Actions: Config dependabot on PRs, Actions, Devcontainers (#446)

Updated directions for creating issues for dependabot PRs. Upgraded dependabot config to scan GitHub Actions on Dev containers. New workflow to run dependabot scans on PRs.
chaynHQ · Jun 7, 2024 · 2c7ea2e · 2c7ea2e
1 parent ac12681
commit 2c7ea2e
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 37 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,7 +1,5 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+# This file contains the configs for dependabot.
+# See for more info: https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
 
 version: 2
 updates:
@@ -11,5 +9,21 @@ updates:
       interval: "weekly"
       time: "09:00"
       timezone: "Europe/London"
-    target-branch: "develop"
-
+
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    # Workflow files stored in the default location of `.github/workflows`.
+    # (You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.)
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      time: "09:00"
+      timezone: "Europe/London"
+
+  # Maintain dependencies for dev containers
+  - package-ecosystem: "devcontainers"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      time: "09:00"
+      timezone: "Europe/London"
diff --git a/.github/workflows/create-dependabot-issues.yml b/.github/workflows/create-dependabot-issues.yml
diff --git a/.github/workflows/dependabot-open-issues.yml b/.github/workflows/dependabot-open-issues.yml
@@ -0,0 +1,39 @@
+# This workflow opens issues for pull requests opened by dependabot.
+# See for more info: https://github.com/actions/dependency-review-action
+
+name: Open Dependabot Issues # from pull requests
+
+on:
+  pull_request:
+    types: [opened]
+    branches: [develop]
+
+jobs:
+  create-issue:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+    steps:
+      - name: Create issue
+        uses: actions-cool/issues-helper@v3
+        with:
+          actions: "create-issue"
+          token: ${{ secrets.GITHUB_TOKEN }}
+          title: ${{ github.event.pull_request.title }}
+          body: |
+            ### Dependabot opened a pull request to update a dependency. Please review it: ${{ github.event.pull_request.html_url }} 
+            - [ ] Comment on this issue tagging Chayn staff (@kyleecodes) to be assigned this issue.
+            - [ ] If you are a Chayn volunteer, we will assign you as a reviewer to the PR after you've accepted an invite to join this repo as a collaborator.
+            - [ ] Review the pull request. Check dependency files (such as package.json) to verify that the dependency has not already been updated.
+            - [ ] See GitHub Docs below for guidance. Check the files changed, dependency review, and workflow test runs.
+            - [ ] Upgrade the dependency. Please research it instead of simply updating the version numbers, as some upgrades may require code changes.
+            - [ ] Verify tests and happy paths are functional by cloning the dependabot branch and running locally.
+            - [ ] Next, complete the pull request review if you a volunteer, or notify us in issue discussions that you are done reviewing the PR. 
+                - If the dependency upgrade does not pass tests or breaks the app, notify us in issue discussions, or in the pull request review if you're a volunteer. You may work on the required code changes or finish the review as is.
+                - If the dependency upgrade passes tests without breaking the app, notify us in the issue discussions, or approve the pull request if you are a volunteer. Then we'll get the PR merged!
+
+            ### Resources
+            - GitHub Docs - Reviewing Pull Requests with Dependency Updates: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-dependency-changes-in-a-pull-request
+            - GitHub Docs - Reviewing Pull Requests: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request
+          labels: "dependencies"
diff --git a/.github/workflows/dependabot-pr-review.yml b/.github/workflows/dependabot-pr-review.yml
@@ -0,0 +1,22 @@
+# This workflow enables dependency scans on pull requests.
+# When changes in dependencies are detected, it will raise an error
+# if any vulnerabilities or invalid licenses are introduced.
+# See for more info: https://github.com/actions/dependency-review-action
+
+name: "Dependency Review"
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout Repository"
+        uses: actions/checkout@v4
+      - name: "Dependency Review"
+        uses: actions/dependency-review-action@v4
+        with:
+          # fails when moderate vulnerabilities are deteched
+          fail-on-severity: moderate