Add repo-config auto-migration workflow #56
Sync the repo-config migration workflow from v0.16.0 and update Dependabot grouping for repo-config and mkdocstrings. This lets repo-config Dependabot PRs use the migration workflow correctly by matching the expected template and avoiding wildcard issues with optional dependencies.

Signed-off-by: Leandro Lucarella <[email protected]>
Pull request overview
Adds a GitHub Actions workflow intended to automatically run repo-config migrations for Dependabot “repo-config” grouped PRs, and adjusts Dependabot grouping/exclusions to align with the upstream frequenz-repo-config-python template.
Changes:
- Add `.github/workflows/repo-config-migration.yaml` to perform automated repo-config migrations on Dependabot PRs.
- Update `.github/dependabot.yml` grouping/exclusion patterns for `frequenz-repo-config` and `mkdocstrings` (including extras).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/repo-config-migration.yaml | Introduces a migration workflow for Dependabot repo-config group PRs using pull_request_target and an app token. |
| .github/dependabot.yml | Refines grouping/exclusion patterns so repo-config and mkdocstrings updates are grouped and handled as intended. |
```yaml
# don't need to actually run the job, having the job present as Skipped is
# enough.
if: |
  github.event_name == 'pull_request_target' &&
```
The job is running on pull_request_target with repo write permissions and access to secrets, but the job-level if: condition does not enforce github.actor == 'dependabot[bot]'. That means any PR author can set a matching title and trigger the workflow with elevated permissions. Add an explicit actor (and/or PR author) check to the if: condition (or gate the sensitive steps) to match the security expectations documented in the header comment.
Suggested change:

```diff
-  github.event_name == 'pull_request_target' &&
+  github.event_name == 'pull_request_target' &&
+  github.actor == 'dependabot[bot]' &&
```
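As an added illustration (not the workflow from this PR nor the frequenz-repo-config template), here is a job-level gate that combines the conditions discussed in this comment and its suggestion, with a least-privilege `permissions` block; the workflow name, job name, permissions and step are assumptions, while the title string "the repo-config group" is the one the PR's header comment describes:

```yaml
# Added example, not the workflow from this PR. It shows how a job running on
# pull_request_target (elevated token, access to secrets) can be gated so that
# an arbitrary PR author cannot trigger it just by choosing a matching title.
# Workflow name, job name, permissions and the step are assumptions.
name: repo-config migration (example)

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

jobs:
  migrate:
    # Every condition must hold, otherwise the job is reported as Skipped.
    # - event_name: only the privileged trigger is handled here
    # - actor: who triggered this run (the check the review asked for)
    # - pull_request.user.login: who opened the PR, so a non-Dependabot PR
    #   cannot pass the gate even if some other identity triggers an event
    # - title: restricts the job to the repo-config Dependabot group
    if: |
      github.event_name == 'pull_request_target' &&
      github.actor == 'dependabot[bot]' &&
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      contains(github.event.pull_request.title, 'the repo-config group')
    runs-on: ubuntu-latest
    # Least privilege: request only what the migration step actually needs
    # instead of inheriting the default token scopes.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Report which PR passed the gate
        # PR title is user-controlled input: pass it through an environment
        # variable rather than interpolating ${{ }} directly into the shell
        # script, which would otherwise be a script-injection vector.
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
        run: |
          echo "Gated PR by $PR_AUTHOR: $PR_TITLE"
```

The title check alone only selects which PRs are processed; it is the actor and author conditions that keep the elevated `pull_request_target` context out of reach of other PR authors.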
```yaml
# The companion auto-dependabot workflow skips repo-config group PRs so
# they're handled exclusively by the migration workflow.
```
The header comment mentions a “companion auto-dependabot workflow” skipping repo-config group PRs, but there is no such workflow in this repository. Either add the referenced companion workflow or update the comment to point to the actual mechanism in this repo that ensures repo-config group PRs are handled exclusively by this migration workflow.
Suggested change:

```diff
-# The companion auto-dependabot workflow skips repo-config group PRs so
-# they're handled exclusively by the migration workflow.
+# Repo-config group Dependabot PRs are handled exclusively by this
+# migration workflow: the job below is gated on the PR title containing
+# "the repo-config group", so only those PRs are processed.
```
Summary
- `repo-config-migration.yaml` with the exact `frequenz-repo-config-python` v0.16.0 template
- `frequenz-repo-config` and `mkdocstrings`