This is an automated email from the ASF dual-hosted git repository.
ppkarwasz pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/logging-parent.git
The following commit(s) were added to refs/heads/main by this push:
new 2d294d4 feat: add `process-dependabot-reusable` workflow (Bash-based
alternative) (#419)
2d294d4 is described below
commit 2d294d41e966e745062ffa2aea300060aab49ccc
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Sat May 2 21:36:56 2026 +0200
feat: add `process-dependabot-reusable` workflow (Bash-based alternative)
(#419)
* feat: add `process-dependabot-reusable` workflow (Bash-based alternative)
This PR introduces a **reusable GitHub Actions workflow**,
`process-dependabot-reusable`, designed to streamline the handling of
Dependabot pull requests across repositories — implemented entirely with
**shell scripts**.
This serves as a Bash-based alternative to #418, which uses TypeScript.
### 🔄 Key Differences from #418
* **Trigger**: Runs on `pull_request_target` (not `push`), which is
required by the `dependabot/fetch-metadata` action.
* **Implementation**: Written using **standard POSIX tools** with a few
dependencies:
* **`bash`** – some Bash-specific constructs are used
* **`jq`** – for processing JSON output from `dependabot/fetch-metadata`
* **`xmlstarlet`** – for parsing `pom.xml` and generating a changelog XML
file
* **`git`** – to commit and push any changes
* **`gh`** – to enable "auto-merge" on the pull request
This approach avoids the Node.js/TypeScript toolchain and relies only on
standard CLI tools commonly available in CI environments.
* fix: Typos detected by Copilot
* fix: install `xmlstarlet`
* fix: replace `apt` with `apt-get`
The `apt` command is not recommended for scripting.
* feat: Split Dependabot workflow into privileged and unprivileged parts
This change splits the Dependabot automation into two reusable workflows:
* **Unprivileged workflow** (`analyze-dependabot-reusable`):
Runs on `pull_request` with no permissions. It analyzes Dependabot PRs
and generates metadata safely.
* **Privileged workflow** (`process-dependabot-reusable`):
Uses the metadata from the unprivileged step to generate changelog files
and enable the "auto-merge" option. Requires access to our GPG key and Personal
Access Token.
* fix: limit the number of tokens
* fix: drop all permissions by default
* Apply suggestions from code review
Co-authored-by: Volkan Yazıcı <[email protected]>
* fix: switch to `dependabot/fetch-metadata`
* fix: apply review suggestions
* fix: extract PR data from caller of `process-dependabot-reusable`
* fix: inline user-name and user-email
* fix: add `changelog-path` and remove `xmlstarlet`
* fix: sort inputs
* fix: filters on PR user
* fix: remove computable parameters
Removes the parameters that can be computed.
* fix: refactor XML escaping
* fix: debug `workflow_run` payload
* fix: remove license line
* fix: add comments to checks
* fix: check order
* fix: adapt to `ppkarwasz` organisation
* Bump Dependabot workflow dependencies
* Remove commit signing
* Modify preconditions
* Apply suggestions from code review
Co-authored-by: Copilot <[email protected]>
* Move Dependabot workflows to #473
This changes:
- Moves reusable workflows to the `gha/v0` branch (#473).
- Creates Dependabot workflows for `logging-parent`.
---------
Co-authored-by: Volkan Yazıcı <[email protected]>
Co-authored-by: dependabot[bot]
<49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Copilot <[email protected]>
---
.github/workflows/analyze-dependabot.yaml | 37 ++++++++++++++
.github/workflows/process-dependabot.yaml | 51 +++++++++++++++++++
src/changelog/.12.x.x/add-deploy-profile.xml | 10 ++++
.../modules/ROOT/examples/analyze-dependabot.yaml | 37 ++++++++++++++
.../modules/ROOT/examples/process-dependabot.yaml | 50 ++++++++++++++++++
src/site/antora/modules/ROOT/pages/workflows.adoc | 59 ++++++++++++++++++++++
6 files changed, 244 insertions(+)
diff --git a/.github/workflows/analyze-dependabot.yaml
b/.github/workflows/analyze-dependabot.yaml
new file mode 100644
index 0000000..326f870
--- /dev/null
+++ b/.github/workflows/analyze-dependabot.yaml
@@ -0,0 +1,37 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: "Dependabot Analyze PR"
+
+on:
+ pull_request:
+
+# Default permissions for each job.
