
Add workflow job to deduplicate dependabot pull requests #14845

Closed
wants to merge 9 commits into from
54 changes: 54 additions & 0 deletions .github/workflows/dedupe.yaml
@@ -0,0 +1,54 @@
name: Deduplicate Dependabot
Member

Even with this being split out in a separate workflow, I still do not think this is something we should add.

If this is an issue, that should be documented and reported to GitHub.
We should not add this level of workarounds, which to me at least clearly shows that something is wrong with how it works.

Member

Agree with @ludeeus on this.

An alternative could be: don't use dependabot for this task.
An alternative could be, for example, Renovate. That is a competitor to dependabot that can actually dedupe (if configured as such).

../Frenck

Member

Renovate seems like a nice option

Member Author

I agree Renovate is probably the better option for HA. In addition to being able to dedupe, it also handles monorepos much better, which has also been annoying from dependabot.

Closing this, but for posterity I brought it up to date and also added a simple change which addresses @ludeeus's concern about dependabot losing its rebase capability when committing the dedupe.

I'll submit a request to install Renovate and would be happy to work on the config PR.


on:
push:
branches:
- dependabot/npm_and_yarn/*

env:
NODE_VERSION: 16
NODE_OPTIONS: --max_old_space_size=6144

permissions:
contents: write

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
dedupe:
name: Deduplicate dependencies
# Only trigger on initial commit from dependabot
if: github.actor == 'dependabot[bot]'
runs-on: ubuntu-latest
steps:
- name: Generate app token
# Use a GitHub app to checkout and commit in order to re-trigger the CI workflow
# (because actions with GITHUB_TOKEN do not trigger new events)
id: generate_token
uses: tibdex/github-app-token@v1.7.0
with:
app_id: ${{ secrets.HA_COMMITTER_APP_ID }}
private_key: ${{ secrets.HA_COMMITTER_PRIVATE_KEY }}
Comment on lines +32 to +33
Member Author

@steverep steverep Feb 6, 2023

@balloob I'm about to transfer ownership of a simple GH app with content permissions. Could you:

  1. Add a couple secrets for the App ID (not client ID) and private key with these names? You'll have to generate a new private key and delete the existing one.
  2. Install the app in the frontend repo?

- name: Check out files from GitHub
uses: actions/checkout@v3.3.0
with:
token: ${{ steps.generate_token.outputs.token }}
- name: Set up Node ${{ env.NODE_VERSION }}
uses: actions/setup-node@v3.6.0
with:
node-version: ${{ env.NODE_VERSION }}
cache: yarn
- name: Install dependencies
# Do not run build scripts as a security measure since job has write permissions
run: yarn install --immutable --mode=skip-build
- name: Deduplicate dependencies
run: yarn dedupe --mode=skip-build
- name: Commit changes
run: |
git config user.name "Home Assistant Committer"
git config user.email "hello@home-assistant.io"
git add yarn.lock
git commit -m "Deduplicate dependencies [dependabot skip]" || exit 0
git push origin "HEAD:${GITHUB_HEAD_REF}"
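Review bot: `${GITHUB_HEAD_REF}` in the final `git push` is only populated for `pull_request` and `pull_request_target` events, so under this workflow's `push` trigger it expands to an empty string and the commit will not be pushed to the dependabot branch; use `${GITHUB_REF_NAME}` (or `${GITHUB_REF#refs/heads/}`) instead. Since this job holds `contents: write` plus an app token and runs on branches pushed by dependabot, also consider pinning `tibdex/github-app-token`, `actions/checkout` and `actions/setup-node` to full commit SHAs rather than version tags, and keep `--mode=skip-build` on both `yarn install` and `yarn dedupe` so no dependency lifecycle scripts execute with that token in scope.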