From 57f5ae9cfd4bf9961b8e487b593464be14f2ed37 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Mon, 16 Jun 2025 14:39:57 +0200 Subject: [PATCH 01/25] feat: add `process-dependabot-reusable` workflow (Bash-based alternative) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR introduces a **reusable GitHub Actions workflow**, `process-dependabot-reusable`, designed to streamline the handling of Dependabot pull requests across repositories — implemented entirely with **shell scripts**. This serves as a Bash-based alternative to #418, which uses TypeScript. ### 🔄 Key Differences from #418 * **Trigger**: Runs on `pull_request_target` (not `push`), which is required by the `dependabot/fetch-metadata` action. * **Implementation**: Written using **standard POSIX tools** with a few dependencies: * **`bash`** – some Bash-specific constructs are used * **`jq`** – for processing JSON output from `dependabot/fetch-metadata` * **`xmlstarlet`** – for parsing `pom.xml` and generating a changelog XML file * **`git`** – to commit and push any changes * **`gh`** – to enable "auto-merge" on the pull request This approach avoids the Node.js/TypeScript toolchain and relies only on standard CLI tools commonly available in CI environments. --- .github/workflows/merge-dependabot.yaml | 42 ----- .../process-dependabot-reusable.yaml | 150 ++++++++++++++++++ src/changelog/.12.x.x/add-deploy-profile.xml | 10 ++ .../ROOT/examples/process-dependabot.yaml | 45 ++++++ .../antora/modules/ROOT/pages/workflows.adoc | 15 +- 5 files changed, 217 insertions(+), 45 deletions(-) delete mode 100644 .github/workflows/merge-dependabot.yaml create mode 100644 .github/workflows/process-dependabot-reusable.yaml create mode 100644 src/changelog/.12.x.x/add-deploy-profile.xml create mode 100644 src/site/antora/modules/ROOT/examples/process-dependabot.yaml 
diff --git a/.github/workflows/merge-dependabot.yaml b/.github/workflows/merge-dependabot.yaml deleted file mode 100644 index 2d611cc1..00000000 --- a/.github/workflows/merge-dependabot.yaml +++ /dev/null @@ -1,42 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to you under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -name: merge-dependabot - -on: - pull_request_target: - paths-ignore: - - "**.adoc" - - "**.md" - - "**.txt" - -permissions: read-all - -jobs: - - build: - if: github.repository == 'apache/logging-parent' && github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]' - uses: ./.github/workflows/build-reusable.yaml - - merge-dependabot: - needs: build - uses: ./.github/workflows/merge-dependabot-reusable.yaml - permissions: - contents: write # to push changelog commits - pull-requests: write # to close the PR - secrets: - GPG_SECRET_KEY: ${{ secrets.LOGGING_GPG_SECRET_KEY }} # to sign commits diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml new file mode 100644 index 00000000..82146407 --- /dev/null +++ b/.github/workflows/process-dependabot-reusable.yaml 
@@ -0,0 +1,150 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +name: Dependabot Process PR + +on: + workflow_call: + inputs: + user_name: + description: The name of the user to use for the commit + default: 'ASF Logging Services RM' + type: string + user_email: + description: The email of the user to use for the commit + default: 'private@logging.apache.org' + type: string + ref: + description: The branch, tag or SHA to checkout + default: ${{ github.ref }} + type: string + secrets: + AUTO_MERGE_TOKEN: + description: GitHub token to enable auto-merge on PR + required: true + CONTENT_WRITE_TOKEN: + description: GitHub token to push changes + required: true + GPG_PASSPHRASE: + description: GPG passphrase for signing commits + required: false + GPG_PRIVATE_KEY: + description: GPG secret key for signing commits + required: true + +jobs: + + generate-changelog: + # Skip this workflow on commits not pushed by Dependabot + if: ${{ github.actor == 'dependabot[bot]' }} + runs-on: ubuntu-latest + + steps: + + - name: Fetch Dependabot metadata + id: dependabot + uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # 2.4.0 + with: + github-token: ${{ github.token }} + + - name: Check out repository + uses: 
actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 + with: + ref: ${{ inputs.ref }} + token: ${{ secrets.CONTENT_WRITE_TOKEN }} + + # + - name: Find the release version major + shell: bash + run: | + revision=$( + xmlstarlet sel \ + -N m=http://maven.apache.org/POM/4.0.0 \ + --template --value-of /m:project/m:properties/m:revision \ + pom.xml + ) + if [[ ! $revision =~ ^[0-9]+\.[0-9]+\.[0-9]+(-SNAPSHOT)?$ ]]; then + echo "Invalid version format: $version" + exit 1 + fi + parts=(${revision//./ }) + echo "RELEASE_VERSION_MAJOR=${parts[0]}" >> $GITHUB_ENV + + - name: Create changelog entries + shell: bash + env: + PR_ID: ${{ github.event.pull_request.number }} + PR_URL: ${{ github.event.pull_request.html_url }} + RELEASE_VERSION_MAJOR: ${{ env.RELEASE_VERSION_MAJOR }} + UPDATED_DEPENDENCIES: ${{ steps.dependabot.outputs.updated-dependencies-json }} + run: | + function generate_changelog_entry() { + local dependency="$1" + local dependency_name=$(echo "$dependency" | jq -r '.dependencyName' | xmlstarlet esc) + local new_version=$(echo "$dependency" | jq -r '.newVersion' | xmlstarlet esc) + local issue_id=$(xmlstarlet esc "$PR_ID") + local issue_link=$(xmlstarlet esc "$PR_URL") + cat << CHANGELOG_ENTRY + + + + + Update \`$dependency_name\` to version \`$new_version\`. 
+ + CHANGELOG_ENTRY + } + # Ensure the changelog directory exists + release_changelog_path="src/changelog/.${RELEASE_VERSION_MAJOR}.x.x" + mkdir -p "$release_changelog_path" + cd "$release_changelog_path" + # Generate the changelog entries for each updated dependency + echo $UPDATED_DEPENDENCIES | jq --compact-output '.[]' | while read -r dependency; do + # Extract the dependency name and version + dependency_name=$(echo "$dependency" | jq -r '.dependencyName') + changelog_file_name=$(echo "update_${dependency_name,,}.xml" | sed -r -e 's/[^a-z0-9.-]/_/g' -e 's/_+/_/g') + generate_changelog_entry "$dependency" > "$changelog_file_name" + done + + - name: Set up GPG + uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # 6.3.0 + with: + gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} + passphrase: ${{ secrets.GPG_PASSPHRASE }} + + - name: Add & commit changes + shell: bash + env: + COMMIT_MSG: "Generate changelog entries for PR #${{ github.event.pull_request.number }}" + USER_NAME: ${{ inputs.user_name }} + USER_EMAIL: ${{ inputs.user_email }} + run: | + git add src/changelog + git config user.name "$USER_NAME" + git config user.email "$USER_EMAIL" + git commit -S -m "$COMMIT_MSG" + git push origin + + - name: Enable auto-merge on PR + shell: bash + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ github.token }} + run: | + gh pr merge --squash --auto "$PR_HTML_URL" diff --git a/src/changelog/.12.x.x/add-deploy-profile.xml b/src/changelog/.12.x.x/add-deploy-profile.xml new file mode 100644 index 00000000..a34fffff --- /dev/null +++ b/src/changelog/.12.x.x/add-deploy-profile.xml @@ -0,0 +1,10 @@ + + + + + Added `process-dependabot-reusable` to handle Dependabot PRs under RTC restrictions. + + diff --git a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml new file mode 100644 index 00000000..6f7d2042 --- /dev/null 
+++ b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml @@ -0,0 +1,45 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +name: Dependabot Process PR + +on: + pull_request_target: {} + +permissions: read-all + +jobs: + +# tag::process-dependabot[] + process-dependabot: + # Skip this workflow on commits not pushed by Dependabot + if: ${{ github.actor == 'dependabot[bot]' }} + uses: apache/logging-parent/.github/workflows/process-dependabot-reusable.yaml@rel/{project-version} + permissions: + # The default GITHUB_TOKEN will be used to enable the "auto-merge" on the PR + pull-requests: write + secrets: + AUTO_MERGE_TOKEN: ${{ github.token }} + CONTENT_WRITE_TOKEN: ${{ secrets.DEPENDABOT_TOKEN }} + GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} + with: + user_name: 'Release Manager' + user_email: manager@example.com + # Necessary to let the reusable workflow reference itself + reusable_ref: rel/{project-version} +# end::process-dependabot[] diff --git a/src/site/antora/modules/ROOT/pages/workflows.adoc b/src/site/antora/modules/ROOT/pages/workflows.adoc index e9ed9f90..2369dd3d 100644 --- a/src/site/antora/modules/ROOT/pages/workflows.adoc 
+++ b/src/site/antora/modules/ROOT/pages/workflows.adoc @@ -104,10 +104,19 @@ To verify the reproducibility of a release, you can use: include::example$build.yaml[tag=verify-reproducibility-release,indent=0] ---- -[#merge-dependabot] -== {project-github-url}/blob/main/.github/workflows/merge-dependabot-reusable.yaml[`merge-dependabot-reusable.yaml`] +[#process-dependabot] +== {project-github-url}/blob/main/.github/workflows/process-dependabot-reusable.yaml[`process-dependabot-reusable.yaml`] -Merges Dependabot PRs along with changelog entries. +Helps to process Dependabot pull requests by: + +* Generating changelog entries for the updated dependencies. +* Enabling the "auto-merge" option for the pull request. + +.Snippet from an {examples-base-link}/process-dependabot.yaml[example `process-dependabot.yaml`] using this workflow +[source,yaml,subs=+attributes] +---- +include::example$process-dependabot.yaml[tag=process-dependabot,indent=0] +---- [#deploy-site] == {project-github-url}/blob/main/.github/workflows/deploy-site-reusable.yaml[`deploy-site-reusable.yaml`] From 305af056453db7f783d7e43f712e8ac962c7ecbb Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Sun, 22 Jun 2025 11:34:49 +0200 Subject: [PATCH 02/25] fix: Typos detected by Copilot --- .github/workflows/process-dependabot-reusable.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index 82146407..eaf8187c 100644 --- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml @@ -78,7 +78,7 @@ jobs: pom.xml ) if [[ ! $revision =~ ^[0-9]+\.[0-9]+\.[0-9]+(-SNAPSHOT)?$ ]]; then - echo "Invalid version format: $version" + echo "Invalid version format: $revision" exit 1 fi parts=(${revision//./ }) 
@@ -115,7 +115,7 @@ jobs: mkdir -p "$release_changelog_path" cd "$release_changelog_path" # Generate the changelog entries for each updated dependency - echo $UPDATED_DEPENDENCIES | jq --compact-output '.[]' | while read -r dependency; do + echo "$UPDATED_DEPENDENCIES" | jq --compact-output '.[]' | while read -r dependency; do # Extract the dependency name and version dependency_name=$(echo "$dependency" | jq -r '.dependencyName') changelog_file_name=$(echo "update_${dependency_name,,}.xml" | sed -r -e 's/[^a-z0-9.-]/_/g' -e 's/_+/_/g') @@ -147,4 +147,4 @@ jobs: PR_URL: ${{ github.event.pull_request.html_url }} GH_TOKEN: ${{ github.token }} run: | - gh pr merge --squash --auto "$PR_HTML_URL" + gh pr merge --squash --auto "$PR_URL" From 32fe3615628a6fec61d07ba85006f62d0575ae68 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Sun, 22 Jun 2025 12:02:12 +0200 Subject: [PATCH 03/25] fix: install `xmlstarlet` --- .github/workflows/process-dependabot-reusable.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index eaf8187c..9f4b338b 100644 --- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml @@ -67,7 +67,10 @@ jobs: ref: ${{ inputs.ref }} token: ${{ secrets.CONTENT_WRITE_TOKEN }} - # + - name: Install `xmlstarlet` + shell: bash + run: sudo apt update && sudo apt install -y xmlstarlet + - name: Find the release version major shell: bash run: | From 59ea4d2493ad83dcf58180fec610ecc9f72f3728 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Sun, 22 Jun 2025 12:05:02 +0200 Subject: [PATCH 04/25] fix: replace `apt` with `apt-get` The `apt` command is not recommended for scripting. --- .github/workflows/process-dependabot-reusable.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index 9f4b338b..a976cd54 100644 --- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml @@ -69,7 +69,7 @@ jobs: - name: Install `xmlstarlet` shell: bash - run: sudo apt update && sudo apt install -y xmlstarlet + run: sudo apt-get update && sudo apt-get install -y xmlstarlet - name: Find the release version major shell: bash From 27bd89985575ffaccbc20b72158ead5f41a429ed Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Tue, 24 Jun 2025 09:04:51 +0200 Subject: [PATCH 05/25] feat: Split Dependabot workflow into privileged and unprivileged parts This change splits the Dependabot automation into two reusable workflows: * **Unprivileged workflow** (`analyze-dependabot-reusable`): Runs on `pull_request` with no permissions. It analyzes Dependabot PRs and generates metadata safely. * **Privileged workflow** (`process-dependabot-reusable`): Uses the metadata from the unprivileged step to generate changelog files and enable the "auto-merge" option. Requires access to our GPG key and Personal Access Token. --- .../analyze-dependabot-reusable.yaml | 55 +++++++++++++++++ .../process-dependabot-reusable.yaml | 60 ++++++++++++------- .../ROOT/examples/analyze-dependabot.yaml | 32 ++++++++++ .../ROOT/examples/process-dependabot.yaml | 24 +++++--- .../antora/modules/ROOT/pages/workflows.adoc | 41 +++++++++++++ 5 files changed, 183 insertions(+), 29 deletions(-) create mode 100644 .github/workflows/analyze-dependabot-reusable.yaml create mode 100644 src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml diff --git a/.github/workflows/analyze-dependabot-reusable.yaml b/.github/workflows/analyze-dependabot-reusable.yaml new file mode 100644 index 00000000..a23fad51 --- /dev/null +++ b/.github/workflows/analyze-dependabot-reusable.yaml 
@@ -0,0 +1,55 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +name: Dependabot Analyze PR + +on: + workflow_call: + +jobs: + + analyze-pull-request: + # Skip this workflow on commits not pushed by Dependabot + if: ${{ github.actor == 'dependabot[bot]' }} + runs-on: ubuntu-latest + + steps: + + - name: Fetch Dependabot metadata + id: dependabot + uses: ppkarwasz/fetch-metadata@feat/multi-versions + with: + github-token: ${{ github.token }} + + # + # Stores the data required by the process-dependabot-reusable workflow as JSON files. + # + - name: Create artifacts + shell: bash + env: + PULL_REQUEST: ${{ toJSON(github.event.pull_request) }} + UPDATED_DEPENDENCIES: ${{ steps.dependabot.outputs.updated-dependencies-json }} + run: | + mkdir -p dependabot-metadata + echo "$PULL_REQUEST" > dependabot-metadata/pull_request.json + echo "$UPDATED_DEPENDENCIES" > dependabot-metadata/updated_dependencies.json + + - name: Upload artifacts + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # 4.6.2 + with: + name: dependabot-metadata + path: dependabot-metadata diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index a976cd54..ecb38ea9 100644 
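Review bot: The `Fetch Dependabot metadata` step in the new `analyze-dependabot-reusable.yaml` uses `ppkarwasz/fetch-metadata@feat/multi-versions`, a mutable branch on a personal fork, whereas the step it replaces pinned `dependabot/fetch-metadata@08eff52b…` to a full commit SHA. Anyone who can push to that branch controls `updated-dependencies-json`, and the privileged `process-dependabot-reusable` workflow turns that output into changelog file names and XML that it commits with the project's signing key, so the unprivileged job is still a supply-chain entry point. Pin the fork to a full-length commit SHA with a version comment, as the other `uses:` lines in this series do, or return to `dependabot/fetch-metadata` at a pinned release once the multi-version support lands upstream. The `pull_request.json` written here is also consumed verbatim by the privileged workflow, so a one-line comment in the artifact step noting that the consumer must validate it would help the next maintainer.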
--- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml @@ -20,18 +20,18 @@ name: Dependabot Process PR on: workflow_call: inputs: - user_name: + user-name: description: The name of the user to use for the commit default: 'ASF Logging Services RM' type: string - user_email: + user-email: description: The email of the user to use for the commit default: 'private@logging.apache.org' type: string - ref: - description: The branch, tag or SHA to checkout - default: ${{ github.ref }} - type: string + analyze-workflow-run-id: + description: The ID of the workflow run that analyzed the PR + required: true + type: number secrets: AUTO_MERGE_TOKEN: description: GitHub token to enable auto-merge on PR 
@@ -56,15 +56,36 @@ jobs: steps: - name: Fetch Dependabot metadata - id: dependabot - uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # 2.4.0 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # 4.3.0 with: github-token: ${{ github.token }} + name: dependabot-metadata + path: ${{ runner.temp }}/dependabot-metadata + run-id: ${{ inputs.analyze-workflow-run-id }} + + - name: Process Dependabot metadata + shell: bash + run: | + # Extract the pull request metadata from the downloaded artifact + path="$RUNNER_TEMP/dependabot-metadata" + if [[ ! -f "$path/pull_request.json" ]]; then + echo "Pull request metadata not found at $path/pull_request.json" + exit 1 + fi + if [[ ! -f "$path/updated_dependencies.json" ]]; then + echo "Updated dependencies metadata not found at $path/updated_dependencies.json" + exit 1 + fi + # Extract the required metadata and set it as environment variables + pull_request="$path/pull_request.json" + echo "PR_ID=$(jq -r '.number' < "$pull_request")" >> $GITHUB_ENV + echo "PR_URL=$(jq -r '.html_url' < "$pull_request")" >> $GITHUB_ENV + echo "PR_HEAD_REF=$(jq -r '.head.ref' < "$pull_request")" >> $GITHUB_ENV - name: Check out repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 with: - ref: ${{ inputs.ref }} + ref: ${{ env.PR_HEAD_REF }} token: ${{ secrets.CONTENT_WRITE_TOKEN }} - name: Install `xmlstarlet` 
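Review bot: The new `Process Dependabot metadata` step copies `.head.ref`, `.html_url` and `.number` straight from the downloaded artifact into `$GITHUB_ENV`, and those values then drive `actions/checkout` with the `CONTENT_WRITE_TOKEN` PAT, the `git push`, and `gh pr merge --auto`, without any validation. The artifact comes from an unprivileged `pull_request` run whose only link to this job is `inputs.analyze-workflow-run-id`, so this job should treat it as untrusted input: check that the head repository is `$GITHUB_REPOSITORY`, that the PR author is `dependabot[bot]`, that the ref is a single well-formed line (a value containing a newline would otherwise inject extra variables into `$GITHUB_ENV`), and that the URL points at a pull request in this repository under `$GITHUB_SERVER_URL`. The step lies entirely inside this hunk; the sketch below keeps the existing file-existence checks and adds the validation before anything is exported.

```yaml
      - name: Process Dependabot metadata
        shell: bash
        run: |
          # … unchanged: existence checks for pull_request.json and updated_dependencies.json …
          pull_request="$path/pull_request.json"
          # The artifact was produced by an unprivileged run: validate before trusting any value.
          if [[ "$(jq -r '.head.repo.full_name' < "$pull_request")" != "$GITHUB_REPOSITORY" ]]; then
            echo "Refusing to process a pull request whose head is not in $GITHUB_REPOSITORY"
            exit 1
          fi
          if [[ "$(jq -r '.user.login' < "$pull_request")" != "dependabot[bot]" ]]; then
            echo "Refusing to process a pull request not opened by dependabot[bot]"
            exit 1
          fi
          pr_id="$(jq -r '.number' < "$pull_request")"
          if [[ ! "$pr_id" =~ ^[0-9]+$ ]]; then
            echo "Invalid pull request number: $pr_id"
            exit 1
          fi
          pr_head_ref="$(jq -r '.head.ref' < "$pull_request")"
          if [[ ! "$pr_head_ref" =~ ^[A-Za-z0-9._/-]+$ ]]; then
            echo "Invalid head ref: $pr_head_ref"
            exit 1
          fi
          pr_url="$(jq -r '.html_url' < "$pull_request")"
          if [[ "$pr_url" != "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/pull/$pr_id" ]]; then
            echo "Invalid pull request URL: $pr_url"
            exit 1
          fi
          echo "PR_ID=$pr_id" >> "$GITHUB_ENV"
          echo "PR_URL=$pr_url" >> "$GITHUB_ENV"
          echo "PR_HEAD_REF=$pr_head_ref" >> "$GITHUB_ENV"
```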
@@ -89,18 +110,16 @@ jobs: - name: Create changelog entries shell: bash - env: - PR_ID: ${{ github.event.pull_request.number }} - PR_URL: ${{ github.event.pull_request.html_url }} - RELEASE_VERSION_MAJOR: ${{ env.RELEASE_VERSION_MAJOR }} - UPDATED_DEPENDENCIES: ${{ steps.dependabot.outputs.updated-dependencies-json }} run: | + PULL_REQUEST="$RUNNER_TEMP/dependabot-metadata/pull_request.json" + UPDATED_DEPENDENCIES="$RUNNER_TEMP/dependabot-metadata/updated_dependencies.json" + # Generates the content of a changelog entry function generate_changelog_entry() { local dependency="$1" - local dependency_name=$(echo "$dependency" | jq -r '.dependencyName' | xmlstarlet esc) - local new_version=$(echo "$dependency" | jq -r '.newVersion' | xmlstarlet esc) local issue_id=$(xmlstarlet esc "$PR_ID") local issue_link=$(xmlstarlet esc "$PR_URL") + local dependency_name=$(echo "$dependency" | jq -r '.dependencyName' | xmlstarlet esc) + local new_version=$(echo "$dependency" | jq -r '.newVersion' | xmlstarlet esc) cat << CHANGELOG_ENTRY @@ -118,7 +137,7 @@ jobs: mkdir -p "$release_changelog_path" cd "$release_changelog_path" # Generate the changelog entries for each updated dependency - echo "$UPDATED_DEPENDENCIES" | jq --compact-output '.[]' | while read -r dependency; do + cat "$UPDATED_DEPENDENCIES" | jq --compact-output '.[]' | while read -r dependency; do # Extract the dependency name and version dependency_name=$(echo "$dependency" | jq -r '.dependencyName') changelog_file_name=$(echo "update_${dependency_name,,}.xml" | sed -r -e 's/[^a-z0-9.-]/_/g' -e 's/_+/_/g') 
@@ -134,14 +153,13 @@ jobs: - name: Add & commit changes shell: bash env: - COMMIT_MSG: "Generate changelog entries for PR #${{ github.event.pull_request.number }}" - USER_NAME: ${{ inputs.user_name }} - USER_EMAIL: ${{ inputs.user_email }} + USER_NAME: ${{ inputs.user-name }} + USER_EMAIL: ${{ inputs.user-email }} run: | git add src/changelog git config user.name "$USER_NAME" git config user.email "$USER_EMAIL" - git commit -S -m "$COMMIT_MSG" + git commit -S -m "Generate changelog entries for PR #$PR_ID" git push origin - name: Enable auto-merge on PR diff --git a/src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml b/src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml new file mode 100644 index 00000000..c4a850c7 --- /dev/null +++ b/src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml 
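Review bot: The `Add & commit changes` step now runs `git commit -S` unconditionally, so the job fails whenever `git add src/changelog` staged nothing, which would happen if `updated_dependencies.json` came back as an empty list; guard it with `git diff --cached --quiet && { echo "No changelog changes"; exit 0; }` before the commit. `git push origin` also relies on the upstream that `actions/checkout` set for `PR_HEAD_REF`; since that ref is already in the environment, pushing explicitly with `git push origin "HEAD:refs/heads/$PR_HEAD_REF"` makes the target visible in the log and independent of `push.default`. A one-line comment that the push is done with the PAT precisely so the resulting commit re-triggers the required checks (as the docs hunk explains) would save the next reader a trip to the documentation.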
@@ -0,0 +1,32 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to you under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +name: "Dependabot Analyze PR" + +on: + pull_request: + +permissions: { } + +jobs: + +# tag::analyze-dependabot[] + analyze-dependabot: + # Skip this workflow on commits not pushed by Dependabot + if: ${{ github.actor == 'dependabot[bot]' }} + uses: apache/logging-parent/.github/workflows/analyze-dependabot-reusable.yaml@rel/{project-version} +# end::analyze-dependabot[] diff --git a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml index 6f7d2042..06ac2505 100644 --- a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml +++ b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml 
@@ -15,22 +15,28 @@ # limitations under the License. # -name: Dependabot Process PR +name: "Dependabot Process PR" on: - pull_request_target: {} + workflow_run: + workflows: + - "Dependabot Analyze PR" + types: + - completed -permissions: read-all +permissions: { } jobs: # tag::process-dependabot[] process-dependabot: # Skip this workflow on commits not pushed by Dependabot - if: ${{ github.actor == 'dependabot[bot]' }} + if: ${{ github.event.workflow_run.conclusion == 'success' && github.actor == 'dependabot[bot]' }} uses: apache/logging-parent/.github/workflows/process-dependabot-reusable.yaml@rel/{project-version} permissions: # The default GITHUB_TOKEN will be used to enable the "auto-merge" on the PR + # This requires the following two permissions: + contents: write pull-requests: write secrets: AUTO_MERGE_TOKEN: ${{ github.token }} @@ -38,8 +44,10 @@ jobs: GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} with: - user_name: 'Release Manager' - user_email: manager@example.com - # Necessary to let the reusable workflow reference itself - reusable_ref: rel/{project-version} + # These are the default values. + # The e-mail address must match the one used in the GPG key. + user_name: "ASF Logging Services RM" + user_email: "private@logging.apache.org" + # The run ID of the workflow that analyzed the PR. + analyze-workflow-run-id: ${{ github.event.workflow_run.id }} # end::process-dependabot[] diff --git a/src/site/antora/modules/ROOT/pages/workflows.adoc b/src/site/antora/modules/ROOT/pages/workflows.adoc index 2369dd3d..0aa4dfb8 100644 --- a/src/site/antora/modules/ROOT/pages/workflows.adoc +++ b/src/site/antora/modules/ROOT/pages/workflows.adoc 
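Review bot: The `with:` block of the example still passes `user_name` and `user_email`, but the same commit renames the reusable workflow's inputs to `user-name` and `user-email`; GitHub Actions rejects a call that supplies inputs the called workflow does not declare, so this example would fail at workflow validation. Change the two keys to `user-name: "ASF Logging Services RM"` and `user-email: "private@logging.apache.org"`. The `permissions` block grants `contents: write` and `pull-requests: write` for `gh pr merge`, but the reusable workflow now downloads an artifact from another run with `actions/download-artifact` and `run-id`, which as far as I know also needs `actions: read` on the token; add that line alongside the other two. Consider also guarding the `if` with `github.event.workflow_run.event == 'pull_request'` so that a manually re-run analyze workflow cannot reach the privileged path.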
@@ -104,6 +104,25 @@ To verify the reproducibility of a release, you can use: include::example$build.yaml[tag=verify-reproducibility-release,indent=0] ---- +[#analyze-dependabot] +== {project-github-url}/blob/main/.github/workflows/analyze-dependabot-reusable.yaml[`analyze-dependabot-reusable.yaml`] + +Analyzes Dependabot pull requests to collect detailed information about updated dependencies. +Stores the results in the `dependabot-metadata` artifact, +which is later consumed by the <> workflow to automate changelog generation and PR processing. + +[NOTE] +==== +This workflow must be triggered by an event that includes the `pull_request` payload and does not require any privileges. +It can then be used in a `pull_request` workflow. +==== + +.Snippet from an {examples-base-link}/analyze-dependabot.yaml[example `analyze-dependabot.yaml`] using this workflow +[source,yaml,subs=+attributes] +---- +include::example$analyze-dependabot.yaml[tag=analyze-dependabot,indent=0] +---- + [#process-dependabot] == {project-github-url}/blob/main/.github/workflows/process-dependabot-reusable.yaml[`process-dependabot-reusable.yaml`] 
@@ -112,6 +131,28 @@ Helps to process Dependabot pull requests by: * Generating changelog entries for the updated dependencies. * Enabling the "auto-merge" option for the pull request. +The workflow needs the following privileged tokens: + +`AUTO_MERGE_TOKEN`:: +A GitHub token with `contents:write` and `pull_requests:write` permissions, used to enable auto-merge on pull requests. +The default `GITHUB_TOKEN` **can** be used for this purpose. + +`CONTENT_WRITE_TOKEN`:: +A GitHub token required to push generated changelog files as a new commit to the repository. +The default `GITHUB_TOKEN` can **not** be used, +as it will not trigger required check runs and will prevent the pull request from being merged. +A Personal Access Token (PAT) with `contents:write` permission must be provided instead. + +This workflow is designed to be triggered by the `workflow_run` event, +as soon as the <> workflow completes. + +[NOTE] +==== +When this workflow is triggered by `workflow_run`, +GitHub Actions uses the "Actions" secret context instead of "Dependabot" secrets, +even if the `github.actor` is `dependabot[bot]`. +==== + .Snippet from an {examples-base-link}/process-dependabot.yaml[example `process-dependabot.yaml`] using this workflow [source,yaml,subs=+attributes] ---- From 6f9d4907c5ae32c3a723ca3459ecd21e2f6f4e37 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Tue, 24 Jun 2025 13:46:32 +0200 Subject: [PATCH 06/25] fix: limit the number of tokens --- .github/workflows/process-dependabot-reusable.yaml | 14 ++++++-------- .../modules/ROOT/examples/process-dependabot.yaml | 3 +-- src/site/antora/modules/ROOT/pages/workflows.adoc | 12 ++++++++---- 3 files changed, 15 insertions(+), 14 deletions(-) diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index ecb38ea9..e2b18c9d 100644 --- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml 
@@ -33,11 +33,8 @@ on: required: true type: number secrets: - AUTO_MERGE_TOKEN: - description: GitHub token to enable auto-merge on PR - required: true - CONTENT_WRITE_TOKEN: - description: GitHub token to push changes + RECURSIVE_TOKEN: + description: "A PAT with `contents: write` permission to push changes and trigger the next workflow run" required: true GPG_PASSPHRASE: description: GPG passphrase for signing commits @@ -46,6 +43,8 @@ on: description: GPG secret key for signing commits required: true +permissions: { } + jobs: generate-changelog: @@ -86,7 +85,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 with: ref: ${{ env.PR_HEAD_REF }} - token: ${{ secrets.CONTENT_WRITE_TOKEN }} + token: ${{ secrets.RECURSIVE_TOKEN }} - name: Install `xmlstarlet` shell: bash @@ -103,7 +102,7 @@ jobs: ) if [[ ! $revision =~ ^[0-9]+\.[0-9]+\.[0-9]+(-SNAPSHOT)?$ ]]; then echo "Invalid version format: $revision" - exit 1 + exit 1 fi parts=(${revision//./ }) echo "RELEASE_VERSION_MAJOR=${parts[0]}" >> $GITHUB_ENV @@ -165,7 +164,6 @@ jobs: - name: Enable auto-merge on PR shell: bash env: - PR_URL: ${{ github.event.pull_request.html_url }} GH_TOKEN: ${{ github.token }} run: | gh pr merge --squash --auto "$PR_URL" diff --git a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml index 06ac2505..16503cab 100644 --- a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml +++ b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml @@ -39,8 +39,7 @@ jobs: contents: write pull-requests: write secrets: - AUTO_MERGE_TOKEN: ${{ github.token }} - CONTENT_WRITE_TOKEN: ${{ secrets.DEPENDABOT_TOKEN }} + RECURSIVE_TOKEN: ${{ secrets.DEPENDABOT_TOKEN }} GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} with: 
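Review bot: The checkout hunk (`@@ -86,7 +85,7 @@`) hands the `RECURSIVE_TOKEN` PAT to `actions/checkout`, which by default keeps it in `.git/config` for the rest of the job; that is what lets the later `git push origin` go out under the PAT (and, per the documentation hunk in this series, trigger the check runs a `GITHUB_TOKEN` push would not), but nothing in the file says so. A comment on the `token:` line would record the intent: `# The PAT is persisted by actions/checkout so the later "git push" uses it and triggers check runs`. In the last hunk the removal of the step-level `PR_URL` looks correct, presumably because `PR_URL` is already exported to `$GITHUB_ENV` by the metadata step earlier in the job (outside this hunk) and a step-level `env` entry would shadow that value; a short comment such as `# PR_URL comes from $GITHUB_ENV (set by "Process Dependabot metadata")` would spare the next reader the same check.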
diff --git a/src/site/antora/modules/ROOT/pages/workflows.adoc b/src/site/antora/modules/ROOT/pages/workflows.adoc index 0aa4dfb8..62c64ca2 100644 --- a/src/site/antora/modules/ROOT/pages/workflows.adoc +++ b/src/site/antora/modules/ROOT/pages/workflows.adoc @@ -133,15 +133,19 @@ Helps to process Dependabot pull requests by: The workflow needs the following privileged tokens: -`AUTO_MERGE_TOKEN`:: -A GitHub token with `contents:write` and `pull_requests:write` permissions, used to enable auto-merge on pull requests. -The default `GITHUB_TOKEN` **can** be used for this purpose. +`GITHUB_TOKEN`:: +The default GitHub token with `contents:write` and `pull_requests:write` permissions, +used to enable auto-merge on pull requests. ++ +This token is automatically provided by GitHub Actions, but needs to be configured in the `permissions` property. -`CONTENT_WRITE_TOKEN`:: +`RECURSIVE_TOKEN`:: A GitHub token required to push generated changelog files as a new commit to the repository. The default `GITHUB_TOKEN` can **not** be used, as it will not trigger required check runs and will prevent the pull request from being merged. A Personal Access Token (PAT) with `contents:write` permission must be provided instead. ++ +The token must be passed as a secret named `RECURSIVE_TOKEN`. This workflow is designed to be triggered by the `workflow_run` event, as soon as the <> workflow completes. From a1f91ab1c0f0cfc7bbde4b5e802b52ec12f7d67a Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Tue, 24 Jun 2025 14:26:41 +0200 Subject: [PATCH 07/25] fix: drop all permissions by default --- .github/workflows/analyze-dependabot-reusable.yaml | 4 ++++ .github/workflows/process-dependabot-reusable.yaml | 7 +++++++ 2 files changed, 11 insertions(+) diff --git a/.github/workflows/analyze-dependabot-reusable.yaml b/.github/workflows/analyze-dependabot-reusable.yaml index a23fad51..8ea99455 100644 --- a/.github/workflows/analyze-dependabot-reusable.yaml 
+++ b/.github/workflows/analyze-dependabot-reusable.yaml @@ -20,6 +20,10 @@ name: Dependabot Analyze PR on: workflow_call: +# Explicitly drop all permissions inherited from the caller for security. +# Reference: https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions +permissions: { } + jobs: analyze-pull-request: diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index e2b18c9d..654f90ce 100644 --- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml @@ -43,6 +43,8 @@ on: description: GPG secret key for signing commits required: true +# Explicitly drop all permissions inherited from the caller for security. +# Reference: https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions permissions: { } jobs: @@ -51,6 +53,11 @@ jobs: # Skip this workflow on commits not pushed by Dependabot if: ${{ github.actor == 'dependabot[bot]' }} runs-on: ubuntu-latest + permissions: + # The default GITHUB_TOKEN will be used to enable the "auto-merge" on the PR + # This requires the following two permissions: + contents: write + pull-requests: write steps: From ef0d7932c003772c6a453933f8724b87d7f60412 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Sun, 26 Oct 2025 15:00:57 +0100 Subject: [PATCH 08/25] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Volkan Yazıcı --- .github/workflows/analyze-dependabot-reusable.yaml | 6 ++---- .github/workflows/process-dependabot-reusable.yaml | 8 ++++---- .../antora/modules/ROOT/examples/analyze-dependabot.yaml | 2 +- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/.github/workflows/analyze-dependabot-reusable.yaml b/.github/workflows/analyze-dependabot-reusable.yaml index 8ea99455..43f88d4a 100644 
--- a/.github/workflows/analyze-dependabot-reusable.yaml +++ b/.github/workflows/analyze-dependabot-reusable.yaml @@ -18,7 +18,7 @@ name: Dependabot Analyze PR on: - workflow_call: + workflow_call: { } # Explicitly drop all permissions inherited from the caller for security. # Reference: https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions @@ -39,9 +39,7 @@ jobs: with: github-token: ${{ github.token }} - # - # Stores the data required by the process-dependabot-reusable workflow as JSON files. - # + # Creates the data required by the `process-dependabot-reusable` workflow as JSON files. - name: Create artifacts shell: bash env: diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index 654f90ce..4da4cd40 100644 --- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml @@ -111,8 +111,8 @@ jobs: echo "Invalid version format: $revision" exit 1 fi - parts=(${revision//./ }) - echo "RELEASE_VERSION_MAJOR=${parts[0]}" >> $GITHUB_ENV + revisionMajor=${revision%%.*} + echo "RELEASE_VERSION_MAJOR=$revisionMajor" >> $GITHUB_ENV - name: Create changelog entries shell: bash @@ -134,7 +134,7 @@ jobs: xsi:schemaLocation="https://logging.apache.org/xml/ns https://logging.apache.org/xml/ns/log4j-changelog-0.xsd" type="updated"> - Update \`$dependency_name\` to version \`$new_version\`. + Update \`$dependency_name\` to version \`$new_version\` CHANGELOG_ENTRY } @@ -165,7 +165,7 @@ jobs: git add src/changelog git config user.name "$USER_NAME" git config user.email "$USER_EMAIL" - git commit -S -m "Generate changelog entries for PR #$PR_ID" + git commit -S -m "Generate changelog entries for #$PR_ID" git push origin - name: Enable auto-merge on PR diff --git a/src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml b/src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml index c4a850c7..c3319016 100644 
--- a/src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml +++ b/src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml @@ -27,6 +27,6 @@ jobs: # tag::analyze-dependabot[] analyze-dependabot: # Skip this workflow on commits not pushed by Dependabot - if: ${{ github.actor == 'dependabot[bot]' }} + if: ${{ github.repository == 'apache/logging-parent' && github.actor == 'dependabot[bot]' }} uses: apache/logging-parent/.github/workflows/analyze-dependabot-reusable.yaml@rel/{project-version} # end::analyze-dependabot[] From da481c22ae7abe4ab6bb2059fe6a3e7466c5f715 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Wed, 5 Nov 2025 21:52:37 +0100 Subject: [PATCH 09/25] fix: switch to `dependabot/fetch-metadata` --- .github/workflows/analyze-dependabot-reusable.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/analyze-dependabot-reusable.yaml b/.github/workflows/analyze-dependabot-reusable.yaml index 43f88d4a..05c56d83 100644 --- a/.github/workflows/analyze-dependabot-reusable.yaml +++ b/.github/workflows/analyze-dependabot-reusable.yaml @@ -35,7 +35,7 @@ jobs: - name: Fetch Dependabot metadata id: dependabot - uses: ppkarwasz/fetch-metadata@feat/multi-versions + uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # 2.4.0 with: github-token: ${{ github.token }} From fbdf6093748a47a3627cbc9ec15fc9cc1c9a345e Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Wed, 5 Nov 2025 22:16:08 +0100 Subject: [PATCH 10/25] fix: apply review suggestions --- .github/workflows/analyze-dependabot-reusable.yaml | 2 +- .github/workflows/process-dependabot-reusable.yaml | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/analyze-dependabot-reusable.yaml b/.github/workflows/analyze-dependabot-reusable.yaml index 05c56d83..d7d003fd 100644 --- a/.github/workflows/analyze-dependabot-reusable.yaml +++ b/.github/workflows/analyze-dependabot-reusable.yaml 
@@ -46,7 +46,7 @@ jobs: PULL_REQUEST: ${{ toJSON(github.event.pull_request) }} UPDATED_DEPENDENCIES: ${{ steps.dependabot.outputs.updated-dependencies-json }} run: | - mkdir -p dependabot-metadata + mkdir dependabot-metadata echo "$PULL_REQUEST" > dependabot-metadata/pull_request.json echo "$UPDATED_DEPENDENCIES" > dependabot-metadata/updated_dependencies.json diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index 4da4cd40..ea09c92d 100644 --- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml @@ -101,16 +101,20 @@ jobs: - name: Find the release version major shell: bash run: | + # Extract the revision property from the pom.xml revision=$( xmlstarlet sel \ -N m=http://maven.apache.org/POM/4.0.0 \ --template --value-of /m:project/m:properties/m:revision \ pom.xml ) + + # Validate the version format and extract the major version if [[ ! $revision =~ ^[0-9]+\.[0-9]+\.[0-9]+(-SNAPSHOT)?$ ]]; then echo "Invalid version format: $revision" exit 1 fi + revisionMajor=${revision%%.*} echo "RELEASE_VERSION_MAJOR=$revisionMajor" >> $GITHUB_ENV @@ -119,6 +123,7 @@ jobs: run: | PULL_REQUEST="$RUNNER_TEMP/dependabot-metadata/pull_request.json" UPDATED_DEPENDENCIES="$RUNNER_TEMP/dependabot-metadata/updated_dependencies.json" + # Generates the content of a changelog entry function generate_changelog_entry() { local dependency="$1" @@ -138,10 +143,12 @@ jobs: CHANGELOG_ENTRY } + # Ensure the changelog directory exists release_changelog_path="src/changelog/.${RELEASE_VERSION_MAJOR}.x.x" mkdir -p "$release_changelog_path" cd "$release_changelog_path" + # Generate the changelog entries for each updated dependency cat "$UPDATED_DEPENDENCIES" | jq --compact-output '.[]' | while read -r dependency; do # Extract the dependency name and version From d2b0c59394f0783ed4c0ed2346d33f0f680fe513 Mon Sep 17 00:00:00 2001 
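Review bot: `echo "RELEASE_VERSION_MAJOR=$revisionMajor" >> $GITHUB_ENV` in the first process-dependabot hunk leaves `$GITHUB_ENV` unquoted while the rest of the script quotes its expansions; `>> "$GITHUB_ENV"` keeps the style uniform. In the last hunk, `cat "$UPDATED_DEPENDENCIES" | jq --compact-output '.[]' | while read -r dependency; do` can read the file directly, `jq --compact-output '.[]' "$UPDATED_DEPENDENCIES" | while read -r dependency; do`, which drops the extra process and makes a missing or unreadable file a `jq` error rather than a `cat` one. The loop body continues outside the hunk.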
From: "Piotr P. Karwasz" Date: Wed, 15 Apr 2026 00:19:26 +0200 Subject: [PATCH 11/25] fix: extract PR data from caller of `process-dependabot-reusable` --- .../analyze-dependabot-reusable.yaml | 14 +++---- .../process-dependabot-reusable.yaml | 40 ++++++++----------- .../ROOT/examples/process-dependabot.yaml | 3 ++ 3 files changed, 24 insertions(+), 33 deletions(-) diff --git a/.github/workflows/analyze-dependabot-reusable.yaml b/.github/workflows/analyze-dependabot-reusable.yaml index d7d003fd..54ab4d4e 100644 --- a/.github/workflows/analyze-dependabot-reusable.yaml +++ b/.github/workflows/analyze-dependabot-reusable.yaml @@ -39,19 +39,15 @@ jobs: with: github-token: ${{ github.token }} - # Creates the data required by the `process-dependabot-reusable` workflow as JSON files. - - name: Create artifacts + # Creates the data required by the `process-dependabot-reusable` workflow as a JSON file. + - name: Create artifact shell: bash env: - PULL_REQUEST: ${{ toJSON(github.event.pull_request) }} UPDATED_DEPENDENCIES: ${{ steps.dependabot.outputs.updated-dependencies-json }} - run: | - mkdir dependabot-metadata - echo "$PULL_REQUEST" > dependabot-metadata/pull_request.json - echo "$UPDATED_DEPENDENCIES" > dependabot-metadata/updated_dependencies.json + run: echo "$UPDATED_DEPENDENCIES" > updated_dependencies.json - - name: Upload artifacts + - name: Upload artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # 4.6.2 with: name: dependabot-metadata - path: dependabot-metadata + path: updated_dependencies.json diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index ea09c92d..1da22479 100644 --- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml 
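Review bot: The `updated_dependencies.json` artifact written in this hunk is produced inside an unprivileged `pull_request` run and is later consumed by the privileged `workflow_run` workflow of this series, but neither side records that boundary. A comment above the `Create artifact` step such as `# Read by process-dependabot-reusable in a privileged workflow_run job; the consumer must treat this content as untrusted input` would make the trust relationship explicit for anyone editing either workflow later.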
@@ -32,6 +32,14 @@ on: description: The ID of the workflow run that analyzed the PR required: true type: number + pr-id: + description: The number of the pull request to process + required: true + type: number + pr-head-ref: + description: The head branch ref of the pull request to process + required: true + type: string secrets: RECURSIVE_TOKEN: description: "A PAT with `contents: write` permission to push changes and trigger the next workflow run" @@ -66,32 +74,13 @@ jobs: with: github-token: ${{ github.token }} name: dependabot-metadata - path: ${{ runner.temp }}/dependabot-metadata + path: ${{ runner.temp }} run-id: ${{ inputs.analyze-workflow-run-id }} - - name: Process Dependabot metadata - shell: bash - run: | - # Extract the pull request metadata from the downloaded artifact - path="$RUNNER_TEMP/dependabot-metadata" - if [[ ! -f "$path/pull_request.json" ]]; then - echo "Pull request metadata not found at $path/pull_request.json" - exit 1 - fi - if [[ ! -f "$path/updated_dependencies.json" ]]; then - echo "Updated dependencies metadata not found at $path/updated_dependencies.json" - exit 1 - fi - # Extract the required metadata and set it as environment variables - pull_request="$path/pull_request.json" - echo "PR_ID=$(jq -r '.number' < "$pull_request")" >> $GITHUB_ENV - echo "PR_URL=$(jq -r '.html_url' < "$pull_request")" >> $GITHUB_ENV - echo "PR_HEAD_REF=$(jq -r '.head.ref' < "$pull_request")" >> $GITHUB_ENV - - name: Check out repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 with: - ref: ${{ env.PR_HEAD_REF }} + ref: ${{ inputs.pr-head-ref }} token: ${{ secrets.RECURSIVE_TOKEN }} - name: Install `xmlstarlet` 
@@ -120,10 +109,11 @@ jobs: - name: Create changelog entries shell: bash + env: + PR_ID: ${{ inputs.pr-id }} + PR_URL: ${{ github.server_url }}/${{ github.repository }}/pull/${{ inputs.pr-id }} + UPDATED_DEPENDENCIES: ${{ runner.temp }}/updated_dependencies.json run: | - PULL_REQUEST="$RUNNER_TEMP/dependabot-metadata/pull_request.json" - UPDATED_DEPENDENCIES="$RUNNER_TEMP/dependabot-metadata/updated_dependencies.json" - # Generates the content of a changelog entry function generate_changelog_entry() { local dependency="$1" @@ -168,6 +158,7 @@ jobs: env: USER_NAME: ${{ inputs.user-name }} USER_EMAIL: ${{ inputs.user-email }} + PR_ID: ${{ inputs.pr-id }} run: | git add src/changelog git config user.name "$USER_NAME" @@ -179,5 +170,6 @@ jobs: shell: bash env: GH_TOKEN: ${{ github.token }} + PR_URL: ${{ github.server_url }}/${{ github.repository }}/pull/${{ inputs.pr-id }} run: | gh pr merge --squash --auto "$PR_URL" diff --git a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml index 16503cab..a03328ee 100644 --- a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml +++ b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml @@ -49,4 +49,7 @@ jobs: user_email: "private@logging.apache.org" # The run ID of the workflow that analyzed the PR. analyze-workflow-run-id: ${{ github.event.workflow_run.id }} + # Pull request metadata extracted from the triggering workflow run. + pr-id: ${{ github.event.workflow_run.pull_requests[0].number }} + pr-head-ref: ${{ github.event.workflow_run.pull_requests[0].head.ref }} # end::process-dependabot[] From 9565410753299800e50564b8f97cb040dd768614 Mon Sep 17 00:00:00 2001 
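Review bot: `PR_URL: ${{ github.server_url }}/${{ github.repository }}/pull/${{ inputs.pr-id }}` is now spelled out twice, in the changelog step and again in the auto-merge step, and `PR_ID: ${{ inputs.pr-id }}` twice as well. A job-level `env:` block holding both would give every step the same values and leave one place to change them. The bodies of these steps extend outside the hunks.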
From: "Piotr P. Karwasz" Date: Wed, 15 Apr 2026 00:21:44 +0200 Subject: [PATCH 12/25] fix: inline user-name and user-email --- .github/workflows/process-dependabot-reusable.yaml | 14 ++------------ .../modules/ROOT/examples/process-dependabot.yaml | 4 ---- 2 files changed, 2 insertions(+), 16 deletions(-) diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index 1da22479..170dd84a 100644 --- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml @@ -20,14 +20,6 @@ name: Dependabot Process PR on: workflow_call: inputs: - user-name: - description: The name of the user to use for the commit - default: 'ASF Logging Services RM' - type: string - user-email: - description: The email of the user to use for the commit - default: 'private@logging.apache.org' - type: string analyze-workflow-run-id: description: The ID of the workflow run that analyzed the PR required: true @@ -156,13 +148,11 @@ jobs: - name: Add & commit changes shell: bash env: - USER_NAME: ${{ inputs.user-name }} - USER_EMAIL: ${{ inputs.user-email }} PR_ID: ${{ inputs.pr-id }} run: | git add src/changelog - git config user.name "$USER_NAME" - git config user.email "$USER_EMAIL" + git config user.name "ASF Logging Services RM" + git config user.email "private@logging.apache.org" git commit -S -m "Generate changelog entries for #$PR_ID" git push origin diff --git a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml index a03328ee..b8128721 100644 --- a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml +++ b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml 
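Review bot: `git config user.email "private@logging.apache.org"` is followed by `git commit -S`, so the inlined address has to match a UID of the signing key (presumably the one imported from the `GPG_PRIVATE_KEY` secret; the import step is outside this hunk), and the only place that constraint was written down — the example's comment `The e-mail address must match the one used in the GPG key` — is removed by this same commit. A comment above the two `git config` lines, `# Identity must match a UID of the GPG key used by "git commit -S"`, keeps the requirement next to the value it constrains.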
@@ -43,10 +43,6 @@ jobs: GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} with: - # These are the default values. - # The e-mail address must match the one used in the GPG key. - user_name: "ASF Logging Services RM" - user_email: "private@logging.apache.org" # The run ID of the workflow that analyzed the PR. analyze-workflow-run-id: ${{ github.event.workflow_run.id }} # Pull request metadata extracted from the triggering workflow run. From f88dade23278127f038e8b4ba56ea1d967504a8d Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Wed, 15 Apr 2026 00:32:10 +0200 Subject: [PATCH 13/25] fix: add `changelog-path` and remove `xmlstarlet` --- .../analyze-dependabot-reusable.yaml | 3 +- .../process-dependabot-reusable.yaml | 48 +++++++------------ .../ROOT/examples/process-dependabot.yaml | 2 + 3 files changed, 20 insertions(+), 33 deletions(-) diff --git a/.github/workflows/analyze-dependabot-reusable.yaml b/.github/workflows/analyze-dependabot-reusable.yaml index 54ab4d4e..e71dcfdf 100644 --- a/.github/workflows/analyze-dependabot-reusable.yaml +++ b/.github/workflows/analyze-dependabot-reusable.yaml @@ -44,7 +44,8 @@ jobs: shell: bash env: UPDATED_DEPENDENCIES: ${{ steps.dependabot.outputs.updated-dependencies-json }} - run: echo "$UPDATED_DEPENDENCIES" > updated_dependencies.json + run: | + echo "$UPDATED_DEPENDENCIES" > updated_dependencies.json - name: Upload artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # 4.6.2 diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index 170dd84a..76221406 100644 --- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml 
@@ -32,6 +32,10 @@ on: description: The head branch ref of the pull request to process required: true type: string + changelog-path: + description: The path to the changelog directory (e.g. `src/changelog/.2.x.x`) + required: true + type: string secrets: RECURSIVE_TOKEN: description: "A PAT with `contents: write` permission to push changes and trigger the next workflow run" 
@@ -75,44 +79,24 @@ jobs: ref: ${{ inputs.pr-head-ref }} token: ${{ secrets.RECURSIVE_TOKEN }} - - name: Install `xmlstarlet` - shell: bash - run: sudo apt-get update && sudo apt-get install -y xmlstarlet - - - name: Find the release version major - shell: bash - run: | - # Extract the revision property from the pom.xml - revision=$( - xmlstarlet sel \ - -N m=http://maven.apache.org/POM/4.0.0 \ - --template --value-of /m:project/m:properties/m:revision \ - pom.xml - ) - - # Validate the version format and extract the major version - if [[ ! $revision =~ ^[0-9]+\.[0-9]+\.[0-9]+(-SNAPSHOT)?$ ]]; then - echo "Invalid version format: $revision" - exit 1 - fi - - revisionMajor=${revision%%.*} - echo "RELEASE_VERSION_MAJOR=$revisionMajor" >> $GITHUB_ENV - - name: Create changelog entries shell: bash env: PR_ID: ${{ inputs.pr-id }} PR_URL: ${{ github.server_url }}/${{ github.repository }}/pull/${{ inputs.pr-id }} + CHANGELOG_PATH: ${{ inputs.changelog-path }} UPDATED_DEPENDENCIES: ${{ runner.temp }}/updated_dependencies.json run: | + # Escapes special XML characters in a string + xml_escape() { sed 's/&/\&/g; s//\>/g; s/"/\"/g' <<< "$1"; } + # Generates the content of a changelog entry function generate_changelog_entry() { local dependency="$1" - local issue_id=$(xmlstarlet esc "$PR_ID") - local issue_link=$(xmlstarlet esc "$PR_URL") - local dependency_name=$(echo "$dependency" | jq -r '.dependencyName' | xmlstarlet esc) - local new_version=$(echo "$dependency" | jq -r '.newVersion' | xmlstarlet esc) + local issue_id=$(xml_escape "$PR_ID") + local issue_link=$(xml_escape "$PR_URL") + local dependency_name=$(xml_escape "$(echo "$dependency" | jq -r '.dependencyName')") + local new_version=$(xml_escape "$(echo "$dependency" | jq -r '.newVersion')") cat << CHANGELOG_ENTRY 
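Review bot: `local issue_id=$(xml_escape "$PR_ID")` and the three `local` lines after it mask the exit status of the command substitution, because `local` returns 0 whatever `sed` returned; with `shell: bash` the step runs under `-e -o pipefail`, so a failing escape would produce an empty value instead of a failed step, and the nested `"$(echo "$dependency" | jq -r ...)"` argument hides `jq`'s status in the same way. Declaring and assigning separately, `local dependency_name; dependency_name=$(xml_escape "$(echo "$dependency" | jq -r '.dependencyName')")`, restores the check for `sed`; the PATCH 17 rewrite of these lines further down switches to a pipe, which lets `pipefail` see `jq`, but keeps the `local x=$(...)` form and so still needs the split. Separately, as rendered on this page the `xml_escape` sed script reads `s/&/\&/g; s//\>/g; s/"/\"/g`, with an empty regex in the second command; that looks like the page having lost the `&amp;`/`&lt;`/`&gt;`/`&quot;` replacement texts, but it is worth confirming that the committed script escapes `&` first and then `<`, `>` and `"`. `generate_changelog_entry` continues outside the hunk.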
@@ -127,9 +111,8 @@ jobs: } # Ensure the changelog directory exists - release_changelog_path="src/changelog/.${RELEASE_VERSION_MAJOR}.x.x" - mkdir -p "$release_changelog_path" - cd "$release_changelog_path" + mkdir -p "$CHANGELOG_PATH" + cd "$CHANGELOG_PATH" # Generate the changelog entries for each updated dependency cat "$UPDATED_DEPENDENCIES" | jq --compact-output '.[]' | while read -r dependency; do @@ -149,8 +132,9 @@ jobs: shell: bash env: PR_ID: ${{ inputs.pr-id }} + CHANGELOG_PATH: ${{ inputs.changelog-path }} run: | - git add src/changelog + git add "$CHANGELOG_PATH" git config user.name "ASF Logging Services RM" git config user.email "private@logging.apache.org" git commit -S -m "Generate changelog entries for #$PR_ID" diff --git a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml index b8128721..02ff5a03 100644 --- a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml +++ b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml @@ -43,6 +43,8 @@ jobs: GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} with: + # The path to the changelog directory for the current development branch. + changelog-path: src/changelog/.2.x.x # The run ID of the workflow that analyzed the PR. analyze-workflow-run-id: ${{ github.event.workflow_run.id }} # Pull request metadata extracted from the triggering workflow run. From 3c86f2d541334cc026addf33f2d69b44b8c70c3f Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Wed, 15 Apr 2026 00:34:50 +0200 Subject: [PATCH 14/25] fix: sort inputs --- .github/workflows/process-dependabot-reusable.yaml | 8 ++++---- .../antora/modules/ROOT/examples/process-dependabot.yaml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index 76221406..4951bdff 100644 
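Review bot: `cd "$CHANGELOG_PATH"` here and `git add "$CHANGELOG_PATH"` in the next hunk both assume the caller-supplied `changelog-path` is a relative path inside the checkout; an absolute path or one containing `..` would still be created by `mkdir -p` and only fail, or stage the wrong tree, at `git add` in a later step. A one-line check before the `mkdir -p`, `[[ "$CHANGELOG_PATH" != /* && "$CHANGELOG_PATH" != *..* ]] || { echo "changelog-path must be a relative path inside the repository: $CHANGELOG_PATH"; exit 1; }`, rejects such a value at the point of first use. The changelog loop continues outside the hunk.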
--- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml @@ -24,6 +24,10 @@ on: description: The ID of the workflow run that analyzed the PR required: true type: number + changelog-path: + description: The path to the changelog directory (e.g. `src/changelog/.2.x.x`) + required: true + type: string pr-id: description: The number of the pull request to process required: true @@ -32,10 +36,6 @@ on: description: The head branch ref of the pull request to process required: true type: string - changelog-path: - description: The path to the changelog directory (e.g. `src/changelog/.2.x.x`) - required: true - type: string secrets: RECURSIVE_TOKEN: description: "A PAT with `contents: write` permission to push changes and trigger the next workflow run" diff --git a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml index 02ff5a03..d4d25050 100644 --- a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml +++ b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml @@ -43,10 +43,10 @@ jobs: GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} with: - # The path to the changelog directory for the current development branch. - changelog-path: src/changelog/.2.x.x # The run ID of the workflow that analyzed the PR. analyze-workflow-run-id: ${{ github.event.workflow_run.id }} + # The path to the changelog directory for the current development branch. + changelog-path: src/changelog/.2.x.x # Pull request metadata extracted from the triggering workflow run. pr-id: ${{ github.event.workflow_run.pull_requests[0].number }} pr-head-ref: ${{ github.event.workflow_run.pull_requests[0].head.ref }} From 4fd4cf06babad111b3dd5d4235f533961b528c00 Mon Sep 17 00:00:00 2001 
From: "Piotr P. Karwasz" Date: Wed, 15 Apr 2026 00:41:20 +0200 Subject: [PATCH 15/25] fix: filters on PR user --- .github/workflows/analyze-dependabot-reusable.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/analyze-dependabot-reusable.yaml b/.github/workflows/analyze-dependabot-reusable.yaml index e71dcfdf..8cd35490 100644 --- a/.github/workflows/analyze-dependabot-reusable.yaml +++ b/.github/workflows/analyze-dependabot-reusable.yaml @@ -28,7 +28,7 @@ jobs: analyze-pull-request: # Skip this workflow on commits not pushed by Dependabot - if: ${{ github.actor == 'dependabot[bot]' }} + if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} runs-on: ubuntu-latest steps: From f78eab8dd24ca09cbd7c9091793348c82eb57568 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Wed, 15 Apr 2026 08:25:19 +0200 Subject: [PATCH 16/25] fix: remove computable parameters Removes the parameters that can be computed. --- .../process-dependabot-reusable.yaml | 34 ++++++++----------- .../ROOT/examples/process-dependabot.yaml | 11 +++--- 2 files changed, 20 insertions(+), 25 deletions(-) diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index 4951bdff..bfda9520 100644 --- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml 
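Review bot: The comment `# Skip this workflow on commits not pushed by Dependabot` no longer describes the condition below it: `github.event.pull_request.user.login` is the author of the pull request, so the job now runs for any commit on a Dependabot-opened PR, including ones pushed by a maintainer, whereas `github.actor` identified the push. Rewording it to `# Only analyze pull requests opened by Dependabot (the PR author, not the actor of the latest push)` keeps the comment and the check in agreement. The privileged `process-dependabot` side of this series still filters on `github.actor`, so the two workflows now apply different identity tests; a sentence stating that this is deliberate would help the next reader.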
@@ -20,22 +20,10 @@ name: Dependabot Process PR on: workflow_call: inputs: - analyze-workflow-run-id: - description: The ID of the workflow run that analyzed the PR - required: true - type: number changelog-path: description: The path to the changelog directory (e.g. `src/changelog/.2.x.x`) required: true type: string - pr-id: - description: The number of the pull request to process - required: true - type: number - pr-head-ref: - description: The head branch ref of the pull request to process - required: true - type: string secrets: RECURSIVE_TOKEN: description: "A PAT with `contents: write` permission to push changes and trigger the next workflow run" @@ -65,25 +53,33 @@ jobs: steps: + - name: Get pull request metadata + id: pr + env: + PULL_REQUESTS: ${{ toJSON(github.event.workflow_run.pull_requests) }} + run: | + echo "id=$(echo "$PULL_REQUESTS" | jq -r '.[0].number')" >> "$GITHUB_OUTPUT" + echo "head-ref=$(echo "$PULL_REQUESTS" | jq -r '.[0].head.ref')" >> "$GITHUB_OUTPUT" + - name: Fetch Dependabot metadata uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # 4.3.0 with: github-token: ${{ github.token }} name: dependabot-metadata path: ${{ runner.temp }} - run-id: ${{ inputs.analyze-workflow-run-id }} + run-id: ${{ github.event.workflow_run.id }} - name: Check out repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 with: - ref: ${{ inputs.pr-head-ref }} + ref: ${{ steps.pr.outputs.head-ref }} token: ${{ secrets.RECURSIVE_TOKEN }} - name: Create changelog entries shell: bash env: - PR_ID: ${{ inputs.pr-id }} - PR_URL: ${{ github.server_url }}/${{ github.repository }}/pull/${{ inputs.pr-id }} + PR_ID: ${{ steps.pr.outputs.id }} + PR_URL: ${{ github.server_url }}/${{ github.repository }}/pull/${{ steps.pr.outputs.id }} CHANGELOG_PATH: ${{ inputs.changelog-path }} UPDATED_DEPENDENCIES: ${{ runner.temp }}/updated_dependencies.json run: | 
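Review bot: `jq -r '.[0].number'` in the new `Get pull request metadata` step prints the string `null` when `github.event.workflow_run.pull_requests` is empty, and that value then flows into the checkout `ref:` and into `gh pr merge`; the `workflow_run` payload does not guarantee the array is populated (in my experience it is empty for pull requests from forks), so the step should fail explicitly instead. The step also omits the `shell: bash` that every other `run:` step in the job sets, so it runs without `pipefail`. The rewrite below uses `jq -e`, which exits non-zero on a `null` result, and assigns through plain variables so the failure aborts the step before anything downstream uses the values.
```yaml
      - name: Get pull request metadata
        id: pr
        shell: bash
        env:
          PULL_REQUESTS: ${{ toJSON(github.event.workflow_run.pull_requests) }}
        run: |
          # `pull_requests` may be empty; `jq -e` exits non-zero on a null result,
          # so a missing PR fails this step instead of propagating "null" downstream.
          pr_id=$(jq -er '.[0].number' <<< "$PULL_REQUESTS")
          pr_head_ref=$(jq -er '.[0].head.ref' <<< "$PULL_REQUESTS")
          echo "id=$pr_id" >> "$GITHUB_OUTPUT"
          echo "head-ref=$pr_head_ref" >> "$GITHUB_OUTPUT"
      # … unchanged: Fetch Dependabot metadata, Check out repository, Create changelog entries …
```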
@@ -131,8 +127,8 @@ jobs: - name: Add & commit changes shell: bash env: - PR_ID: ${{ inputs.pr-id }} CHANGELOG_PATH: ${{ inputs.changelog-path }} + PR_ID: ${{ steps.pr.outputs.id }} run: | git add "$CHANGELOG_PATH" git config user.name "ASF Logging Services RM" @@ -144,6 +140,6 @@ jobs: shell: bash env: GH_TOKEN: ${{ github.token }} - PR_URL: ${{ github.server_url }}/${{ github.repository }}/pull/${{ inputs.pr-id }} + PR_ID: ${{ steps.pr.outputs.id }} run: | - gh pr merge --squash --auto "$PR_URL" + gh pr merge --squash --auto "$PR_ID" diff --git a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml index d4d25050..f36343ae 100644 --- a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml +++ b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml @@ -31,7 +31,11 @@ jobs: # tag::process-dependabot[] process-dependabot: # Skip this workflow on commits not pushed by Dependabot - if: ${{ github.event.workflow_run.conclusion == 'success' && github.actor == 'dependabot[bot]' }} + if: ${{ + github.repository == 'apache/logging-parent' + && github.event.workflow_run.conclusion == 'success' + && github.actor == 'dependabot[bot]' + }} uses: apache/logging-parent/.github/workflows/process-dependabot-reusable.yaml@rel/{project-version} permissions: # The default GITHUB_TOKEN will be used to enable the "auto-merge" on the PR 
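Review bot: `gh pr merge --squash --auto "$PR_ID"` now identifies the pull request by number only, so `gh` has to resolve the repository from the remotes of the current checkout; that works as long as the checkout step before it succeeded and the workspace is unchanged, but it is an implicit dependency the previous URL form did not have. Adding `GH_REPO: ${{ github.repository }}` to the step's `env:` next to `GH_TOKEN` makes the target explicit and keeps the step working if it is ever moved or run without a checkout.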
@@ -43,11 +47,6 @@ jobs: GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} with: - # The run ID of the workflow that analyzed the PR. - analyze-workflow-run-id: ${{ github.event.workflow_run.id }} # The path to the changelog directory for the current development branch. changelog-path: src/changelog/.2.x.x - # Pull request metadata extracted from the triggering workflow run. - pr-id: ${{ github.event.workflow_run.pull_requests[0].number }} - pr-head-ref: ${{ github.event.workflow_run.pull_requests[0].head.ref }} # end::process-dependabot[] From a78b7278a426cac07b2feebeae49babc688fe2a4 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Wed, 15 Apr 2026 08:34:40 +0200 Subject: [PATCH 17/25] fix: refactor XML escaping --- .github/workflows/process-dependabot-reusable.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index bfda9520..4d394592 100644 --- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml 
@@ -84,15 +84,15 @@ jobs: UPDATED_DEPENDENCIES: ${{ runner.temp }}/updated_dependencies.json run: | # Escapes special XML characters in a string - xml_escape() { sed 's/&/\&/g; s//\>/g; s/"/\"/g' <<< "$1"; } + xml_escape() { sed 's/&/\&/g; s//\>/g; s/"/\"/g'; } # Generates the content of a changelog entry function generate_changelog_entry() { local dependency="$1" - local issue_id=$(xml_escape "$PR_ID") - local issue_link=$(xml_escape "$PR_URL") - local dependency_name=$(xml_escape "$(echo "$dependency" | jq -r '.dependencyName')") - local new_version=$(xml_escape "$(echo "$dependency" | jq -r '.newVersion')") + local issue_id=$(xml_escape <<< "$PR_ID") + local issue_link=$(xml_escape <<< "$PR_URL") + local dependency_name=$(echo "$dependency" | jq -r '.dependencyName' | xml_escape) + local new_version=$(echo "$dependency" | jq -r '.newVersion' | xml_escape) cat << CHANGELOG_ENTRY From 615116f2cab3221ca43a8c18f4222426b2788255 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Wed, 15 Apr 2026 08:42:29 +0200 Subject: [PATCH 18/25] fix: debug `workflow_run` payload --- .github/workflows/process-dependabot-reusable.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index 4d394592..fd586972 100644 --- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml 
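Review bot: The rewritten `local issue_id=$(xml_escape <<< "$PR_ID")` and its three sibling assignments fold the command substitution into the `local` declaration, so the exit status of the substituted pipeline is replaced by that of `local`, and a failing `jq` (for example on a malformed entry in `updated_dependencies.json`) silently produces an empty value instead of stopping the step under the `bash -eo pipefail` that GitHub uses for `shell: bash`. The removed lines had the same weakness, so this refactor is the natural point to fix it: `local dependency_name; dependency_name=$(echo "$dependency" | jq -r '.dependencyName' | xml_escape)` and likewise for the other three, so an incomplete changelog entry is never committed. The body of `generate_changelog_entry` continues past the end of the hunk.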
@@ -56,8 +56,13 @@ jobs: - name: Get pull request metadata id: pr env: + # Reference of the payload: https://docs.github.com/en/webhooks/webhook-events-and-payloads#workflow_run + # + # The structure of `pull_requests` is not documented, so we'll dump it for debugging purposes. PULL_REQUESTS: ${{ toJSON(github.event.workflow_run.pull_requests) }} run: | + # Print payload for debugging + jq <<< "$PULL_REQUESTS" echo "id=$(echo "$PULL_REQUESTS" | jq -r '.[0].number')" >> "$GITHUB_OUTPUT" echo "head-ref=$(echo "$PULL_REQUESTS" | jq -r '.[0].head.ref')" >> "$GITHUB_OUTPUT" From 499214f92d8e2ae70aa41ce013ec137b0b7438ee Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Wed, 15 Apr 2026 08:44:15 +0200 Subject: [PATCH 19/25] fix: remove license line --- .github/workflows/process-dependabot-reusable.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index fd586972..7a7150b1 100644 --- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml @@ -100,7 +100,6 @@ jobs: local new_version=$(echo "$dependency" | jq -r '.newVersion' | xml_escape) cat << CHANGELOG_ENTRY - Date: Wed, 15 Apr 2026 08:55:00 +0200 Subject: [PATCH 20/25] fix: add comments to checks --- .github/workflows/analyze-dependabot-reusable.yaml | 2 +- .github/workflows/process-dependabot-reusable.yaml | 2 +- src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/analyze-dependabot-reusable.yaml b/.github/workflows/analyze-dependabot-reusable.yaml index 8cd35490..5cd83aef 100644 --- a/.github/workflows/analyze-dependabot-reusable.yaml +++ b/.github/workflows/analyze-dependabot-reusable.yaml 
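Review bot: The `id` and `head-ref` outputs are produced by `jq -r '.[0].number'` inside an `echo` command substitution, so when `workflow_run.pull_requests` is empty (which can happen, and the new comment itself notes the structure is undocumented) the step still succeeds and exports the literal string `null`, which later reaches `git commit -m "... #null"` and `gh pr merge --squash --auto "null"` in the other steps of this job. Assigning first lets the shell's `-e` abort the job: `pr_id=$(jq -er '.[0].number' <<< "$PULL_REQUESTS")` followed by `echo "id=$pr_id" >> "$GITHUB_OUTPUT"`, and the same pattern for `head-ref`; `jq -e` exits non-zero when its last output is `null` or `false`. The added `jq <<< "$PULL_REQUESTS"` dump exposes no secrets, but the comment above it should say whether it is meant to stay or to be removed once the payload shape is confirmed.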
@@ -27,7 +27,7 @@ permissions: { } jobs: analyze-pull-request: - # Skip this workflow on commits not pushed by Dependabot + # Defense-in-depth check if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} runs-on: ubuntu-latest diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index 7a7150b1..b3662539 100644 --- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml @@ -42,7 +42,7 @@ permissions: { } jobs: generate-changelog: - # Skip this workflow on commits not pushed by Dependabot + # Defense-in-depth check if: ${{ github.actor == 'dependabot[bot]' }} runs-on: ubuntu-latest permissions: diff --git a/src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml b/src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml index c3319016..2b93745b 100644 --- a/src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml +++ b/src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml @@ -26,7 +26,7 @@ jobs: # tag::analyze-dependabot[] analyze-dependabot: - # Skip this workflow on commits not pushed by Dependabot - if: ${{ github.repository == 'apache/logging-parent' && github.actor == 'dependabot[bot]' }} + # Skip this workflow on PRs not created by Dependabot + if: ${{ github.repository == 'apache/logging-parent' && github.event.pull_request.user.login == 'dependabot[bot]' }} uses: apache/logging-parent/.github/workflows/analyze-dependabot-reusable.yaml@rel/{project-version} # end::analyze-dependabot[] From 2525d34129232b90282c1930baa26000f045088d Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Wed, 15 Apr 2026 08:56:04 +0200 Subject: [PATCH 21/25] fix: check order --- src/site/antora/modules/ROOT/examples/process-dependabot.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml index f36343ae..150c286b 100644 --- a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml +++ b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml @@ -33,8 +33,8 @@ jobs: # Skip this workflow on commits not pushed by Dependabot if: ${{ github.repository == 'apache/logging-parent' - && github.event.workflow_run.conclusion == 'success' && github.actor == 'dependabot[bot]' + && github.event.workflow_run.conclusion == 'success' }} uses: apache/logging-parent/.github/workflows/process-dependabot-reusable.yaml@rel/{project-version} permissions: From 928fe460afb418a4a648f0f50776d69f4d3dca2e Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Wed, 15 Apr 2026 09:50:53 +0200 Subject: [PATCH 22/25] fix: adapt to `ppkarwasz` organisation --- .github/workflows/process-dependabot-reusable.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index b3662539..7cb2c83f 100644 --- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml @@ -135,8 +135,8 @@ jobs: PR_ID: ${{ steps.pr.outputs.id }} run: | git add "$CHANGELOG_PATH" - git config user.name "ASF Logging Services RM" - git config user.email "private@logging.apache.org" + git config user.name "Copernik.eu RM" + git config user.email "bot@copernik.eu" git commit -S -m "Generate changelog entries for #$PR_ID" git push origin From 2d9b23511798e6817f62975796d279f742d5a2ab Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 15 Apr 2026 08:39:30 +0000 Subject: [PATCH 23/25] Bump Dependabot workflow dependencies --- .github/workflows/analyze-dependabot-reusable.yaml | 4 ++-- .github/workflows/process-dependabot-reusable.yaml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/analyze-dependabot-reusable.yaml b/.github/workflows/analyze-dependabot-reusable.yaml index 5cd83aef..8d9b3e49 100644 --- a/.github/workflows/analyze-dependabot-reusable.yaml +++ b/.github/workflows/analyze-dependabot-reusable.yaml @@ -35,7 +35,7 @@ jobs: - name: Fetch Dependabot metadata id: dependabot - uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # 2.4.0 + uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36 # 3.0.0 with: github-token: ${{ github.token }} @@ -48,7 +48,7 @@ jobs: echo "$UPDATED_DEPENDENCIES" > updated_dependencies.json - name: Upload artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # 4.6.2 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # 7.0.1 with: name: dependabot-metadata path: updated_dependencies.json diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index 7cb2c83f..8088bc8b 100644 --- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml @@ -67,7 +67,7 @@ jobs: echo "head-ref=$(echo "$PULL_REQUESTS" | jq -r '.[0].head.ref')" >> "$GITHUB_OUTPUT" - name: Fetch Dependabot metadata - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # 4.3.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # 8.0.1 with: github-token: ${{ github.token }} name: dependabot-metadata 
@@ -75,7 +75,7 @@ jobs: run-id: ${{ github.event.workflow_run.id }} - name: Check out repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2 with: ref: ${{ steps.pr.outputs.head-ref }} token: ${{ secrets.RECURSIVE_TOKEN }} @@ -123,7 +123,7 @@ jobs: done - name: Set up GPG - uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # 6.3.0 + uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # 7.0.0 with: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.GPG_PASSPHRASE }} From 310d0696be99c1eafbb567186b9b410d19673209 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Wed, 15 Apr 2026 11:27:23 +0200 Subject: [PATCH 24/25] Remove commit signing --- .../workflows/process-dependabot-reusable.yaml | 18 +++--------------- .../ROOT/examples/process-dependabot.yaml | 2 -- 2 files changed, 3 insertions(+), 17 deletions(-) diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index 8088bc8b..059e1f56 100644 --- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml @@ -28,12 +28,6 @@ on: RECURSIVE_TOKEN: description: "A PAT with `contents: write` permission to push changes and trigger the next workflow run" required: true - GPG_PASSPHRASE: - description: GPG passphrase for signing commits - required: false - GPG_PRIVATE_KEY: - description: GPG secret key for signing commits - required: true # Explicitly drop all permissions inherited from the caller for security. # Reference: https://docs.github.com/en/actions/sharing-automations/reusing-workflows#access-and-permissions 
@@ -122,12 +116,6 @@ jobs: generate_changelog_entry "$dependency" > "$changelog_file_name" done - - name: Set up GPG - uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # 7.0.0 - with: - gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} - passphrase: ${{ secrets.GPG_PASSPHRASE }} - - name: Add & commit changes shell: bash env: @@ -135,9 +123,9 @@ jobs: PR_ID: ${{ steps.pr.outputs.id }} run: | git add "$CHANGELOG_PATH" - git config user.name "Copernik.eu RM" - git config user.email "bot@copernik.eu" - git commit -S -m "Generate changelog entries for #$PR_ID" + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git commit -m "Generate changelog entries for #$PR_ID" git push origin - name: Enable auto-merge on PR diff --git a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml index 150c286b..f40be8fc 100644 --- a/src/site/antora/modules/ROOT/examples/process-dependabot.yaml +++ b/src/site/antora/modules/ROOT/examples/process-dependabot.yaml @@ -44,8 +44,6 @@ jobs: pull-requests: write secrets: RECURSIVE_TOKEN: ${{ secrets.DEPENDABOT_TOKEN }} - GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} with: # The path to the changelog directory for the current development branch. changelog-path: src/changelog/.2.x.x From f6ef80d582f521cb97a62adfcb05cd4607e195de Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Wed, 15 Apr 2026 11:58:15 +0200 Subject: [PATCH 25/25] Modify preconditions --- .github/workflows/analyze-dependabot-reusable.yaml | 9 +++++++-- .github/workflows/process-dependabot-reusable.yaml | 9 +++++++-- .../antora/modules/ROOT/examples/analyze-dependabot.yaml | 9 +++++++-- 3 files changed, 21 insertions(+), 6 deletions(-) 
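Review bot: Dropping `-S` while committing as `github-actions[bot]` produces an unsigned commit whose author identity does not match the credential that pushes it — `git push origin` presumably reuses the `RECURSIVE_TOKEN` given to `actions/checkout`, which the workflow's `secrets:` section describes as a PAT — so the commit shows as unverified and the audit trail no longer names the account that actually wrote to the branch; a branch rule requiring signed commits would reject the push outright. If unsigned commits are the accepted trade-off, record it above the `git config` lines, e.g. `# Commits are intentionally unsigned; the push is authenticated by RECURSIVE_TOKEN, not by this author identity.`, otherwise keep signing with a key bound to the pushing account. `git push origin` without a refspec also depends on the checked-out branch having an upstream; pushing `HEAD:` to `steps.pr.outputs.head-ref` explicitly would remove that assumption.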
diff --git a/.github/workflows/analyze-dependabot-reusable.yaml b/.github/workflows/analyze-dependabot-reusable.yaml index 8d9b3e49..326656d4 100644 --- a/.github/workflows/analyze-dependabot-reusable.yaml +++ b/.github/workflows/analyze-dependabot-reusable.yaml @@ -27,8 +27,13 @@ permissions: { } jobs: analyze-pull-request: - # Defense-in-depth check - if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} + # Defense-in-depth (in case the caller forgets): + # `github.actor` prevents recursive calls when `github-actions[bot]` pushes to the PR; + # `github.event.pull_request.user.login` skips PRs not opened by Dependabot. + if: ${{ + github.actor == 'dependabot[bot]' + && github.event.pull_request.user.login == 'dependabot[bot]' + }} runs-on: ubuntu-latest steps: diff --git a/.github/workflows/process-dependabot-reusable.yaml b/.github/workflows/process-dependabot-reusable.yaml index 059e1f56..b46491a0 100644 --- a/.github/workflows/process-dependabot-reusable.yaml +++ b/.github/workflows/process-dependabot-reusable.yaml @@ -36,8 +36,13 @@ permissions: { } jobs: generate-changelog: - # Defense-in-depth check - if: ${{ github.actor == 'dependabot[bot]' }} + # Defense-in-depth (in case the caller forgets): + # `github.actor` prevents recursive calls when `github-actions[bot]` pushes to the PR; + # `github.event.workflow_run.conclusion` only runs after a successful analysis workflow. + if: ${{ + github.actor == 'dependabot[bot]' + && github.event.workflow_run.conclusion == 'success' + }} runs-on: ubuntu-latest permissions: # The default GITHUB_TOKEN will be used to enable the "auto-merge" on the PR diff --git a/src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml b/src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml index 2b93745b..81aefb12 100644 --- a/src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml +++ b/src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml 
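Review bot: The new comment line `github.actor prevents recursive calls when github-actions[bot] pushes to the PR` misattributes the pushing identity: the changelog commit is pushed with `RECURSIVE_TOKEN`, described in the reusable workflow's `secrets:` as a PAT, so the run that push triggers has the token owner's login as `github.actor`, not `github-actions[bot]`; the `git config user.name` chosen for the commit has no effect on the actor. The guard still holds because that login is not `dependabot[bot]`, but the comment should state the real mechanism, e.g. `# github.actor prevents recursive calls: the changelog commit is pushed with RECURSIVE_TOKEN, so the run it triggers has that token's owner as actor, not dependabot[bot].` The same sentence appears in the `generate-changelog` hunk of `process-dependabot-reusable.yaml` in this chunk and in the following `src/site/antora/modules/ROOT/examples/analyze-dependabot.yaml` hunk, and should be corrected in all three.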
@@ -26,7 +26,12 @@ jobs: # tag::analyze-dependabot[] analyze-dependabot: - # Skip this workflow on PRs not created by Dependabot - if: ${{ github.repository == 'apache/logging-parent' && github.event.pull_request.user.login == 'dependabot[bot]' }} + # `github.actor` prevents recursive calls when `github-actions[bot]` pushes to the PR; + # `github.event.pull_request.user.login` skips PRs not opened by Dependabot. + if: ${{ + github.repository == 'apache/logging-parent' + && github.actor == 'dependabot[bot]' + && github.event.pull_request.user.login == 'dependabot[bot]' + }} uses: apache/logging-parent/.github/workflows/analyze-dependabot-reusable.yaml@rel/{project-version} # end::analyze-dependabot[]