABOT }}
   YARN_ENABLE_IMMUTABLE_INSTALLS: false
 jobs:
   dependabot-auto:
-    if: github.actor == 'dependabot[bot]'
+    if: github.actor == 'dependabot[bot]' || github.actor == 'flexdevelopment'
     runs-on: ubuntu-latest
     steps:
       - id: debug
@@ -46,6 +43,27 @@ jobs:
         with:
           persist-credentials: ${{ steps.metadata.outputs.package-ecosystem == 'npm_and_yarn' }}
           ref: ${{ github.head_ref }}
+          token: ${{ env.GITHUB_TOKEN }}
+      - id: gpg-import
+        name: Import GPG key
+        if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
+        uses: crazy-max/ghaction-import-gpg@v5.1.0
+        with:
+          git_commit_gpgsign: true
+          git_config_global: true
+          git_user_signingkey: true
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+      # todo: remove when https://github.com/crazy-max/ghaction-import-gpg/issues/118 is resolved
+      - id: gpg-trust
+        name: Set trust on GPG key
+        if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
+        run: |
+          gpg --no-tty --command-fd 0 --edit-key ${{ steps.gpg-import.outputs.keyid }} << EOTRUST
+          trust
+          5
+          y
+          quit
+          EOTRUST
       - id: lockfile-fix
         name: Fix yarn.lock
         if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
@@ -58,11 +76,15 @@ jobs:
         name: Push yarn.lock
         if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
         run: |
-          git config --global user.name '${{ github.actor }}'
-          git config --global user.email '49699333+${{ github.actor }}@users.noreply.github.com'
           git add yarn.lock
           git status
-          git diff-index --quiet HEAD || git commit -m 'chore(yarn): fix lockfile' && git push -f
+          git diff-index --quiet HEAD || git commit -m "$COMMIT_MESSAGE" && git push -f
+        env:
+          GIT_AUTHOR_EMAIL: ${{ steps.gpg-import.outputs.email }}
+          GIT_AUTHOR_NAME: ${{ steps.gpg-import.outputs.name }}
+          GIT_COMMITTER_EMAIL: ${{ steps.gpg-import.outputs.email }}
+          GIT_COMMITTER_NAME: ${{ steps.gpg-import.outputs.name }}
+          COMMIT_MESSAGE: '[dependabot skip] fix lockfile for @dependabot'
       - id: approve-pr
         name: Approve pull request
         run: gh pr review ${{ github.event.number }} --approve