mirror of
https://github.com/astral-sh/setup-uv.git
synced 2026-03-10 08:42:21 +00:00
2ff70eebcc
## Summary - keep the Dependabot build workflow single-job, but harden it a bit - replace `git-auto-commit-action` with explicit `git` commands and step-scoped push auth - add concurrency, a timeout, stricter Dependabot gating, and a guard for moved PR heads ## Why The workflow currently fails in the commit step because `actions/checkout` uses `persist-credentials: false`, but `git-auto-commit-action` later tries to push via `origin` without any credentials: ``` fatal: could not read Username for 'https://github.com': No such device or address ``` This change fixes that failure while keeping credentials scoped to the push step instead of persisting them for the whole job. ## Details - require `github.event.pull_request.user.login == 'dependabot[bot]'` - also require the PR head repo to match `github.repository` - also require the head ref to start with `dependabot/` - check out the exact PR head SHA - run `npm ci --ignore-scripts` - disable git hooks before commit - skip the dist commit if the PR head moved during the run ## Validation - `actionlint .github/workflows/dependabot-build.yml`
68 lines
2.1 KiB
YAML
68 lines
2.1 KiB
YAML
name: Dependabot Build
|
|
|
|
on:
|
|
pull_request:
|
|
types: [opened, synchronize, reopened]
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
|
|
cancel-in-progress: true
|
|
|
|
permissions:
|
|
contents: write
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: ubuntu-latest
|
|
if: >-
|
|
github.event.pull_request.user.login == 'dependabot[bot]' &&
|
|
github.event.pull_request.head.repo.full_name == github.repository &&
|
|
startsWith(github.head_ref, 'dependabot/')
|
|
timeout-minutes: 15
|
|
steps:
|
|
- name: Checkout PR branch
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
ref: ${{ github.event.pull_request.head.sha }}
|
|
persist-credentials: false
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
|
|
with:
|
|
node-version-file: .nvmrc
|
|
cache: npm
|
|
|
|
- name: Install dependencies
|
|
run: npm ci --ignore-scripts
|
|
|
|
- name: Build and test
|
|
run: npm run all
|
|
|
|
- name: Commit built dist
|
|
env:
|
|
EXPECTED_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
git config user.name "github-actions[bot]"
|
|
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
|
git config --local core.hooksPath /dev/null
|
|
|
|
git fetch --no-tags --depth=1 origin "${GITHUB_HEAD_REF}"
|
|
if [ "$(git rev-parse FETCH_HEAD)" != "${EXPECTED_HEAD_SHA}" ]; then
|
|
echo "::notice::Skipping dist commit because ${GITHUB_HEAD_REF} moved after the workflow started."
|
|
exit 0
|
|
fi
|
|
|
|
git add --all dist/
|
|
|
|
if git diff --cached --quiet; then
|
|
echo "No dist changes to commit."
|
|
exit 0
|
|
fi
|
|
|
|
git commit -m "Build dist for Dependabot update"
|
|
|
|
auth="$(printf 'x-access-token:%s' "$GITHUB_TOKEN" | base64 | tr -d '\n')"
|
|
git -c "http.https://github.com/.extraheader=AUTHORIZATION: basic ${auth}" \
|
|
push origin "HEAD:${GITHUB_HEAD_REF}"
|