GithubHelp home page GithubHelp logo

makeshift / generate-dependabot-glob-action Goto Github PK

View Code? Open in Web Editor NEW
17.0 2.0 4.0 456 KB

Generates a `dependabot.yml` and PRs it against your repo if it needs updating to include a new directory or package-ecosystem, with globs/wildcards

JavaScript 98.58% Dockerfile 0.97% HCL 0.45%
dependabot dependency-management github-actions

generate-dependabot-glob-action's Introduction

Generate Dependabot Glob Action

This action creates a dependabot.yml file from a user-provided template by replacing instances of directory globs with an array of objects matching that glob, with all the other keys copied.

For example, the following template:

  - package-ecosystem: 'docker'
    directory: '/test/docker/*/Dockerfile*'
    schedule:
      interval: 'daily'

Will result in:

  - package-ecosystem: 'docker'
    directory: '/test/docker/container_1/'
    schedule:
      interval: 'daily'
  - package-ecosystem: 'docker'
    directory: '/test/docker/container_2/'
    schedule:
      interval: 'daily'
  - package-ecosystem: 'docker'
    directory: '/test/docker/weird_dockerfile/'
    schedule:
      interval: 'daily'

Note that the basename of any matching directory is used as the value.

This action uses the glob node module. Refer to its documentation for more information on the glob syntax.

The default configuration for glob is as follows:

const globOpts = {
  root: process.cwd(),
  mark: true,
  matchBase: true,
  nomount: true,
  follow: core.getInput('follow-symbolic-links') === 'true'
}

If these options are not sufficient, please open an issue and let me know.

Quickstart

Create a .github/dependabot.template.yml file

This is just a normal dependabot.yml file, but with globs/wildcards in the directory field. Note that comments will not be transferred to the generated file.

version: 2

updates:
- package-ecosystem: 'github-actions'
  # No globs
  directory: '/'
  schedule:
    interval: 'daily'

- package-ecosystem: 'docker'
  # Simple globs
  directory: '/test/docker/*/Dockerfile*'
  schedule:
    interval: 'weekly'

- package-ecosystem: 'npm'
  # Simple glob + extglob
  directory: '/test/npm/*/{package-lock.json,yarn.lock}'
  ignore:
    - dependency-name: '*'
  schedule:
    interval: 'daily'

- package-ecosystem: 'terraform'
  # Searches the entire tree, but only matches files with the given name
  # This actually outputs without a leading slash, but dependabot doesn't seem to care
  # Note the . is escaped, node-glob doesn't search hidden files by default
  directory: '\.terraform.lock.hcl'
  commit-message:
    prefix: 'terraform'
  schedule:
    interval: 'weekly'

Create a .github/workflows/generate_dependabot.yml file

The action does not create a PR or otherwise commit the generated file, so we can use another action like peter-evans/create-pull-request to do that.

name: Generate dependabot.yml

on:
  push:
  repository_dispatch:
  workflow_dispatch:

jobs:
  generate:
    runs-on: ubuntu-latest
    steps:
      
      - uses: actions/checkout@v3
        
      - name: Generate dependabot.yml
        uses: Makeshift/generate-dependabot-glob-action@master

      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v4

Done. Now, whenever you push to the repository, or manually trigger the workflow, a PR will be created with the generated dependabot.yml file matching your wildcards if they've changed.

Inputs

parameter description required default
template-file Location of the file to use as template false .github/dependabot.template.yml
follow-symbolic-links Indicates whether to follow symbolic links (If you want to put your template in a weird place) false true
file-header Header to add to the generated file. ${input-name} will be replaced with the value of the given input. false # This file was generated by the "Generate Dependabot Glob" action. Do not edit it directly. # Make changes to ${template-file} and a PR will be automatically created.

generate-dependabot-glob-action's People

Contributors

dependabot[bot] avatar florianmutter avatar makeshift avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar

Forkers

nwhobart jhongturney github pure0stelme

generate-dependabot-glob-action's Issues

Any way to ignore a directory?

