This is an automated email from the ASF dual-hosted git repository.

pkarwasz pushed a commit to branch feat/dependabot-add-changelog2
in repository https://gitbox.apache.org/repos/asf/logging-parent.git

commit 57f5ae9cfd4bf9961b8e487b593464be14f2ed37
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Mon Jun 16 14:39:57 2025 +0200

    feat: add `process-dependabot-reusable` workflow (Bash-based alternative)
    
    This PR introduces a **reusable GitHub Actions workflow**, 
`process-dependabot-reusable`, designed to streamline the handling of 
Dependabot pull requests across repositories — implemented entirely with 
**shell scripts**.
    
    This serves as a Bash-based alternative to #418, which uses TypeScript.
    
    ### 🔄 Key Differences from #418
    
    * **Trigger**: Runs on `pull_request_target` (not `push`), which is 
required by the `dependabot/fetch-metadata` action.
    * **Implementation**: Written using **standard POSIX tools** with a few 
dependencies:
    
      * **`bash`** – some Bash-specific constructs are used
      * **`jq`** – for processing JSON output from `dependabot/fetch-metadata`
      * **`xmlstarlet`** – for parsing `pom.xml` and generating a changelog XML 
file
      * **`git`** – to commit and push any changes
      * **`gh`** – to enable "auto-merge" on the pull request
    
    This approach avoids the Node.js/TypeScript toolchain and relies only on 
standard CLI tools commonly available in CI environments.
---
 .github/workflows/merge-dependabot.yaml            |  42 ------
 .github/workflows/process-dependabot-reusable.yaml | 150 +++++++++++++++++++++
 src/changelog/.12.x.x/add-deploy-profile.xml       |  10 ++
 .../modules/ROOT/examples/process-dependabot.yaml  |  45 +++++++
 src/site/antora/modules/ROOT/pages/workflows.adoc  |  15 ++-
 5 files changed, 217 insertions(+), 45 deletions(-)

diff --git a/.github/workflows/merge-dependabot.yaml 
b/.github/workflows/merge-dependabot.yaml
deleted file mode 100644
index 2d611cc..0000000
--- a/.github/workflows/merge-dependabot.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to you under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-name: merge-dependabot
-
-on:
-  pull_request_target:
-    paths-ignore:
-      - "**.adoc"
-      - "**.md"
-      - "**.txt"
-
-permissions: read-all
-
-jobs:
-
-  build:
-    if: github.repository == 'apache/logging-parent' && github.event_name == 
'pull_request_target' && github.actor == 'dependabot[bot]'
-    uses: ./.github/workflows/build-reusable.yaml
-
-  merge-dependabot:
-    needs: build
-    uses: ./.github/workflows/merge-dependabot-reusable.yaml
-    permissions:
-      contents: write                                             # to push 
changelog commits
-      pull-requests: write                                        # to close 
the PR
-    secrets:
-      GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }}       # to sign 
commits
diff --git a/.github/workflows/process-dependabot-reusable.yaml 
b/.github/workflows/process-dependabot-reusable.yaml
new file mode 100644
index 0000000..8214640
--- /dev/null
+++ b/.github/workflows/process-dependabot-reusable.yaml
@@ -0,0 +1,150 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: Dependabot Process PR
+
+on:
+  workflow_call:
+    inputs:
+      user_name:
+        description: The name of the user to use for the commit
+        default: 'ASF Logging Services RM'
+        type: string
+      user_email:
+        description: The email of the user to use for the commit
+        default: '[email protected]'
+        type: string
+      ref:
+        description: The branch, tag or SHA to checkout
+        default: ${{ github.ref }}
+        type: string
+    secrets:
+      AUTO_MERGE_TOKEN:
+        description: GitHub token to enable auto-merge on PR
+        required: true
+      CONTENT_WRITE_TOKEN:
+        description: GitHub token to push changes
+        required: true
+      GPG_PASSPHRASE:
+        description: GPG passphrase for signing commits
+        required: false
+      GPG_PRIVATE_KEY:
+        description: GPG secret key for signing commits
+        required: true
+
+jobs:
+
+  generate-changelog:
+    # Skip this workflow on commits not pushed by Dependabot
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    runs-on: ubuntu-latest
+
+    steps:
+
+      - name: Fetch Dependabot metadata
+        id: dependabot
+        uses: 
dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # 2.4.0
+        with:
+          github-token: ${{ github.token }}
+
+      - name: Check out repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+        with:
+          ref: ${{ inputs.ref }}
+          token: ${{ secrets.CONTENT_WRITE_TOKEN }}
+
+      #
+      - name: Find the release version major
+        shell: bash
+        run: |
+          revision=$(
+            xmlstarlet sel \
+            -N m=http://maven.apache.org/POM/4.0.0 \
+            --template --value-of /m:project/m:properties/m:revision \
+            pom.xml
+          )
+          if [[ ! $revision =~ ^[0-9]+\.[0-9]+\.[0-9]+(-SNAPSHOT)?$ ]]; then
+            echo "Invalid version format: $version"
+          exit 1
+          fi
+          parts=(${revision//./ })
+          echo "RELEASE_VERSION_MAJOR=${parts[0]}" >> $GITHUB_ENV
+
+      - name: Create changelog entries
+        shell: bash
+        env:
+          PR_ID: ${{ github.event.pull_request.number }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          RELEASE_VERSION_MAJOR: ${{ env.RELEASE_VERSION_MAJOR }}
+          UPDATED_DEPENDENCIES: ${{ 
steps.dependabot.outputs.updated-dependencies-json }}
+        run: |
+          function generate_changelog_entry() {
+            local dependency="$1"
+            local dependency_name=$(echo "$dependency" | jq -r 
'.dependencyName' | xmlstarlet esc)
+            local new_version=$(echo "$dependency" | jq -r '.newVersion' | 
xmlstarlet esc)
+            local issue_id=$(xmlstarlet esc "$PR_ID")
+            local issue_link=$(xmlstarlet esc "$PR_URL")
+            cat << CHANGELOG_ENTRY
+          <?xml version="1.0" encoding="UTF-8"?>
+          <!-- SPDX-License-Identifier: Apache-2.0 -->
+          <entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+                 xmlns="https://logging.apache.org/xml/ns";
+                 xsi:schemaLocation="https://logging.apache.org/xml/ns 
https://logging.apache.org/xml/ns/log4j-changelog-0.xsd";
+                 type="updated">
+            <issue id="$issue_id" link="$issue_link"/>
+            <description format="asciidoc">Update \`$dependency_name\` to 
version \`$new_version\`.</description>
+          </entry>
+          CHANGELOG_ENTRY
+          }
+          # Ensure the changelog directory exists
+          release_changelog_path="src/changelog/.${RELEASE_VERSION_MAJOR}.x.x"
+          mkdir -p "$release_changelog_path"
+          cd "$release_changelog_path"
+          # Generate the changelog entries for each updated dependency
+          echo $UPDATED_DEPENDENCIES | jq --compact-output '.[]' | while read 
-r dependency; do
+            # Extract the dependency name and version
+            dependency_name=$(echo "$dependency" | jq -r '.dependencyName')
+            changelog_file_name=$(echo "update_${dependency_name,,}.xml" | sed 
-r -e 's/[^a-z0-9.-]/_/g' -e 's/_+/_/g')
+            generate_changelog_entry "$dependency" > "$changelog_file_name"
+          done
+
+      - name: Set up GPG
+        uses: 
crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # 6.3.0
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+
+      - name: Add & commit changes
+        shell: bash
+        env:
+          COMMIT_MSG: "Generate changelog entries for PR #${{ 
github.event.pull_request.number }}"
+          USER_NAME: ${{ inputs.user_name }}
+          USER_EMAIL: ${{ inputs.user_email }}
+        run: |
+          git add src/changelog
+          git config user.name "$USER_NAME"
+          git config user.email "$USER_EMAIL"
+          git commit -S -m "$COMMIT_MSG"
+          git push origin
+
+      - name: Enable auto-merge on PR
+        shell: bash
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh pr merge --squash --auto "$PR_HTML_URL"
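Review bot: The guard on `generate-changelog` tests `github.actor`, which names whoever triggered the run rather than the author of the pull request, while the job is meant to be called from `pull_request_target` with `CONTENT_WRITE_TOKEN` and the GPG signing key in scope; `if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}` ties the guard to the PR itself. The same guard is repeated on the `process-dependabot` job of the example workflow later in this commit. `actions/checkout` by default keeps the supplied token in the work tree's git configuration for the later `git push origin`, so the checkout step deserves a comment such as `# pull_request_target: never execute anything from the checked-out ref; the write token is persisted for the push`. Two variable names do not match their definitions: the version check prints `$version` where the value is held in `$revision`, and the last step passes `"$PR_HTML_URL"` while its `env:` defines `PR_URL`, so `gh pr merge` receives an empty argument. The required `AUTO_MERGE_TOKEN` secret is never read, because the last step sets `GH_TOKEN` from `github.token` instead.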
diff --git a/src/changelog/.12.x.x/add-deploy-profile.xml 
b/src/changelog/.12.x.x/add-deploy-profile.xml
new file mode 100644
index 0000000..a34ffff
--- /dev/null
+++ b/src/changelog/.12.x.x/add-deploy-profile.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+       xmlns="https://logging.apache.org/xml/ns";
+       xsi:schemaLocation="https://logging.apache.org/xml/ns 
https://logging.apache.org/xml/ns/log4j-changelog-0.xsd";
+       type="added">
+  <issue id="417" link="https://github.com/apache/logging-parent/issues/417"/>
+  <description format="asciidoc">
+    Added `process-dependabot-reusable` to handle Dependabot PRs under RTC 
restrictions.
+  </description>
+</entry>
diff --git a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml 
b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml
new file mode 100644
index 0000000..6f7d204
--- /dev/null
+++ b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml
@@ -0,0 +1,45 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: Dependabot Process PR
+
+on:
+  pull_request_target: {}
+
+permissions: read-all
+
+jobs:
+
+# tag::process-dependabot[]
+  process-dependabot:
+    # Skip this workflow on commits not pushed by Dependabot
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    uses: 
apache/logging-parent/.github/workflows/process-dependabot-reusable.yaml@rel/{project-version}
+    permissions:
+      # The default GITHUB_TOKEN will be used to enable the "auto-merge" on 
the PR
+      pull-requests: write
+    secrets:
+      AUTO_MERGE_TOKEN: ${{ github.token }}
+      CONTENT_WRITE_TOKEN: ${{ secrets.DEPENDABOT_TOKEN }}
+      GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+      GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+    with:
+      user_name: 'Release Manager'
+      user_email: [email protected]
+      # Necessary to let the reusable workflow reference itself
+      reusable_ref: rel/{project-version}
+# end::process-dependabot[]
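Review bot: The `with:` block passes `reusable_ref`, but the reusable workflow added in this commit declares only `user_name`, `user_email` and `ref` as inputs, so the call would presumably be rejected for using an undefined input; drop the line or declare the input in the callee. No `ref` is passed either, so the callee falls back to its default `${{ github.ref }}`, which under `pull_request_target` appears to resolve to the base branch rather than the Dependabot branch; `ref: ${{ github.head_ref }}` would make the checkout and the later push target the PR branch. The comment above `pull-requests: write` explains only the default token, so a second comment on `CONTENT_WRITE_TOKEN` should say that it is the credential with push access and is best scoped to the contents of this one repository.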
diff --git a/src/site/antora/modules/ROOT/pages/workflows.adoc 
b/src/site/antora/modules/ROOT/pages/workflows.adoc
index e9ed9f9..2369dd3 100644
--- a/src/site/antora/modules/ROOT/pages/workflows.adoc
+++ b/src/site/antora/modules/ROOT/pages/workflows.adoc
@@ -104,10 +104,19 @@ To verify the reproducibility of a release, you can use:
 include::example$build.yaml[tag=verify-reproducibility-release,indent=0]
 ----
 
-[#merge-dependabot]
-== 
{project-github-url}/blob/main/.github/workflows/merge-dependabot-reusable.yaml[`merge-dependabot-reusable.yaml`]
+[#process-dependabot]
+== 
{project-github-url}/blob/main/.github/workflows/process-dependabot-reusable.yaml[`process-dependabot-reusable.yaml`]
 
-Merges Dependabot PRs along with changelog entries.
+Helps to process Dependabot pull requests by:
+
+* Generating changelog entries for the updated dependencies.
+* Enabling the "auto-merge" option for the pull request.
+
+.Snippet from an {examples-base-link}/process-dependabot.yaml[example 
`process-dependabot.yaml`] using this workflow
+[source,yaml,subs=+attributes]
+----
+include::example$process-dependabot.yaml[tag=process-dependabot,indent=0]
+----
 
 [#deploy-site]
 == 
{project-github-url}/blob/main/.github/workflows/deploy-site-reusable.yaml[`deploy-site-reusable.yaml`]
