
add scheduled dependency autoupdate workflow#12

Merged
vzakharchenko merged 1 commit into
mainfrom
ci/dependency-autoupdate-workflow
May 19, 2026

Conversation

@vzakharchenko

Two new workflows under .github/workflows/:

  • autoupdate.yml runs every 6h (and on-demand via workflow_dispatch). Adapted from the keycloak-radius-plugin pattern but driven by scripts/update-dependencies.sh instead of an ad-hoc shell script:

    • Checkout main with AUTOUPDATE_PAT so the PR creator is the same identity that authored prior PRs (passes branch-protection rules around required reviewers).
    • Set up Temurin JDK 21 with Maven cache; deliberately no actions/setup-node — frontend-maven-plugin downloads Node + npm into target/ from our pom, so the runner stays minimal.
    • Maintain a 'dependencies_updated' label, close superseded PRs, and sweep orphan dependencies/auto-* branches from prior failed runs.
    • Run the existing update-dependencies.sh end-to-end (library reactor via versions-maven-plugin, sample frontend via the frontend-maven-plugin npm-upgrade-deps goal).
    • If anything changed, branch dependencies/auto-YYYY-MM-DD, commit with SKIP_HOOKS=1 (CI re-runs the build anyway), force-push, open PR with the auto-merge label.
  • automerge.yml enables GitHub auto-merge on any PR opened by dependabot[bot] or labelled dependencies_updated, so the autoupdate PR self-merges as soon as required checks pass.

Also tightens scripts/update-dependencies.sh: the frontend npm leg now invokes mvn initialize com.github.eirslett:frontend-maven-plugin:npm@npm-upgrade-deps in one chained command, ensuring install-node-and-npm and npm-install run before npm-upgrade-deps (without this, ncu was not yet on the PATH from a fresh checkout and the goal failed at the first command).

Manual prerequisites in the repository (outside this commit):

  • Add an AUTOUPDATE_PAT repository secret with repo + workflow scopes, owned by a maintainer who can satisfy branch-protection.
  • Allow GitHub Actions to create PRs (Settings → Actions → General).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
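An added sketch of the autoupdate job the description above lays out; this is illustrative example code, not the repository's own autoupdate.yml, and the action versions, bot identity, commit message and PR text are assumptions.

```yaml
name: autoupdate
on:
  schedule:
    - cron: '0 */6 * * *'   # every 6 hours, as described in the PR
  workflow_dispatch:        # on-demand runs
permissions:                # least privilege for the default GITHUB_TOKEN
  contents: write
  pull-requests: write
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      # Checkout with the PAT so pushes and PRs carry the maintainer identity.
      # Pinning actions to a commit SHA rather than a tag is the safer choice.
      - uses: actions/checkout@v4
        with:
          ref: main
          token: ${{ secrets.AUTOUPDATE_PAT }}
      # JDK only; Node/npm are fetched by frontend-maven-plugin into target/.
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '21'
          cache: maven
      - name: Run the existing updater script
        run: scripts/update-dependencies.sh
      - name: Close superseded PRs and open a fresh one if anything changed
        env:
          GH_TOKEN: ${{ secrets.AUTOUPDATE_PAT }}
        run: |
          if [ -z "$(git status --porcelain)" ]; then
            echo "no dependency changes"; exit 0
          fi
          branch="dependencies/auto-$(date -u +%F)"
          # Bot identity is an assumption; use the identity the PAT belongs to.
          git config user.name  "autoupdate-bot"
          git config user.email "autoupdate-bot@users.noreply.github.com"
          git checkout -B "$branch"
          git add -A
          SKIP_HOOKS=1 git commit -m "chore(deps): automated dependency update $(date -u +%F)"
          git push --force origin "$branch"
          gh label create dependencies_updated --force --description "auto-merge candidate"
          # Close any earlier autoupdate PR still open before opening the new one.
          gh pr list --label dependencies_updated --state open --json number -q '.[].number' \
            | xargs -r -n1 gh pr close
          gh pr create --base main --head "$branch" --label dependencies_updated \
            --title "chore(deps): automated dependency update" \
            --body "Generated by scripts/update-dependencies.sh"
```

Because the companion automerge workflow merges anything carrying the dependencies_updated label, restricting who can apply that label matters as much as the PAT scopes.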
qltysh Bot commented May 19, 2026

Coverage Impact

This PR will not change total coverage.


@vzakharchenko vzakharchenko merged commit bde6397 into main May 19, 2026
9 checks passed
@vzakharchenko vzakharchenko deleted the ci/dependency-autoupdate-workflow branch May 19, 2026 20:11