name: Dependabot Workflow
# Pushes follow-up commits to Dependabot branches so that the corresponding
# PRs can pass every required status check.
#
# WARNING: this workflow runs on pull_request_target and explicitly checks out
# the PR head. That combination lets PR-controlled code run with a token that
# has write access and with access to secrets, which can lead to repository
# compromise:
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
#
# Mitigation: the job only runs when the triggering actor is Dependabot and
# the PR carries the expected labels. The two conditions are partly
# redundant, since applying labels already requires write access to the
# repository.
#
# The "two-workflow method" described at
# https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions#handling-push-events
# avoids the checkout-under-pull_request_target pattern altogether, but is
# more work to set up than is warranted here.
on:
  pull_request_target:
    types:
      - labeled
      - synchronize
permissions:
  contents: write
jobs:
  # Runs "go mod tidy" for every Go module in the repository and commits the
  # result back to the Dependabot branch.
  tidy:
    name: Go tidiness for Dependabot PR
    # 'dependencies' and 'go' are the labels Dependabot applies by default
    # when it updates Go dependencies.
    if: ${{ github.actor == 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'dependencies') && contains(github.event.pull_request.labels.*.name, 'go') }}
    runs-on:
      - ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Check out the pull request HEAD (the commit Dependabot pushed),
          # not the base branch.
          ref: ${{ github.event.pull_request.head.sha }}
          # PAT with write access; the commit step below relies on it to push
          # back to the Dependabot branch.
          token: ${{ secrets.ANTREA_BOT_WRITE_PAT }}
      - name: Set up Go using version from go.mod
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
          cache-dependency-path: '**/go.sum'
      - name: Run go mod tidy
        # "make tidy" comes from the checked-out PR, so the actor and label
        # conditions on this job are what stop a third party from shipping a
        # modified "tidy" Makefile target that runs arbitrary code with this
        # job's write token and secrets. Adding the "dependencies" and "go"
        # labels needs write access to the repository.
        run: make tidy
      - name: Commit changes
        uses: stefanzweifel/git-auto-commit-action@v5
        with:
          commit_message: Go tidiness for Dependabot PR
          commit_options: '--no-verify'
          file_pattern: '**/go.mod **/go.sum'
          disable_globbing: false