+# Additional permissions should be assigned on a per-job basis.
+permissions: { }
+
+jobs:
+
+ analyze-dependabot:
+ # `github.actor` prevents recursive calls when `github-actions[bot]`
pushes to the PR;
+ # `github.event.pull_request.user.login` skips PRs not opened by
Dependabot.
+ if: ${{
+ github.repository == 'apache/logging-parent'
+ && github.actor == 'dependabot[bot]'
+ && github.event.pull_request.user.login == 'dependabot[bot]'
+ }}
+ uses:
apache/logging-parent/.github/workflows/analyze-dependabot-reusable.yaml@gha/v0
diff --git a/.github/workflows/process-dependabot.yaml
b/.github/workflows/process-dependabot.yaml
new file mode 100644
index 0000000..02ec23a
--- /dev/null
+++ b/.github/workflows/process-dependabot.yaml
@@ -0,0 +1,51 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: "Dependabot Process PR"
+
+on:
+ workflow_run:
+ workflows:
+ - "Dependabot Analyze PR"
+ types:
+ - completed
+
+# Default permissions for each job.
+# Additional permissions should be assigned on a per-job basis.
+permissions: { }
+
+jobs:
+
+ process-dependabot:
+ # Skip this workflow on commits not pushed by Dependabot
+ if: ${{
+ github.repository == 'apache/logging-parent'
+ && github.actor == 'dependabot[bot]'
+ && github.event.workflow_run.conclusion == 'success'
+ }}
+ uses:
apache/logging-parent/.github/workflows/process-dependabot-reusable.yaml@gha/v0
+ permissions:
+ # The default GITHUB_TOKEN will be used to enable the "auto-merge" on
the PR
+ # This requires the following two permissions:
+ contents: write
+ pull-requests: write
+ secrets:
+ # This token will be used to push new content to the repo and trigger
workflows again
+ RECURSIVE_TOKEN: ${{ secrets.DEPENDABOT_TOKEN }}
+ with:
+ # The path to the changelog directory for the current development branch.
+ changelog-path: src/changelog/.12.x.x
diff --git a/src/changelog/.12.x.x/add-deploy-profile.xml
b/src/changelog/.12.x.x/add-deploy-profile.xml
new file mode 100644
index 0000000..a34ffff
--- /dev/null
+++ b/src/changelog/.12.x.x/add-deploy-profile.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+ xmlns="https://logging.apache.org/xml/ns";
+ xsi:schemaLocation="https://logging.apache.org/xml/ns
https://logging.apache.org/xml/ns/log4j-changelog-0.xsd";
+ type="added">
+ <issue id="417" link="https://github.com/apache/logging-parent/issues/417"/>
+ <description format="asciidoc">
+ Added `process-dependabot-reusable` to handle Dependabot PRs under RTC
restrictions.
+ </description>
+</entry>
diff --git a/src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml
b/src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml
new file mode 100644
index 0000000..c1a0d97
--- /dev/null
+++ b/src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml
@@ -0,0 +1,37 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: "Dependabot Analyze PR"
+
+on:
+ pull_request:
+
+permissions: { }
+
+jobs:
+
+# tag::analyze-dependabot[]
+ analyze-dependabot:
+ # `github.actor` prevents recursive calls when `github-actions[bot]`
pushes to the PR;
+ # `github.event.pull_request.user.login` skips PRs not opened by
Dependabot.
