Update dependabot auto-merge workflow to work with recent GitHub chan…

…ges (#719)
ioBroker · Apr 5, 2021 · 893e490 · 893e490
1 parent a75479a
commit 893e490
Show file tree

Hide file tree

Showing 12 changed files with 57 additions and 10 deletions.
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
@@ -4,7 +4,9 @@
 name: Auto-Merge Dependabot PRs
 
 on:
-  pull_request:
+  # WARNING: This needs to be run in the PR base, DO NOT build untrusted code in this action
+  # details under https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
+  pull_request_target:
 
 jobs:
   auto-merge:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@
 ## __WORK IN PROGRESS__
 * (AlCalzone) The generated `io-package.json` files are now validated with the official JSON schema during tests (#711)
 * (UncleSamSwiss) Source code refactoring for web based create-adapter application (#716)
+* (AlCalzone) Update Dependabot auto-merge workflow to work with recent GitHub changes (#719) · [Migration guide](docs/updates/20210405_automerge_fixes.md)
 
 ## 1.32.0 (2021-03-09)
 * (AlCalzone) Update Readme: remove snyk.io badge, use https (#655)

diff --git a/docs/updates/20210405_automerge_fixes.md b/docs/updates/20210405_automerge_fixes.md
@@ -0,0 +1,17 @@
+# Update Dependabot auto-merge workflow to work with recent GitHub changes
+
+GitHub recently changed the permissions for workflow triggered by Dependabot PRs: https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
+
+To handle these changes, edit the workflow file `.github/workflows/dependabot-auto-merge.yml` as follows:
+
+```diff
+on:
+-  pull_request:
++  # WARNING: This needs to be run in the PR base, DO NOT build untrusted code in this action
++  # details under https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
++  pull_request_target:
+
+jobs:
+  auto-merge:
++    if: github.actor == 'dependabot[bot]'
+```
diff --git a/templates/_github/workflows/dependabot-auto-merge.raw.yml b/templates/_github/workflows/dependabot-auto-merge.raw.yml
@@ -4,10 +4,13 @@
 name: Auto-Merge Dependabot PRs
 
 on:
-  pull_request:
+  # WARNING: This needs to be run in the PR base, DO NOT build untrusted code in this action
+  # details under https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
+  pull_request_target:
 
 jobs:
   auto-merge:
+    if: github.actor == 'dependabot[bot]'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code

diff --git a/...t_TypeChecking_Spaces_SingleQuotes_Apache-2.0/.github/workflows/dependabot-auto-merge.yml b/...t_TypeChecking_Spaces_SingleQuotes_Apache-2.0/.github/workflows/dependabot-auto-merge.yml
@@ -4,10 +4,13 @@
 name: Auto-Merge Dependabot PRs
 
 on:
-  pull_request:
+  # WARNING: This needs to be run in the PR base, DO NOT build untrusted code in this action
+  # details under https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
+  pull_request_target:
 
 jobs:
   auto-merge:
+    if: github.actor == 'dependabot[bot]'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code

diff --git a/...t_TypeChecking_Spaces_SingleQuotes_Apache-2.0/.github/workflows/dependabot-auto-merge.yml b/...t_TypeChecking_Spaces_SingleQuotes_Apache-2.0/.github/workflows/dependabot-auto-merge.yml
@@ -4,10 +4,13 @@
 name: Auto-Merge Dependabot PRs
 
 on:
-  pull_request:
+  # WARNING: This needs to be run in the PR base, DO NOT build untrusted code in this action
+  # details under https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
+  pull_request_target:
 
 jobs:
   auto-merge:
+    if: github.actor == 'dependabot[bot]'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code

diff --git a/test/baselines/adapter_JS_React/.github/workflows/dependabot-auto-merge.yml b/test/baselines/adapter_JS_React/.github/workflows/dependabot-auto-merge.yml
@@ -4,10 +4,13 @@
 name: Auto-Merge Dependabot PRs
 
 on:
-  pull_request:
+  # WARNING: This needs to be run in the PR base, DO NOT build untrusted code in this action
+  # details under https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
+  pull_request_target:
 
 jobs:
   auto-merge:
+	if: github.actor == 'dependabot[bot]'
 	runs-on: ubuntu-latest
 	steps:
 	  - name: Checkout code

diff --git a/...pter_TS_ES6Class_ESLint_Tabs_DoubleQuotes_MIT/.github/workflows/dependabot-auto-merge.yml b/...pter_TS_ES6Class_ESLint_Tabs_DoubleQuotes_MIT/.github/workflows/dependabot-auto-merge.yml
@@ -4,10 +4,13 @@
 name: Auto-Merge Dependabot PRs
 
 on:
-  pull_request:
+  # WARNING: This needs to be run in the PR base, DO NOT build untrusted code in this action
+  # details under https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
+  pull_request_target:
 
 jobs:
   auto-merge:
+	if: github.actor == 'dependabot[bot]'
 	runs-on: ubuntu-latest
 	steps:
 	  - name: Checkout code

diff --git a/...lines/adapter_TS_ESLint_Tabs_DoubleQuotes_MIT/.github/workflows/dependabot-auto-merge.yml b/...lines/adapter_TS_ESLint_Tabs_DoubleQuotes_MIT/.github/workflows/dependabot-auto-merge.yml
@@ -4,10 +4,13 @@
 name: Auto-Merge Dependabot PRs
 
 on:
-  pull_request:
+  # WARNING: This needs to be run in the PR base, DO NOT build untrusted code in this action
+  # details under https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
+  pull_request_target:
 
 jobs:
   auto-merge:
+	if: github.actor == 'dependabot[bot]'
 	runs-on: ubuntu-latest
 	steps:
 	  - name: Checkout code

diff --git a/test/baselines/adapter_TS_React/.github/workflows/dependabot-auto-merge.yml b/test/baselines/adapter_TS_React/.github/workflows/dependabot-auto-merge.yml
@@ -4,10 +4,13 @@
 name: Auto-Merge Dependabot PRs
 
 on:
-  pull_request:
+  # WARNING: This needs to be run in the PR base, DO NOT build untrusted code in this action
+  # details under https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
+  pull_request_target:
 
 jobs:
   auto-merge:
+	if: github.actor == 'dependabot[bot]'
 	runs-on: ubuntu-latest
 	steps:
 	  - name: Checkout code

diff --git a/test/baselines/vis_Widget/.github/workflows/dependabot-auto-merge.yml b/test/baselines/vis_Widget/.github/workflows/dependabot-auto-merge.yml
@@ -4,10 +4,13 @@
 name: Auto-Merge Dependabot PRs
 
 on:
-  pull_request:
+  # WARNING: This needs to be run in the PR base, DO NOT build untrusted code in this action
+  # details under https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
+  pull_request_target:
 
 jobs:
   auto-merge:
+	if: github.actor == 'dependabot[bot]'
 	runs-on: ubuntu-latest
 	steps:
 	  - name: Checkout code

diff --git a/test/baselines/vis_Widget_Travis/.github/workflows/dependabot-auto-merge.yml b/test/baselines/vis_Widget_Travis/.github/workflows/dependabot-auto-merge.yml
@@ -4,10 +4,13 @@
 name: Auto-Merge Dependabot PRs
 
 on:
-  pull_request:
+  # WARNING: This needs to be run in the PR base, DO NOT build untrusted code in this action
+  # details under https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
+  pull_request_target:
 
 jobs:
   auto-merge:
+	if: github.actor == 'dependabot[bot]'
 	runs-on: ubuntu-latest
 	steps:
 	  - name: Checkout code