diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index d9b611e86f..0000000000 --- a/.github/dependabot.yml +++ /dev/null @@ -1,44 +0,0 @@ -version: 2 -updates: - - package-ecosystem: npm - directory: "/" - schedule: - # We found daily updates to be too noisy. They consumed too much CI time and engineer review - # time relative to the benefit of being on such a bleeding edge. - interval: monthly - open-pull-requests-limit: 25 - labels: [] # disable default labels - - # Define groups of dependencies to be updated together - # https://github.blog/changelog/2023-06-30-grouped-version-updates-for-dependabot-public-beta/ - groups: - storybook: - patterns: - - "storybook" - - "@storybook/*" - eslint: - patterns: - - "@typescript-eslint/*" - emotion: - patterns: - - "@emotion/*" - jest: - patterns: - - "jest" - - "jest-*" - - "babel-jest" - - "@types/jest" - webpack: - patterns: - - "webpack" - - "webpack-cli" - - "webpack-dev-server" - babel: - patterns: - - "@babel/*" - - - package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "daily" - labels: [] # disable default labels diff --git a/.github/workflows/dependabot-fix.yml b/.github/workflows/dependabot-fix.yml deleted file mode 100644 index 6a3afd2256..0000000000 --- a/.github/workflows/dependabot-fix.yml +++ /dev/null @@ -1,80 +0,0 @@ -# Automatically run `yarn dedupe` for dependabot PRs. -# This is necessary because dependabot doesn't run it automatically: -# https://github.com/dependabot/dependabot-core/issues/5830 -# -# Note: We use the `pull_request_target` event due to GitHub security measures. -# It is important to ensure we don't execute any untrusted PR code in this context. -# See: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/ -# https://securitylab.github.com/research/github-actions-preventing-pwn-requests - -name: Dependabot - -on: - - pull_request_target - -jobs: - fix: - runs-on: ubuntu-latest - if: github.actor == 'dependabot[bot]' - - # IMPORTANT: setting YARN_ENABLE_SCRIPTS=false is critical to ensure that untrusted - # PRs can't add an npm package and then use that to execute untrusted code in - # a trusted context. See links at the top of this workflow for further details. - # See also: https://github.com/yarnpkg/berry/issues/1679#issuecomment-669937860 - env: - YARN_ENABLE_SCRIPTS: false - - steps: - - uses: actions/checkout@v4.1.1 - with: - # Using a Personal Access Token here is required to trigger workflows on our new commit. - # The default GitHub token doesn't trigger any workflows. - # See: https://github.community/t/push-from-action-does-not-trigger-subsequent-action/16854/2 - token: ${{ secrets.FOXGLOVEBOT_GITHUB_TOKEN }} - ref: ${{ github.event.pull_request.head.ref }} - - - run: git lfs pull --include .yarn/ - - - run: corepack enable - - - uses: actions/setup-node@v4.0.2 - with: - node-version: 16.17 - cache: yarn - - - run: yarn install --mode skip-build - env: - # yarn runs in immutable mode "by default" in CI -- turning this off requires an - # undocumented env var - YARN_ENABLE_IMMUTABLE_INSTALLS: false - - - run: yarn dedupe - - - name: Commit yarn.lock - run: | - git config user.name "dependabot[bot]" - git config user.email "49699333+dependabot[bot]@users.noreply.github.com" - git add -u - git commit -m '[dependabot skip] Fix yarn.lock' --allow-empty - git push - - - uses: octokit/request-action@v2.1.9 - if: contains(fromJSON('["opened", "reopened"]'), github.event.action) - env: - GITHUB_TOKEN: ${{ secrets.FOXGLOVEBOT_GITHUB_TOKEN }} - with: - route: POST /repos/{owner_and_repo}/pulls/{pull_number}/reviews - owner_and_repo: ${{ github.repository }} - pull_number: ${{ github.event.pull_request.number }} - event: "APPROVE" - - - uses: octokit/request-action@v2.1.9 - if: contains(fromJSON('["opened", "reopened"]'), github.event.action) - env: - GITHUB_TOKEN: ${{ secrets.FOXGLOVEBOT_GITHUB_TOKEN }} - with: - route: POST /repos/{owner_and_repo}/issues/{pull_number}/comments - owner_and_repo: ${{ github.repository }} - pull_number: ${{ github.event.pull_request.number }} - # two quotes are needed to avoid a syntax error when running the action - body: "'@dependabot squash and merge'"