Skip to content
dependabot-auto

ci(deps): Bump actions/checkout from 4.1.0 to 4.1.1 #839

Sign in to view logs

ci(deps): Bump actions/checkout from 4.1.0 to 4.1.1

ci(deps): Bump actions/checkout from 4.1.0 to 4.1.1 #839

Workflow file for this run

.github/workflows/dependabot-auto.yml at 42621c5
# Dependabot Auto
#
# Enable auto-merge and approve pull requests authored by @dependabot.
#
# Note: @dependabot generates Yarn v1 lockfiles despite this project using a different Yarn version.
# This corrupts the project lockfile. A workaround has been implemented to autofix lockfile format
# and deduplicate dependencies. Check https://github.com/dependabot/dependabot-core/issues/1297 for
# details pertaining to the safe removal of this workflow.
#
# References:
#
# - https://cli.github.com/manual/gh_pr_merge
# - https://cli.github.com/manual/gh_pr_review
# - https://docs.github.com/actions/learn-github-actions/contexts
# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#pull_request
# - https://docs.github.com/actions/using-workflows/using-github-cli-in-workflows
# - https://docs.github.com/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request
# - https://github.com/actions/checkout
# - https://github.com/crazy-max/ghaction-import-gpg
# - https://github.com/dependabot/fetch-metadata
# - https://github.com/hmarr/debug-action
---
name: dependabot-auto
on: pull_request
env:
GITHUB_TOKEN: ${{ secrets.PAT_BOT }}
YARN_ENABLE_IMMUTABLE_INSTALLS: false
jobs:
dependabot-auto:
if: github.actor == 'dependabot[bot]' || github.actor == 'flexdevelopment'
runs-on: ubuntu-latest
steps:
- id: debug
name: Print environment variables and event payload
uses: hmarr/debug-action@v2.1.0
- id: metadata
name: Fetch metadata
uses: dependabot/fetch-metadata@v1.6.0
with:
skip-commit-verification: true
- id: checkout
name: Checkout ${{ github.head_ref }}
uses: actions/checkout@v4.1.1
with:
persist-credentials: ${{ steps.metadata.outputs.package-ecosystem == 'npm_and_yarn' }}
ref: ${{ github.head_ref }}
token: ${{ env.GITHUB_TOKEN }}
- id: gpg-import
name: Import GPG key
if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
uses: crazy-max/ghaction-import-gpg@v6.0.0
with:
git_commit_gpgsign: true
git_config_global: true
git_user_signingkey: true
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
# todo: remove when https://github.com/crazy-max/ghaction-import-gpg/issues/118 is resolved
- id: gpg-trust
name: Set trust on GPG key
if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
run: |
gpg --no-tty --command-fd 0 --edit-key ${{ steps.gpg-import.outputs.keyid }} << EOTRUST
trust
5
y
quit
EOTRUST
- id: lockfile-fix
name: Fix yarn.lock
if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
run: yarn --mode=update-lockfile
- id: dedupe
name: Deduplicate dependencies
if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
run: yarn dedupe --mode=update-lockfile
- id: lockfile-push
name: Push yarn.lock
if: steps.metadata.outputs.package-ecosystem == 'npm_and_yarn'
env:
GIT_AUTHOR_EMAIL: ${{ steps.gpg-import.outputs.email }}
GIT_COMMITTER_EMAIL: ${{ steps.gpg-import.outputs.email }}
COMMIT_MESSAGE: 'build(yarn): [dependabot skip] fix lockfile for @dependabot'
run: |
git add yarn.lock
git status
git diff-index --quiet HEAD || git commit -s -m "$COMMIT_MESSAGE" && git push -f
- id: approve-pr
name: Approve pull request containing minor or patch updates
if: steps.metadata.outputs.update-type != 'version-update:semver-major'
run: gh pr review ${{ github.event.number }} --approve