From 49e2230fb2963af19508635994c9a4fdc531e76d Mon Sep 17 00:00:00 2001
From: Steve Repsher
Date: Tue, 20 Dec 2022 19:59:03 +0000
Subject: [PATCH 1/6] Add workflow job to deduplicate dependabot pull requests
---
 .github/workflows/ci.yaml | 99 +++++++++++++++++++++++++++++++++------
 1 file changed, 85 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 63f2305ff154..3d1d24aa3757 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -15,21 +15,82 @@ env: NODE_OPTIONS: --max_old_space_size=6144 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +permissions: {} + jobs: + dedupe: + name: Deduplicate dependencies + # Skip unless this is a dependabot pull request + if: | + github.actor == 'dependabot[bot]' && + startsWith(github.head_ref, 'dependabot/npm_and_yarn/') + permissions: + contents: write + runs-on: ubuntu-latest + outputs: + # Downstream jobs need to use this SHA to get the dedupe commit + sha: ${{ steps.get-sha.outputs.sha }} + steps: + - name: Check out files from GitHub + uses: actions/checkout@v3 + with: + # Checkout PR head instead of merge commit + # Use ref, not SHA, so reruns get the dedupe commit + ref: ${{ github.event.pull_request.head.ref }} + - name: Set up Node ${{ env.NODE_VERSION }} + uses: actions/setup-node@v3 + with: + node-version: ${{ env.NODE_VERSION }} + cache: yarn + - name: Install dependencies + # Do not run build scripts as a security measure since job has write permissions + run: yarn install --immutable --mode=skip-build + - name: Deduplicate dependencies + run: yarn dedupe --mode=skip-build + - name: Commit changes + run: | + git config user.name "GitHub Action" + git config user.email "github-action@users.noreply.github.com" + git add yarn.lock + git commit -m "Deduplicate dependencies" || exit 0 + git push origin HEAD:$GITHUB_HEAD_REF + echo "DEDUPED=true" >> $GITHUB_ENV + - name: Output updated SHA for merge commit + id: get-sha + shell: bash + timeout-minutes: 15 + run: | + if [ -v DEDUPED ]; then + echo "Waiting for GitHub to do the mergability check and update the commit SHA..." 
+ while [ -z "$sha" -o "$sha" == "$GITHUB_SHA" ]; do + sleep 5s + sha=`git ls-remote origin $GITHUB_REF | awk '{print $1}'` + done + else + echo "No deduplication required so using current merge commit SHA" + # Still need to query remote here in case of rerun where previous attempt was deduplicated + sha=`git ls-remote origin $GITHUB_REF | awk '{print $1}'` + fi + echo "Done - SHA is $sha" + echo "sha=$sha" >> $GITHUB_OUTPUT lint: + name: Lint and check format + needs: dedupe + # Allow dedupe job to be skipped + if: ${{ !failure() && !cancelled() }} runs-on: ubuntu-latest steps: - name: Check out files from GitHub uses: actions/checkout@v3 + with: + ref: ${{ needs.dedupe.outputs.sha }} - name: Set up Node ${{ env.NODE_VERSION }} uses: actions/setup-node@v3 with: node-version: ${{ env.NODE_VERSION }} cache: yarn - name: Install dependencies - run: yarn install - env: - CI: true + run: yarn install --immutable - name: Build resources run: ./node_modules/.bin/gulp gen-icons-json build-translations build-locale-data gather-gallery-pages - name: Run eslint 
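Review bot: The new `dedupe` job is granted `contents: write`, and the workflow-level `env:` shown in the hunk context exports `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to every step, so the write-scoped token sits in the environment of `yarn install` and `yarn dedupe` while they process dependency data from the pull request. `--mode=skip-build` keeps package build scripts from running, but it is the only barrier, and `actions/checkout` also leaves the token in the local git config by default. Consider clearing the variable on the two yarn steps (a step-level `env:` with `GITHUB_TOKEN: ""`), or checking out with `persist-credentials: false` and supplying the token only to the `Commit changes` step.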
@@ -41,57 +102,67 @@ jobs: - name: Check for duplicate dependencies run: yarn dedupe --check test: + name: Run tests + needs: dedupe + # Allow dedupe job to be skipped + if: ${{ !failure() && !cancelled() }} runs-on: ubuntu-latest steps: - name: Check out files from GitHub uses: actions/checkout@v3 + with: + ref: ${{ needs.dedupe.outputs.sha }} - name: Set up Node ${{ env.NODE_VERSION }} uses: actions/setup-node@v3 with: node-version: ${{ env.NODE_VERSION }} cache: yarn - name: Install dependencies - run: yarn install - env: - CI: true + run: yarn install --immutable - name: Build resources run: ./node_modules/.bin/gulp build-translations build-locale-data - name: Run Tests run: yarn run test build: + name: Build frontend + needs: [dedupe, lint, test] + # Allow dedupe job to be skipped + if: ${{ !failure() && !cancelled() }} runs-on: ubuntu-latest - needs: [lint, test] steps: - name: Check out files from GitHub uses: actions/checkout@v3 + with: + ref: ${{ needs.dedupe.outputs.sha }} - name: Set up Node ${{ env.NODE_VERSION }} uses: actions/setup-node@v3 with: node-version: ${{ env.NODE_VERSION }} cache: yarn - name: Install dependencies - run: yarn install - env: - CI: true + run: yarn install --immutable - name: Build Application run: ./node_modules/.bin/gulp build-app env: IS_TEST: "true" supervisor: - runs-on: ubuntu-latest + name: Build supervisor needs: [lint, test] + # Allow dedupe job to be skipped + if: ${{ !failure() && !cancelled() }} + runs-on: ubuntu-latest steps: - name: Check out files from GitHub uses: actions/checkout@v3 + with: + ref: ${{ needs.dedupe.outputs.sha }} - name: Set up Node ${{ env.NODE_VERSION }} uses: actions/setup-node@v3 with: node-version: ${{ env.NODE_VERSION }} cache: yarn - name: Install dependencies - run: yarn install - env: - CI: true + run: yarn install --immutable - name: Build Application run: ./node_modules/.bin/gulp build-hassio env: From 997455932f0f22a06d46f7fa65926171320c1c05 Mon Sep 17 00:00:00 2001 
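Review bot: The `supervisor` job sets its checkout `ref` to `${{ needs.dedupe.outputs.sha }}` but keeps `needs: [lint, test]`, whereas `build` in the same hunk was changed to `needs: [dedupe, lint, test]`. The `needs` context only exposes jobs listed as direct dependencies, so in `supervisor` the expression would evaluate to an empty string and the job would check out the default ref instead of the deduplicated commit. Change the line to `needs: [dedupe, lint, test]`. The `supervisor` job body continues past the end of the hunk.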
From: Steve Repsher Date: Wed, 21 Dec 2022 14:01:39 +0000 Subject: [PATCH 2/6] Update bash style to quote variables and use [[ and $() --- .github/workflows/ci.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 3d1d24aa3757..a6151af742fb 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -53,26 +53,26 @@ jobs: git config user.email "github-action@users.noreply.github.com" git add yarn.lock git commit -m "Deduplicate dependencies" || exit 0 - git push origin HEAD:$GITHUB_HEAD_REF - echo "DEDUPED=true" >> $GITHUB_ENV + git push origin "HEAD:${GITHUB_HEAD_REF}" + echo "DEDUPED=true" >> "${GITHUB_ENV}" - name: Output updated SHA for merge commit id: get-sha shell: bash timeout-minutes: 15 run: | - if [ -v DEDUPED ]; then + if [[ -v DEDUPED ]]; then echo "Waiting for GitHub to do the mergability check and update the commit SHA..." - while [ -z "$sha" -o "$sha" == "$GITHUB_SHA" ]; do + while [[ -z "${sha}" || "${sha}" == "${GITHUB_SHA}" ]]; do sleep 5s - sha=`git ls-remote origin $GITHUB_REF | awk '{print $1}'` + sha=$(git ls-remote origin "${GITHUB_REF}" | awk '{print $1}') done else echo "No deduplication required so using current merge commit SHA" # Still need to query remote here in case of rerun where previous attempt was deduplicated - sha=`git ls-remote origin $GITHUB_REF | awk '{print $1}'` + sha=$(git ls-remote origin "${GITHUB_REF}" | awk '{print $1}') fi - echo "Done - SHA is $sha" - echo "sha=$sha" >> $GITHUB_OUTPUT + echo "Done - SHA is ${sha}" + echo "sha=${sha}" >> "${GITHUB_OUTPUT}" lint: name: Lint and check format needs: dedupe From de03c9610b43daacd2249c94876a1399bcb02631 Mon Sep 17 00:00:00 2001 
From: Steve Repsher
Date: Mon, 6 Feb 2023 20:44:02 +0000
Subject: [PATCH 3/6] Revise to use separate workflow with GitHub app
---
 .github/workflows/ci.yaml | 77 +----------------------------------
 .github/workflows/dedupe.yaml | 50 +++++++++++++++++++++++
 2 files changed, 51 insertions(+), 76 deletions(-)
 create mode 100644 .github/workflows/dedupe.yaml
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 40ac8b224bd5..d9e4751ae842 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -15,75 +15,13 @@ env: NODE_OPTIONS: --max_old_space_size=6144 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -permissions: {} - jobs: - dedupe: - name: Deduplicate dependencies - # Skip unless this is a dependabot pull request - if: | - github.actor == 'dependabot[bot]' && - startsWith(github.head_ref, 'dependabot/npm_and_yarn/') - permissions: - contents: write - runs-on: ubuntu-latest - outputs: - # Downstream jobs need to use this SHA to get the dedupe commit - sha: ${{ steps.get-sha.outputs.sha }} - steps: - - name: Check out files from GitHub - uses: actions/checkout@v3.3.0 - with: - # Checkout PR head instead of merge commit - # Use ref, not SHA, so reruns get the dedupe commit - ref: ${{ github.event.pull_request.head.ref }} - - name: Set up Node ${{ env.NODE_VERSION }} - uses: actions/setup-node@v3.6.0 - with: - node-version: ${{ env.NODE_VERSION }} - cache: yarn - - name: Install dependencies - # Do not run build scripts as a security measure since job has write permissions - run: yarn install --immutable --mode=skip-build - - name: Deduplicate dependencies - run: yarn dedupe --mode=skip-build - - name: Commit changes - run: | - git config user.name "GitHub Action" - git config user.email "github-action@users.noreply.github.com" - git add yarn.lock - git commit -m "Deduplicate dependencies" || exit 0 - git push origin "HEAD:${GITHUB_HEAD_REF}" - echo "DEDUPED=true" >> "${GITHUB_ENV}" - - name: Output updated SHA for merge commit - id: get-sha - shell: bash - timeout-minutes: 15 - run: | - if [[ -v DEDUPED ]]; then - echo "Waiting for GitHub to do the mergability check and update the commit SHA..." 
- while [[ -z "${sha}" || "${sha}" == "${GITHUB_SHA}" ]]; do - sleep 5s - sha=$(git ls-remote origin "${GITHUB_REF}" | awk '{print $1}') - done - else - echo "No deduplication required so using current merge commit SHA" - # Still need to query remote here in case of rerun where previous attempt was deduplicated - sha=$(git ls-remote origin "${GITHUB_REF}" | awk '{print $1}') - fi - echo "Done - SHA is ${sha}" - echo "sha=${sha}" >> "${GITHUB_OUTPUT}" lint: name: Lint and check format - needs: dedupe - # Allow dedupe job to be skipped - if: ${{ !failure() && !cancelled() }} runs-on: ubuntu-latest steps: - name: Check out files from GitHub uses: actions/checkout@v3.3.0 - with: - ref: ${{ needs.dedupe.outputs.sha }} - name: Set up Node ${{ env.NODE_VERSION }} uses: actions/setup-node@v3.6.0 with: @@ -103,15 +41,10 @@ jobs: run: yarn dedupe --check test: name: Run tests - needs: dedupe - # Allow dedupe job to be skipped - if: ${{ !failure() && !cancelled() }} runs-on: ubuntu-latest steps: - name: Check out files from GitHub uses: actions/checkout@v3.3.0 - with: - ref: ${{ needs.dedupe.outputs.sha }} - name: Set up Node ${{ env.NODE_VERSION }} uses: actions/setup-node@v3.6.0 with: @@ -125,15 +58,11 @@ jobs: run: yarn run test build: name: Build frontend - needs: [dedupe, lint, test] - # Allow dedupe job to be skipped - if: ${{ !failure() && !cancelled() }} + needs: [lint, test] runs-on: ubuntu-latest steps: - name: Check out files from GitHub uses: actions/checkout@v3.3.0 - with: - ref: ${{ needs.dedupe.outputs.sha }} - name: Set up Node ${{ env.NODE_VERSION }} uses: actions/setup-node@v3.6.0 with: 
@@ -148,14 +77,10 @@ jobs: supervisor: name: Build supervisor needs: [lint, test] - # Allow dedupe job to be skipped - if: ${{ !failure() && !cancelled() }} runs-on: ubuntu-latest steps: - name: Check out files from GitHub uses: actions/checkout@v3.3.0 - with: - ref: ${{ needs.dedupe.outputs.sha }} - name: Set up Node ${{ env.NODE_VERSION }} uses: actions/setup-node@v3.6.0 with: diff --git a/.github/workflows/dedupe.yaml b/.github/workflows/dedupe.yaml new file mode 100644 index 000000000000..8692e2de0e59 --- /dev/null +++ b/.github/workflows/dedupe.yaml 
@@ -0,0 +1,50 @@ +name: Deduplicate Dependabot + +on: + push: + branches: + - dependabot/npm_and_yarn/* + +env: + NODE_VERSION: 16 + NODE_OPTIONS: --max_old_space_size=6144 + +permissions: + contents: write + +jobs: + dedupe: + name: Deduplicate dependencies + # Only trigger on initial commit from dependabot + if: github.actor == 'dependabot[bot]' + runs-on: ubuntu-latest + steps: + - name: Generate app token + # Use a GitHub app to checkout and commit in order to re-trigger the CI workflow + # (because actions with GITHUB_TOKEN do not trigger new events) + id: generate_token + uses: tibdex/github-app-token@v1.7.0 + with: + app_id: ${{ secrets.HA_COMMITTER_APP_ID }} + private_key: ${{ secrets.HA_COMMITTER_PRIVATE_KEY }} + - name: Check out files from GitHub + uses: actions/checkout@v3.3.0 + with: + token: ${{ steps.generate_token.outputs.token }} + - name: Set up Node ${{ env.NODE_VERSION }} + uses: actions/setup-node@v3.6.0 + with: + node-version: ${{ env.NODE_VERSION }} + cache: yarn + - name: Install dependencies + # Do not run build scripts as a security measure since job has write permissions + run: yarn install --immutable --mode=skip-build + - name: Deduplicate dependencies + run: yarn dedupe --mode=skip-build + - name: Commit changes + run: | + git config user.name "Home Assistant Committer" + git config user.email "hello@home-assistant.io" + git add yarn.lock + git commit -m "Deduplicate dependencies" || exit 0 + git push origin "HEAD:${GITHUB_HEAD_REF}" From 7c1b2e01fec93f8fb736e13b9d438947264c2a8d Mon Sep 17 00:00:00 2001 From: Steve Repsher Date: Mon, 6 Feb 2023 21:12:26 +0000 Subject: [PATCH 4/6] Add concurrency rules to cancel workflows in progress --- .github/workflows/ci.yaml | 4 ++++ .github/workflows/dedupe.yaml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index d9e4751ae842..a0a15070fd55 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
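Review bot: The `Generate app token` step passes `HA_COMMITTER_PRIVATE_KEY` to `tibdex/github-app-token@v1.7.0`, a third-party action referenced by a tag its owner can move, so whatever code that tag points at later would receive the app's private key; pin it to a full commit SHA, e.g. `uses: tibdex/github-app-token@<full-commit-sha>  # v1.7.0`. Because checkout and push both use the app token, the workflow-level `permissions: contents: write` on `GITHUB_TOKEN` looks unnecessary and could be `contents: read`. Separately, the workflow triggers on `push`, and `GITHUB_HEAD_REF` is only populated for pull-request events, so `git push origin "HEAD:${GITHUB_HEAD_REF}"` likely expands to an empty destination; `"HEAD:${GITHUB_REF_NAME}"` would name the pushed branch. The same push line appears unchanged as context in patch 6.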
@@ -15,6 +15,10 @@ env: NODE_OPTIONS: --max_old_space_size=6144 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + jobs: lint: name: Lint and check format diff --git a/.github/workflows/dedupe.yaml b/.github/workflows/dedupe.yaml index 8692e2de0e59..74731dad590f 100644 --- a/.github/workflows/dedupe.yaml +++ b/.github/workflows/dedupe.yaml @@ -12,6 +12,10 @@ env: permissions: contents: write +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: dedupe: name: Deduplicate dependencies From bb6fb5fb89caee65d0a73379eb2a645618c31499 Mon Sep 17 00:00:00 2001 From: Steve Repsher Date: Mon, 6 Feb 2023 21:16:38 +0000 Subject: [PATCH 5/6] Move dedupe check up to fail faster --- .github/workflows/ci.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index a0a15070fd55..5bb593d7e923 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -33,6 +33,8 @@ jobs: cache: yarn - name: Install dependencies run: yarn install --immutable + - name: Check for duplicate dependencies + run: yarn dedupe --check - name: Build resources run: ./node_modules/.bin/gulp gen-icons-json build-translations build-locale-data gather-gallery-pages - name: Run eslint @@ -41,8 +43,6 @@ jobs: run: yarn run lint:types - name: Run prettier run: yarn run lint:prettier - - name: Check for duplicate dependencies - run: yarn dedupe --check test: name: Run tests runs-on: ubuntu-latest From f7e2fb5271e4a1542b70f4213d88023acece3e9e Mon Sep 17 00:00:00 2001 From: Steve Repsher Date: Tue, 14 Feb 2023 17:30:09 +0000 Subject: [PATCH 6/6] Allow dependabot to rebase over dedupe commit --- .github/workflows/dedupe.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
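Review bot: Between the `env:` block and `jobs:` in `ci.yaml` this hunk adds only `concurrency:`; the `permissions: {}` line that patch 3 of this series removed from the same spot is not restored, so unless it is declared outside the hunk the CI jobs run with the repository's default token scopes. The same context exports `GITHUB_TOKEN` to every step, and the lint, test and build jobs run `yarn install --immutable` with build scripts enabled. Adding `permissions:` with `contents: read` alongside the new key would keep the token read-only while code from pull requests is installed and built.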
diff --git a/.github/workflows/dedupe.yaml b/.github/workflows/dedupe.yaml
index 74731dad590f..1734f7f05b0b 100644
--- a/.github/workflows/dedupe.yaml
+++ b/.github/workflows/dedupe.yaml
@@ -50,5 +50,5 @@ jobs:
 git config user.name "Home Assistant Committer"
 git config user.email "hello@home-assistant.io"
 git add yarn.lock
- git commit -m "Deduplicate dependencies" || exit 0
+ git commit -m "Deduplicate dependencies [dependabot skip]" || exit 0
 git push origin "HEAD:${GITHUB_HEAD_REF}"