build(deps): bump the github-actions group with 2 updates #1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 'Linuxfabrik: Dependabot auto-merge' | |
| on: | |
| pull_request: {} | |
| permissions: 'read-all' | |
| env: | |
| # Lockfiles that have no `directory:` entry in `.github/dependabot.yml` | |
| # because upstream packages keep raising their minimum Python. Dependabot | |
| # security updates ignore that allowlist, so a bump can still show up here. | |
| FROZEN_LOCKFILES: '["/lockfiles/py39", "/lockfiles/py310"]' | |
| jobs: | |
| auto-merge: | |
| runs-on: 'ubuntu-latest' | |
| if: 'github.actor == ''dependabot[bot]''' | |
| permissions: | |
| contents: 'write' | |
| pull-requests: 'write' | |
| steps: | |
| - uses: 'dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98' # v3.1.0 | |
| id: 'meta' | |
| # A bump against a frozen lockfile is left open for a human. Dependabot | |
| # does not honour `Requires-Python`, so it may propose a version that | |
| # drops the interpreter the lockfile exists for (py39 -> RHEL 8, RHEL 9, | |
| # Debian 11; py310 -> Ubuntu 22.04). It may equally propose a security | |
| # fix that still supports it. Only a human can tell the two apart, so | |
| # the PR is neither merged nor closed. Regenerate the lockfile with | |
| # `pip-compile` on a matching Python host once the bump is accepted. | |
| - if: >- | |
| contains(fromJSON(env.FROZEN_LOCKFILES), steps.meta.outputs.directory) | |
| && github.event.action == 'opened' | |
| run: | | |
| gh pr comment "$PR_URL" --body "Not auto-merged: \`${DIRECTORY}\` is frozen because Dependabot does not honour \`Requires-Python\`. Check whether \`${DEPENDENCY}\` still supports that lockfile's interpreter. If it does, regenerate the lockfile with \`pip-compile\` on a matching Python host. Either way, close this PR afterwards." | |
| env: | |
| DEPENDENCY: '${{ steps.meta.outputs.dependency-names }}' | |
| DIRECTORY: '${{ steps.meta.outputs.directory }}' | |
| GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}' | |
| PR_URL: '${{ github.event.pull_request.html_url }}' | |
| - if: >- | |
| !contains(fromJSON(env.FROZEN_LOCKFILES), steps.meta.outputs.directory) | |
| && (steps.meta.outputs.update-type == 'version-update:semver-patch' | |
| || steps.meta.outputs.update-type == 'version-update:semver-minor') | |
| run: 'gh pr merge --auto --squash "$PR_URL"' | |
| env: | |
| GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}' | |
| PR_URL: '${{ github.event.pull_request.html_url }}' |