feat: add process-dependabot-reusable workflow #418
Closed
Conversation
Adds a reusable GitHub Actions workflow (`process-dependabot-reusable`) to streamline handling of Dependabot PRs across repositories.

* **Generates changelog entries** for each updated dependency, ensuring consistent documentation of version bumps.
* **Enables auto-merge** to merge the PR once it has been reviewed and all required checks pass, reducing manual overhead for routine updates.

This workflow helps enforce update standards while automating repetitive tasks, supporting smoother and more consistent dependency management.
Pull Request Overview
This PR introduces a reusable GitHub Actions workflow to automate Dependabot PR processing, including changelog generation and auto-merging.
- Adds a changelog template entry for the new workflow
- Updates the Maven build config to ignore `node_modules`
- Creates `.github/workflows/process-dependabot-reusable.yaml` and removes the old merge workflow
- Implements a custom `generate-dependabot-changelog` action with its supporting code and tests
Reviewed Changes
Copilot reviewed 26 out of 26 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/changelog/.12.x.x/add-deploy-profile.xml | Adds a changelog entry for the new deploy profile |
| pom.xml | Excludes node_modules from license checks |
| .github/workflows/process-dependabot-reusable.yaml | Defines the reusable Dependabot workflow |
| .github/workflows/merge-dependabot.yaml | Removes the old merge-dependabot workflow |
| .github/actions/generate-dependabot-changelog/tsconfig.json | TypeScript config for the custom action |
| .github/actions/generate-dependabot-changelog/src/pull_request.ts | Fetches associated PR for a commit |
| .github/actions/generate-dependabot-changelog/src/pull_request.test.ts | Tests for getAssociatedPullRequest |
| .github/actions/generate-dependabot-changelog/src/maven.ts | Parses project version from pom.xml |
| .github/actions/generate-dependabot-changelog/src/maven.test.ts | Tests for version parsing |
| .github/actions/generate-dependabot-changelog/src/main.ts | Main action logic (generate entries) |
| .github/actions/generate-dependabot-changelog/src/main.test.ts | Tests for the main action |
| .github/actions/generate-dependabot-changelog/src/dependabot.ts | Extracts dependency metadata from commit message |
| .github/actions/generate-dependabot-changelog/src/dependabot.test.ts | Tests for metadata extraction |
| .github/actions/generate-dependabot-changelog/src/changelog.ts | Builds XML changelog entries |
| .github/actions/generate-dependabot-changelog/src/changelog.test.ts | Tests for XML generation |
| .github/actions/generate-dependabot-changelog/package.json | Declares dependencies and scripts |
| .github/actions/generate-dependabot-changelog/jest.config.js | Jest configuration for the action |
| .github/actions/generate-dependabot-changelog/eslint.config.mjs | ESLint configuration |
| .github/actions/generate-dependabot-changelog/action.yml | Action metadata (inputs/outputs) |
| .github/actions/generate-dependabot-changelog/README.md | Documentation for the custom action |
Comments suppressed due to low confidence (2)
src/changelog/.12.x.x/add-deploy-profile.xml:8
- The description references `process-dependabot-workflow` but the new workflow is named `process-dependabot-reusable`. Update the name to match the actual workflow.

  Flagged line: `Added process-dependabot-workflow to handle Dependabot PRs under RTC restrictions.`
.github/workflows/process-dependabot-reusable.yaml:118
- The auto-merge step defines `AUTO_MERGE_TOKEN` as an input but uses `GH_TOKEN: ${{ github.token }}`. It should use the provided `AUTO_MERGE_TOKEN` (`secrets.AUTO_MERGE_TOKEN`) to ensure the correct token is applied.

  Flagged line: `env:`
ppkarwasz added a commit that referenced this pull request on Jun 22, 2025:
…ive)

This PR introduces a **reusable GitHub Actions workflow**, `process-dependabot-reusable`, designed to streamline the handling of Dependabot pull requests across repositories — implemented entirely with **shell scripts**. This serves as a Bash-based alternative to #418, which uses TypeScript.

### 🔄 Key Differences from #418

* **Trigger**: Runs on `pull_request_target` (not `push`), which is required by the `dependabot/fetch-metadata` action.
* **Implementation**: Written using **standard POSIX tools** with a few dependencies:
  * **`bash`** – some Bash-specific constructs are used
  * **`jq`** – for processing JSON output from `dependabot/fetch-metadata`
  * **`xmlstarlet`** – for parsing `pom.xml` and generating a changelog XML file
  * **`git`** – to commit and push any changes
  * **`gh`** – to enable "auto-merge" on the pull request

This approach avoids the Node.js/TypeScript toolchain and relies only on standard CLI tools commonly available in CI environments.
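The two points raised on this page, the review comment that the auto-merge step should run with the caller-supplied `AUTO_MERGE_TOKEN` rather than `github.token`, and the commit message's note that the workflow runs on `pull_request_target`, combine into the following sketch of a reusable workflow and its caller. This is an added illustration written for this page, not the project's own workflow file from #418 or #419; the job names, the `AUTO_MERGE_TOKEN` secret name, the `OWNER/REPO` reference and the semver gate are assumptions. The weak `GH_TOKEN` setting the review flagged is shown in a comment directly above the corrected one.

```yaml
# Illustrative reusable workflow (not the project's file). Names below are assumptions.
# --- callee: .github/workflows/process-dependabot-reusable.yaml ---
name: process-dependabot-reusable
on:
  workflow_call:
    secrets:
      AUTO_MERGE_TOKEN:
        description: Token allowed to enable auto-merge on the pull request
        required: true

permissions:
  contents: write
  pull-requests: write

jobs:
  process:
    runs-on: ubuntu-latest
    # pull_request_target runs in the base repository's context with its secrets.
    # Gate on Dependabot so no other PR author can reach these steps.
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Check out the base ref (the default under pull_request_target), never the
      # PR head: head code would execute with the base repository's secrets.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.base.ref }}

      - name: Enable auto-merge
        # Assumed policy: do not auto-merge major version bumps.
        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
        # WEAK (what the review flagged): the declared AUTO_MERGE_TOKEN was unused.
        #   env:
        #     GH_TOKEN: ${{ github.token }}
        # CORRECTED: use the token the caller passed in.
        env:
          GH_TOKEN: ${{ secrets.AUTO_MERGE_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: gh pr merge --auto --merge "$PR_URL"

# --- caller repository: .github/workflows/dependabot.yaml (assumed layout) ---
# name: dependabot
# on:
#   pull_request_target:
#     types: [opened, synchronize, reopened]
# jobs:
#   dependabot:
#     uses: OWNER/REPO/.github/workflows/process-dependabot-reusable.yaml@main
#     secrets:
#       AUTO_MERGE_TOKEN: ${{ secrets.AUTO_MERGE_TOKEN }}
```

Two checks worth keeping in mind when adapting this: the reusable workflow inherits the caller's `pull_request_target` event, so `github.event.pull_request` and the Dependabot gate apply inside it, and the auto-merge step only succeeds if the passed token has write access to the repository and auto-merge is enabled in the repository settings, which is why falling back to `github.token` can silently do the wrong thing.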
Contributor, Author:

Now that I am fully satisfied by #419, we can close this PR.