Skip to content
Open
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 15 additions & 1 deletion .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,11 @@ updates:
interval: daily
time: "22:30"
timezone: "Europe/Berlin"
open-pull-requests-limit: 1000
open-pull-requests-limit: 10
groups:
github-actions:
patterns:
- "*"
labels:
- "in progress"
- "dependencies"
Expand All @@ -15,3 +19,13 @@ updates:
directory: /
schedule:
interval: daily
time: "22:45"
timezone: "Europe/Berlin"
open-pull-requests-limit: 10
groups:
python-packages:
patterns:
- "*"
labels:
- "in progress"
- "dependencies"
39 changes: 39 additions & 0 deletions .github/workflows/dependabot-auto-merge.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
name: Dependabot auto-merge

on:
pull_request_target:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Use a trigger that preserves Dependabot write access

For Dependabot PRs (the only PRs allowed by this job), this pull_request_target trigger leaves ${{ secrets.GITHUB_TOKEN }} read-only: GitHub's Dependabot-on-Actions docs state that Dependabot-initiated pull_request_target runs for Dependabot-created PRs get a read-only token and no secrets. As a result, the later gh pr merge --auto cannot enable auto-merge despite the contents: write block, so the new auto-merge workflow will fail for every intended PR; use the pull_request pattern from GitHub's Dependabot auto-merge docs or authenticate the merge step with an explicit App/PAT token.

Useful? React with 👍 / 👎.

branches: [main]
types: [opened, synchronize, reopened, ready_for_review]
workflow_dispatch:

permissions:
contents: write
pull-requests: write

concurrency:
group: dependabot-auto-merge-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true

jobs:
auto-merge:
name: Auto-merge safe Dependabot updates
if: ${{ github.actor == 'dependabot[bot]' && github.event.pull_request.draft == false }}

Check failure on line 20 in .github/workflows/dependabot-auto-merge.yml

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Workflows should not rely on forgeable GitHub context values to trust events

See more on https://sonarcloud.io/project/issues?id=Ludy87_pyxplora_api&issues=AZ74TuvIdUtZRCY7DutB&open=AZ74TuvIdUtZRCY7DutB&pullRequest=362
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit

- name: Fetch Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}

- name: Enable auto-merge for patch and minor updates
if: ${{ contains(fromJSON('["version-update:semver-patch", "version-update:semver-minor"]'), steps.metadata.outputs.update-type) }}
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_URL: ${{ github.event.pull_request.html_url }}
run: gh pr merge --auto --squash "$PR_URL"
21 changes: 14 additions & 7 deletions .github/workflows/pythonpackage.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,11 @@ on:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:

concurrency:
group: python-package-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read
Expand All @@ -29,23 +34,25 @@ jobs:
python-version: ${{ matrix.python-version }}
check-latest: true
cache: "pip"
cache-dependency-path: requirements.txt
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
pip install -e .
pip install black build flake8 pytest twine
- name: Lint with flake8
run: |
pip install flake8
# stop the build if there are Python syntax errors or undefined names
flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics --ignore=E501,E266,E202,E201,E301
# exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
flake8 . --count --exit-zero --max-complexity=20 --max-line-length=127 --statistics --ignore=E501,E266,E202,E201,E301
- name: formatting with black
run: |
pip install black
black --line-length=127 --check .
- name: Check formatting with black
run: black --line-length=127 --check .
- name: Test with pytest
run: pytest -q
- name: Check package build
if: ${{ matrix.python-version == '3.13' }}
run: |
pip install pytest
# pytest
python -m build
twine check dist/*
Loading