First off thanks for this workflow. Really appreciate it. I have a folder structure that looks similar to:

โžœ ls
README.md modules   test1     test2     test3

is there any way to transform this so i can ignore the modules directory entirely?:

- package-ecosystem: 'terraform'
  directory: '*/\.terraform.lock.hcl'
  commit-message:
    prefix: 'terraform'
  schedule:
    interval: 'weekly'

I have tried following a pattern as given in the glob docs

// all js files, but don't look in node_modules
const jsfiles = await glob('**/*.js', { ignore: 'node_modules/**' })

However I get errors on the run:

YAMLException: bad indentation of a mapping entry (11:51)


 11 |  ... erraform.lock.hcl, { ignore: 'modules/**' }'
-----------------------------------------^
 12 |  ... 
 13 |  ... rm'
    at generateError (/runner/_work/_actions/Makeshift/generate-dependabot-glob-action/master/dist/index.js:6344:10)
    at throwError (/runner/_work/_actions/Makeshift/generate-dependabot-glob-action/master/dist/index.js:6348:9)
    at readBlockMapping (/runner/_work/_actions/Makeshift/generate-dependabot-glob-action/master/dist/index.js:7343:7)
    at composeNode (/runner/_work/_actions/Makeshift/generate-dependabot-glob-action/master/dist/index.js:7602:12)
    at readBlockSequence (/runner/_work/_actions/Makeshift/generate-dependabot-glob-action/master/dist/index.js:7169:5)
    at composeNode (/runner/_work/_actions/Makeshift/generate-dependabot-glob-action/master/dist/index.js:7633:45)
    at readBlockMapping (/runner/_work/_actions/Makeshift/generate-dependabot-glob-action/master/dist/index.js:7325:11)
    at composeNode (/runner/_work/_actions/Makeshift/generate-dependabot-glob-action/master/dist/index.js:7602:12)
    at readDocument (/runner/_work/_actions/Makeshift/generate-dependabot-glob-action/master/dist/index.js:7786:3)
    at loadDocuments (/runner/_work/_actions/Makeshift/generate-dependabot-glob-action/master/dist/index.js:7849:5) {
  reason: 'bad indentation of a mapping entry',
  mark: {
    name: null,
    buffer: 'version: 2\n' +
      '\n' +
      'updates:\n' +
      "- package-ecosystem: 'github-actions'\n" +
      '  # No globs\n' +
      "  directory: '/'\n" +
      '  schedule:\n' +
      "    interval: 'daily'\n" +
      '\n' +
      "- package-ecosystem: 'terraform'\n" +
      "  directory: '**/\\.terraform.lock.hcl, { ignore: 'modules/**' }'\n" +
      '  commit-message:\n' +
      "    prefix: 'terraform'\n" +
      '  schedule:\n' +
      "    interval: 'weekly'\n",
    position: 207,
    line: 10,
    column: 50,
    snippet: "  8 |  ... '\n" +
      '  9 |  ... \n' +
      " 10 |  ...  'terraform'\n" +
      " 11 |  ... erraform.lock.hcl, { ignore: 'modules/**' }'\n" +
      '-----------------------------------------^\n' +
      ' 12 |  ... \n' +
      " 13 |  ... rm'"
  }
}
Error: bad indentation of a mapping entry (11:51)

Any thoughts on if what I'm trying to do is possible?

Looking for maintainers?

Hello ๐Ÿ‘‹

It looks like this excellent action could use a little love, even just the basics like approving dependabot updates. I use this pretty frequently and would like to see it just kept up-to-date, even if we don't have much time to get to new features. Are you interested in a helping hand?

Inject comment in generated file

A lot of my org is aware of Dependabot, and it's easily "googleable". Dependabot file generation is not yet. It would be really useful to me to allow the generator to inject a (customizable?) header on the generated file that indicates, Do not modify this file directly; modify dependabot.template.yaml. The motivation is that further generations of SRE / DevOps / Engineers / etc. can avoid the mistake of changing the generated file directly, and losing those changes when this action runs at a later time.

I could put such a message in the template file directly, but it feels awkward to put a message there that says "don't change this file, change (the same) file".

In practice, the common case would be that when the generate-dependable-glob-action GHA workflow creates a PR, and that PR shows overwritten changes, but it feels like that could be an avoidable frustration for whomever is managing the PR.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.