Jeff Widman
e21c9fbf3d
Switch to the official action for managing app tokens (#504)
...
Improve security by switching to the official GitHub action
for managing app tokens. More [details](https://github.com/tibdex/github-app-token/issues/99#issuecomment-1787602874).
The `repositories` key is safe to remove because per
the [docs](https://github.com/actions/create-github-app-token?tab=readme-ov-file#repositories):
> If owner and repositories are empty, access will be scoped to only the current repository.
2024-03-21 01:25:10 -07:00
Jeff Widman
3e1bcb99a1
Scope app token to only this repo for security (#501)
...
https://github.com/dependabot/fetch-metadata/pull/442 bumped to a new version
of this action which now supports a `"repositories"` key that scopes the token
to the designated repositories.
2024-03-20 21:19:31 -07:00
dependabot[bot]
f9af96f1e7
Bump tibdex/github-app-token from 1.8.2 to 2.1.0
...
Bumps [tibdex/github-app-token](https://github.com/tibdex/github-app-token) from 1.8.2 to 2.1.0.
- [Release notes](https://github.com/tibdex/github-app-token/releases)
- [Commits](0d49dd7211...3beb63f4bd)
---
updated-dependencies:
- dependency-name: tibdex/github-app-token
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2024-03-21 03:28:08 +00:00
dependabot[bot]
5bb91d5835
Bump actions/setup-node from 3 to 4
...
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 3 to 4.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v3...v4)
---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-11-27 15:30:17 -08:00
dependabot[bot]
1c15625b1b
Bump actions/checkout from 3 to 4
...
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)
---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-09-10 16:58:34 +00:00
dependabot[bot]
9243bcbec4
Bump tibdex/github-app-token from 1.8.0 to 1.8.2
...
Bumps [tibdex/github-app-token](https://github.com/tibdex/github-app-token) from 1.8.0 to 1.8.2.
- [Release notes](https://github.com/tibdex/github-app-token/releases)
- [Commits](b62528385c...0d49dd7211)
---
updated-dependencies:
- dependency-name: tibdex/github-app-token
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2023-09-03 16:29:06 +00:00
Jeff Widman
06df9f85d6
Check for uncommitted files beyond dist/ directory (#278)
...
This checks for _any_ delta in the git repo, not just the `dist/`
directory. Any change should fail CI until it's either committed or
added to `.gitignore`.
Additionally, I clarified the script name/code slightly to explain why
it's needed/handled separately from checking for uncommitted files.
2023-07-25 16:18:05 +00:00
AbdulFattaah Popoola
f5e0b6a123
Aggressively group prod and dev dependencies
...
Use wildcard matching to aggregate prod and dev updates into two separate groups
2023-07-19 10:48:18 -07:00
AbdulFattaah Popoola
b1debf3fda
Generate Dependabot PRs on Sundays weekly
...
See discussion here: github/dependabot-updates#4400 (comment)
2023-07-18 14:27:24 -07:00
Bryan Dragon
c75f584732
Update dependabot.yml
...
Schedule weekly on Mondays at 16:00 UTC
2023-07-06 16:09:07 -06:00
Jeff Widman
d1defa4769
Switch to using an app token instead of a PAT (#362)
...
The app token will persist even as users come/go from the :dependabot:
team.
It also allows us more fine-grained access controls from the app settings
page if we need to suddenly lock down something, we don't have to rely on
the person who created the PAT.
2023-05-23 18:01:02 -07:00
Jeff Widman
3077e54b98
Group :dependabot: PR's for eslint-related deps (#374)
...
There are multiple deps that are `eslint`-related, and since they're all related to a linter, it's very safe to merge them as a single group.
So try kicking the tires on the new "grouping" feature that the :dependabot: team is working on.
2023-05-22 10:15:05 -07:00
Jeff Widman
a2a3a43b4a
Add workflow for floating the v1 tag to the latest release (#361)
...
This adds a workflow for floating the `v1` tag to the latest release.
This way we reduce the chance of someone fat-fingering the necessary
`git` commands.
2023-05-19 08:37:20 -07:00
Jeff Widman
6c5b8c2d48
Add workflow for creating release PR's (#360)
...
Add a workflow for creating release PR's. This way we don't have to do
it locally, and we guarantee the `npm` version used to generate the
version bump is consistent and stays in-sync with the repo instead of
whatever the dev happened to have on their local computer.
2023-05-18 11:56:46 -07:00
Jeff Widman
c40140bc51
Stop using deprecated set-output (#370)
...
The initial impetus for this change was:
https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
However, it turns out the entire step is unnecessary since
`actions/setup-node` supports directly reading the `.nvmrc` file.