+ if: ${{
+ github.repository == 'apache/logging-parent'
+ && github.actor == 'dependabot[bot]'
+ && github.event.pull_request.user.login == 'dependabot[bot]'
+ }}
+ uses:
apache/logging-parent/.github/workflows/analyze-dependabot-reusable.yaml@{project-gha-version}
+# end::analyze-dependabot[]
diff --git a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml
b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml
new file mode 100644
index 0000000..077a581
--- /dev/null
+++ b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml
@@ -0,0 +1,50 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: "Dependabot Process PR"
+
+on:
+ workflow_run:
+ workflows:
+ - "Dependabot Analyze PR"
+ types:
+ - completed
+
+permissions: { }
+
+jobs:
+
+# tag::process-dependabot[]
+ process-dependabot:
+ # Skip this workflow on commits not pushed by Dependabot
+ if: ${{
+ github.repository == 'apache/logging-parent'
+ && github.actor == 'dependabot[bot]'
+ && github.event.workflow_run.conclusion == 'success'
+ }}
+ uses:
apache/logging-parent/.github/workflows/process-dependabot-reusable.yaml@{project-gha-version}
+ permissions:
+ # The default GITHUB_TOKEN will be used to enable the "auto-merge" on
the PR
+ # This requires the following two permissions:
+ contents: write
+ pull-requests: write
+ secrets:
+ RECURSIVE_TOKEN: ${{ secrets.DEPENDABOT_TOKEN }}
+ with:
+ # The path to the changelog directory for the current development branch.
+ changelog-path: src/changelog/.2.x.x
+# end::process-dependabot[]
diff --git a/src/site/antora/modules/ROOT/pages/workflows.adoc
b/src/site/antora/modules/ROOT/pages/workflows.adoc
index cb55de7..2fbb7dd 100644
--- a/src/site/antora/modules/ROOT/pages/workflows.adoc
+++ b/src/site/antora/modules/ROOT/pages/workflows.adoc
@@ -102,6 +102,65 @@ To verify the reproducibility of a release, you can use:
include::example$build.yaml[tag=verify-reproducibility-release,indent=0]
----
+[#analyze-dependabot]
+==
{project-github-url}/blob/{project-gha-version}/.github/workflows/analyze-dependabot-reusable.yaml[`analyze-dependabot-reusable.yaml`]
+
+Analyzes Dependabot pull requests to collect detailed information about
updated dependencies.
+Stores the results in the `dependabot-metadata` artifact,
+which is later consumed by the <<process-dependabot>> workflow to automate
changelog generation and PR processing.
+
+[NOTE]
+====
+This workflow must be triggered by an event that includes the `pull_request`
payload and does not require any privileges.
+It can then be used in a `pull_request` workflow.
+====
+
+.Snippet from an {examples-base-link}/analyze-dependabot.yaml[example
`analyze-dependabot.yaml`] using this workflow
+[source,yaml,subs=+attributes]
+----
+include::example$analyze-dependabot.yaml[tag=analyze-dependabot,indent=0]
+----
+
+[#process-dependabot]
+==
{project-github-url}/blob/{project-gha-version}/.github/workflows/process-dependabot-reusable.yaml[`process-dependabot-reusable.yaml`]
+
+Helps to process Dependabot pull requests by:
+
+* Generating changelog entries for the updated dependencies.
+* Enabling the "auto-merge" option for the pull request.
+
+The workflow needs the following privileged tokens:
+
+`GITHUB_TOKEN`::
+The default GitHub token with `contents:write` and `pull-requests: write`
permissions,
+used to enable auto-merge on pull requests.
++
+This token is automatically provided by GitHub Actions, but needs to be
configured in the `permissions` property.
+
+`RECURSIVE_TOKEN`::
+A GitHub token required to push generated changelog files as a new commit to
the repository.
+The default `GITHUB_TOKEN` can **not** be used,
+as it will not trigger required check runs and will prevent the pull request
from being merged.
+A Personal Access Token (PAT) with `contents:write` permission must be
provided instead.
++
+The token must be passed as a secret named `RECURSIVE_TOKEN`.
+
+This workflow is designed to be triggered by the `workflow_run` event,
+as soon as the <<analyze-dependabot>> workflow completes.
+
+[NOTE]
+====
+When this workflow is triggered by `workflow_run`,
+GitHub Actions uses the "Actions" secret context instead of "Dependabot"
secrets,
+even if the `github.actor` is `dependabot[bot]`.
+====
+
+.Snippet from an {examples-base-link}/process-dependabot.yaml[example
`process-dependabot.yaml`] using this workflow
+[source,yaml,subs=+attributes]
+----
+include::example$process-dependabot.yaml[tag=process-dependabot,indent=0]
+----
+
[#deploy-site]
==
{project-github-url}/blob/{project-gha-version}/.github/workflows/deploy-site-reusable.yaml[`deploy-site-reusable.yaml`]
