From f2e75754940c724513f27eee374914928f43d78e Mon Sep 17 00:00:00 2001
From: Dylan Rogowsky
Date: Thu, 27 Feb 2025 16:43:25 -0700
Subject: [PATCH] ALCS-2227: Configure dependabot
Potential fix for code scanning alert no. 3: Expression injection in Actions
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/dependabot.yml | 88 +++++++++++++++++++++
 .github/workflows/auto-merge-dependabot.yml | 38 +++++++++
 2 files changed, 126 insertions(+)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/auto-merge-dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..fccf78cc1
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,88 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+ - package-ecosystem: "npm"
+ directory: "/alcs-frontend"
+ schedule:
+ interval: "daily"
+ target-branch: "develop"
+ commit-message:
+ prefix: "ALCS-000"
+ allow:
+ - dependency-type: "direct"
+ ignore:
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
+ groups:
+ npm-security:
+ applies-to: security-updates
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
+ npm-minor-and-patch:
+ applies-to: version-updates
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
+ - package-ecosystem: "npm"
+ directory: "/portal-frontend"
+ schedule:
+ interval: "daily"
+ target-branch: "develop"
+ commit-message:
+ prefix: "ALCS-000"
+ allow:
+ - dependency-type: "direct"
+ ignore:
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
+ groups:
+ npm-security:
+ applies-to: security-updates
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
+ npm-minor-and-patch:
+ applies-to: version-updates
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
+ - package-ecosystem: "npm"
+ directory: "/services"
+ schedule:
+ interval: "daily"
+ target-branch: "develop"
+ commit-message:
+ prefix: "ALCS-000"
+ allow:
+ - dependency-type: "direct"
+ ignore:
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
+ groups:
+ npm-security:
+ applies-to: security-updates
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
+ npm-minor-and-patch:
+ applies-to: version-updates
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
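Review bot: The `ignore` entry with `dependency-name: "*"` and `update-types: ["version-update:semver-major"]`, repeated for all three ecosystems, also silences security updates whose fix only ships in a new major version, because (per the Dependabot configuration docs) `ignore` conditions apply to security updates as well as version updates, so the `npm-security` group will never carry those. That is a deliberate trade-off but it should be stated where the rule is declared, e.g. `# ignore applies to security updates too: a vulnerability fixed only in a new major version gets no PR from this config and must be handled manually`. Likewise, `target-branch: "develop"` only governs version updates, while security updates are still raised against the repository's default branch, so a comment beside it would spare the next reader the surprise of security PRs landing on a different branch than the one this file names.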
diff --git a/.github/workflows/auto-merge-dependabot.yml b/.github/workflows/auto-merge-dependabot.yml
new file mode 100644
index 000000000..a02867e1e
--- /dev/null
+++ b/.github/workflows/auto-merge-dependabot.yml
@@ -0,0 +1,38 @@
+name: Auto-merge Dependabot PRs
+
+on:
+ pull_request:
+ branches:
+ - develop
+ workflow_run:
+ workflows: ["CI"]
+ types:
+ - completed
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ auto-merge:
+ runs-on: ubuntu-latest
+ if: |
+ github.actor == 'dependabot[bot]' &&
+ github.event_name == 'workflow_run' &&
+ github.event.workflow_run.conclusion == 'success'
+ steps:
+ - name: Auto-merge Dependabot PR
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+ run: |
+ # Get PR number from branch name
+ PR_NUMBER=$(echo "$HEAD_BRANCH" | grep -o '[0-9]\+' || echo '')
+
+ if [ -n "$PR_NUMBER" ]; then
+ # Approve PR
+ gh pr review $PR_NUMBER --approve
+
+ # Enable auto-merge
+ gh pr merge $PR_NUMBER --auto --merge
+ fi
\ No newline at end of file
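Review bot: `PR_NUMBER=$(echo "$HEAD_BRANCH" | grep -o '[0-9]\+' || echo '')` does not produce the PR number: a Dependabot head branch is named after the package and version (of the form `dependabot/npm_and_yarn/<directory>/develop/<package>-<version>`), so the digit runs it extracts are version components, `grep -o` prints every match on its own line, and the unquoted `$PR_NUMBER` then hands those extra tokens to `gh pr review` and `gh pr merge`, which approve and auto-merge whatever PR happens to carry the first such number. Look the PR up by its head branch instead, and since the job has no `actions/checkout` step, give `gh` the repository explicitly via `GH_REPO: ${{ github.repository }}` in `env` or it has no remote to resolve the PR against. It would also be worth tightening the job `if` with `startsWith(github.event.workflow_run.head_branch, 'dependabot/')` so a token with `contents: write` and `pull-requests: write` is only exercised on Dependabot branches, and dropping the `pull_request` trigger, whose runs can never satisfy `github.event_name == 'workflow_run'`.
```yaml
      - name: Auto-merge Dependabot PR
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: |
          # Resolve the PR by head branch; digits in a Dependabot branch name are version numbers, not the PR number
          PR_NUMBER="$(gh pr list --head "$HEAD_BRANCH" --state open --json number --jq '.[0].number // empty')"

          if [ -n "$PR_NUMBER" ]; then
            gh pr review "$PR_NUMBER" --approve
            gh pr merge "$PR_NUMBER" --auto --merge
          fi
```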