2023-05-18 11:05:35 -07:00
Jeff Widman
4ada81eca0
Remove unused step (#358)
...
The output of looking for metadata is never used in this workflow, so
delete the step.
2023-05-17 10:49:26 -07:00
Jeff Widman
14d75f3862
No need to request escalated permissions for GITHUB_TOKEN (#357)
...
Several of these job steps that use `GITHUB_TOKEN` are read-only
operations, so they don't need elevated permissions for the
`GITHUB_TOKEN`.
And the jobs that _do_ need elevated permissions we're already using a
PAT, so it's not even using the `GITHUB_TOKEN`.
So no need for any custom permissions on the `GITHUB_TOKEN` at all.
2023-05-17 10:46:35 -07:00
Jeff Widman
597dd46738
Inline the PR URL (#359)
...
I'm not sure why this went to the trouble of using an env token, I am
fairly sure this can be inlined.
2023-05-17 10:32:42 -07:00
Jeff Widman
b3bc7993c0
Use the full email for the GitHub Actions bot (#354)
...
This is an aesthetic tweak to let the proper avatar show up:
* https://github.com/orgs/community/discussions/26560
* https://github.com/actions/checkout/pull/1184
2023-05-01 20:17:34 -07:00
Barry Gordon
2c14e91d87
Fix typo in build workflow
2022-04-20 11:10:47 +01:00
Barry Gordon
5566d3bb08
Avoid using actor
2022-04-20 10:04:52 +01:00
Barry Gordon
9a3ea4fc12
Correctly checkout the repository to use the local action
2022-04-20 09:59:02 +01:00
Barry Gordon
221b2c09c5
Prefer npm to NPM
...
Co-authored-by: Jurre <jurre@github.com>
2022-04-19 20:01:37 +01:00
Barry Gordon
a20aed188f
Fix script path
2022-04-19 20:00:27 +01:00
Barry Gordon
a5e702392a
Use a single automation PAT
2022-04-19 20:00:27 +01:00
Barry Gordon
f9682a0a6a
Add a workflow to compile dist/ for Dependabot PRs
2022-04-19 20:00:27 +01:00
Barry Gordon
6790cb69ed
Use a separate workflow to check the diff compilation
2022-04-19 20:00:26 +01:00
Barry Gordon
083b8484d8
Dependabot checks monthly, and checks GitHub Actions
2022-04-19 20:00:23 +01:00
Jack Bates
0caf82fe41
Default github-token
2022-02-23 09:57:53 -07:00
Barry Gordon
62295ac080
Execute automerges using a PAT
2022-02-21 21:07:12 +00:00
Barry Gordon
4f3ec532ac
Allow CI to be built on demand
2022-02-21 17:53:57 +00:00
Michael Waddell
960d125896
Check PR Author instead of Action Actor
...
closes issue #112
2022-02-07 11:24:33 -06:00
Barry Gordon
01f7c47c95
Prefer node 16.x
2021-08-03 13:37:24 +01:00
Barry Gordon
4632eebdeb
Automerge needs to checkout repo
2021-06-21 11:26:00 +01:00
Barry Gordon
0a6d9fa005
Merge pull request #29 from dependabot/brrygrdn/enable-auto-merge
...
Enable auto-merge ourselves
2021-06-07 12:26:05 +01:00
Barry Gordon
61c290e9b0
Fix wording for the new issue picker
2021-06-07 12:07:31 +01:00
Barry Gordon
65603acbe7
fix issue templates
2021-06-07 12:05:08 +01:00
Barry Gordon
5c38fd9a13
Rename issue templates
2021-06-07 12:01:43 +01:00
Barry Gordon
53da41479b
Add some issue templates to route support
2021-06-07 11:59:42 +01:00
Barry Gordon
4bf7f88e3b
Enable auto-merge ourselves
2021-06-07 11:09:22 +01:00
Barry Gordon
0871e821e3
Remove old integration test
2021-06-04 11:07:34 +01:00
Barry Gordon
0508b40071
Only run the integration test on Dependabot PRs for now
2021-06-01 14:52:37 +01:00
Barry Gordon
29bd4ae06e
Create dependabot.yml
2021-05-26 18:00:50 +01:00
Barry Gordon
b4eba09477
Add an integration workflow file
2021-05-26 17:56:03 +01:00
Barry Gordon
77e6e637ae
Add main.js as the action entry point
2021-05-26 17:45:19 +01:00
Barry Gordon
0d51a971f0
Add a class to verify dependabot prs/commits
...
- Add ci config
2021-05-26 17:17:18 +01:00