✅ Deploy Preview for docssigstore ready!
Enable weekly dependency scanning for npm and GitHub Actions. Auto-merge patch and minor updates via squash when CI passes. Major version bumps still require manual review.

Signed-off-by: Patrick Smyth <patrick.smyth@chainguard.dev>
e85e1e8 to c48a2be
| @@ -0,0 +1,21 @@ | |||
| version: 2 | |||
| updates: | |||
| - package-ecosystem: "npm" | |||
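Review bot: the visible lines of the new dependabot.yml end at the npm entry, but every `updates` entry also needs a `directory` and a `schedule` block (`interval: "weekly"` to match the commit message), and the GitHub Actions scanning the commit message promises needs a second entry with `package-ecosystem: "github-actions"`. Since patch and minor bumps are to be merged without human review, consider adding a `cooldown:` block (for example `default-days: 7`) to each entry so that a freshly published version is not proposed until it has been public for some days; most compromised npm releases are pulled within that window.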
Can we add a cooldown period, given the frequency of npm package compromises?
| jobs: | ||
| dependabot: | ||
| runs-on: ubuntu-latest | ||
| if: github.actor == 'dependabot[bot]' |
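Review bot: the job-level `if: github.actor == 'dependabot[bot]'` tests the account that triggered the workflow run, not the author of the pull request, so it changes when a maintainer re-runs the workflow and it does not express what the auto-merge should actually be gated on. `if: github.event.pull_request.user.login == 'dependabot[bot]'` checks the PR author directly and is what GitHub's own Dependabot automation guide uses; the job should also be limited to the `pull_request` event so the expression is always defined.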
https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/automating-dependabot-with-github-actions#enabling-automerge-on-a-pull-request suggests using github.event.pull_request.user.login rather than github.actor, can we use that? I'm guessing that makes this more resistant to impersonation attempts?
| - name: Enable auto-merge for patch and minor updates | ||
| if: steps.metadata.outputs.update-type != 'version-update:semver-major' | ||
| run: gh pr merge --auto --squash "$PR_URL" |
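Review bot: `gh pr merge --auto` only enqueues the merge; if branch protection requires a review from someone other than the author, the PR stays open until a reviewer approves, so either an explicit approval step or a protection exception for Dependabot PRs is needed before this step has any effect. The step also reads `$PR_URL` and `gh` needs a token, so confirm the `env:` block sets `PR_URL: ${{ github.event.pull_request.html_url }}` and `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, and that the workflow's `permissions:` grants `contents: write` and `pull-requests: write` and nothing broader, since this job merges code.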
I'm not 100% sure this will work, as we have the repo configured to require a review from someone who isn't the submitter. If this does work, I think we'll need another step to approve the PR too since we require PR approval before merging.
Enables weekly dependency scanning for npm and GitHub Actions. Auto-merge patch and minor updates via squash when CI passes. Major version bumps still require manual review.
cc @Hayden-IO this doesn't come up too much on this repo but should save a little work over time
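As an added illustration of the two points raised in review (the cooldown and the PR-author check), here is what the pair of files could look like; this is example configuration written for this discussion, not the PR's actual files, and the `directory`, `cooldown` values, `@v2` tag of `dependabot/fetch-metadata` and workflow file name are assumptions.

```yaml
# .github/dependabot.yml  (example, not the PR's file)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"           # assumed location of package.json
    schedule:
      interval: "weekly"
    # Do not propose a version until it has been public for a while,
    # so a compromised release that is yanked within days never
    # becomes an auto-merged PR. Days are example values.
    cooldown:
      default-days: 7
      semver-major-days: 30
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
---
# .github/workflows/dependabot-automerge.yml  (example, not the PR's file)
name: Dependabot auto-merge
on: pull_request
# Least privilege: only what `gh pr merge` needs.
permissions:
  contents: write
  pull-requests: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Gate on the PR author, not on whoever triggered this run.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - id: metadata
        uses: dependabot/fetch-metadata@v2   # pin to a commit SHA in practice
      - name: Enable auto-merge for patch and minor updates
        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh pr merge --auto --squash "$PR_URL"
```

With a branch rule that requires a non-author review, the merge is still only queued; a separate approval step or a Dependabot-specific exception in the rule is what lets it complete.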