diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..72a05a86 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,50 @@ +# This file is automatically added by @npmcli/template-oss. Do not edit. + +version: 2 + +updates: + - package-ecosystem: npm + directory: / + schedule: + interval: daily + target-branch: "main" + allow: + - dependency-type: direct + versioning-strategy: increase-if-necessary + commit-message: + prefix: deps + prefix-development: chore + labels: + - "Dependencies" + - package-ecosystem: npm + directory: / + schedule: + interval: daily + target-branch: "release/v5" + allow: + - dependency-type: direct + dependency-name: "@npmcli/template-oss" + versioning-strategy: increase-if-necessary + commit-message: + prefix: deps + prefix-development: chore + labels: + - "Dependencies" + - "Backport" + - "release/v5" + - package-ecosystem: npm + directory: / + schedule: + interval: daily + target-branch: "release/v6" + allow: + - dependency-type: direct + dependency-name: "@npmcli/template-oss" + versioning-strategy: increase-if-necessary + commit-message: + prefix: deps + prefix-development: chore + labels: + - "Dependencies" + - "Backport" + - "release/v6" diff --git a/.github/settings.yml b/.github/settings.yml deleted file mode 100644 index adbef7e6..00000000 --- a/.github/settings.yml +++ /dev/null @@ -1,52 +0,0 @@ -# This file is automatically added by @npmcli/template-oss. Do not edit. - -repository: - allow_merge_commit: false - allow_rebase_merge: true - allow_squash_merge: true - squash_merge_commit_title: PR_TITLE - squash_merge_commit_message: PR_BODY - delete_branch_on_merge: true - enable_automated_security_fixes: true - enable_vulnerability_alerts: true - -branches: - - name: main - protection: - required_status_checks: null - enforce_admins: true - required_pull_request_reviews: - required_approving_review_count: 1 - require_code_owner_reviews: true - require_last_push_approval: true - dismiss_stale_reviews: true - restrictions: - apps: [] - users: [] - teams: [ "cli-team" ] - - name: latest - protection: - required_status_checks: null - enforce_admins: true - required_pull_request_reviews: - required_approving_review_count: 1 - require_code_owner_reviews: true - require_last_push_approval: true - dismiss_stale_reviews: true - restrictions: - apps: [] - users: [] - teams: [ "cli-team" ] - - name: release/v* - protection: - required_status_checks: null - enforce_admins: true - required_pull_request_reviews: - required_approving_review_count: 1 - require_code_owner_reviews: true - require_last_push_approval: true - dismiss_stale_reviews: true - restrictions: - apps: [] - users: [] - teams: [ "cli-team" ] diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 11b02c0d..5335bc0b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,7 +8,6 @@ on: push: branches: - main - - latest - release/v* schedule: # "At 09:00 UTC (02:00 PT) on Monday" https://crontab.guru/#0_9_*_*_1 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 21244879..9fb3f79a 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -6,12 +6,10 @@ on: push: branches: - main - - latest - release/v* pull_request: branches: - main - - latest - release/v* schedule: # "At 10:00 UTC (03:00 PT) on Monday" https://crontab.guru/#0_10_*_*_1 diff --git a/.github/workflows/post-dependabot.yml b/.github/workflows/post-dependabot.yml new file mode 100644 index 00000000..e8b1cf8a --- /dev/null +++ b/.github/workflows/post-dependabot.yml @@ -0,0 +1,124 @@ +# This file is automatically added by @npmcli/template-oss. Do not edit. + +name: Post Dependabot + +on: pull_request + +permissions: + contents: write + +jobs: + template-oss: + name: template-oss + if: github.repository_owner == 'npm' && github.actor == 'dependabot[bot]' + runs-on: ubuntu-latest + defaults: + run: + shell: bash + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + - name: Setup Git User + run: | + git config --global user.email "npm-cli+bot@github.com" + git config --global user.name "npm CLI robot" + - name: Setup Node + uses: actions/setup-node@v3 + with: + node-version: 18.x + - name: Remove Template-OSS + if: matrix && matrix.node-version == '6.17.1' + run: | + # template-oss cannot be installed on older npms because there are transient deps + # that use "npm:" aliases which are not supported + jq 'del(.devDependencies["@npmcli/template-oss"])' package.json > package.json-update + mv package.json-update package.json + - name: Install Dependencies + run: npm i --ignore-scripts --no-audit --no-fund + - name: Fetch Dependabot Metadata + id: metadata + uses: dependabot/fetch-metadata@v1 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + + # Dependabot can update multiple directories so we output which directory + # it is acting on so we can run the command for the correct root or workspace + - name: Get Dependabot Directory + if: contains(steps.metadata.outputs.dependency-names, '@npmcli/template-oss') + id: flags + run: | + dependabot_dir="${{ steps.metadata.outputs.directory }}" + if [[ "$dependabot_dir" == "/" ]]; then + echo "workspace=-iwr" >> $GITHUB_OUTPUT + else + # strip leading slash from directory so it works as a + # a path to the workspace flag + echo "workspace=-w ${dependabot_dir#/}" >> $GITHUB_OUTPUT + fi + + - name: Apply Changes + if: steps.flags.outputs.workspace + id: apply + run: | + npm run template-oss-apply ${{ steps.flags.outputs.workspace }} + if [[ `git status --porcelain` ]]; then + echo "changes=true" >> $GITHUB_OUTPUT + fi + # This only sets the conventional commit prefix. This workflow can't reliably determine + # what the breaking change is though. If a BREAKING CHANGE message is required then + # this PR check will fail and the commit will be amended with stafftools + if [[ "${{ steps.metadata.outputs.update-type }}" == "version-update:semver-major" ]]; then + prefix='feat!' + else + prefix='chore' + fi + echo "message=$prefix: postinstall for dependabot template-oss PR" >> $GITHUB_OUTPUT + + # This step will fail if template-oss has made any workflow updates. It is impossible + # for a workflow to update other workflows. In the case it does fail, we continue + # and then try to apply only a portion of the changes in the next step + - name: Push All Changes + if: steps.apply.outputs.changes + id: push + continue-on-error: true + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + git commit -am "${{ steps.apply.outputs.message }}" + git push + + # If the previous step failed, then reset the commit and remove any workflow changes + # and attempt to commit and push again. This is helpful because we will have a commit + # with the correct prefix that we can then --amend with @npmcli/stafftools later. + - name: Push All Changes Except Workflows + if: steps.apply.outputs.changes && steps.push.outcome == 'failure' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + git reset HEAD~ + git checkout HEAD -- .github/workflows/ + git clean -fd .github/workflows/ + git commit -am "${{ steps.apply.outputs.message }}" + git push + + # Check if all the necessary template-oss changes were applied. Since we continued + # on errors in one of the previous steps, this check will fail if our follow up + # only applied a portion of the changes and we need to followup manually. + # + # Note that this used to run `lint` and `postlint` but that will fail this action + # if we've also shipped any linting changes separate from template-oss. We do + # linting in another action, so we want to fail this one only if there are + # template-oss changes that could not be applied. + - name: Check Changes + if: steps.apply.outputs.changes + run: | + npm exec --offline ${{ steps.flags.outputs.workspace }} -- template-oss-check + + - name: Fail on Breaking Change + if: steps.apply.outputs.changes && startsWith(steps.apply.outputs.message, 'feat!') + run: | + echo "This PR has a breaking change. Run 'npx -p @npmcli/stafftools gh template-oss-fix'" + echo "for more information on how to fix this with a BREAKING CHANGE footer." + exit 1 diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index ad7fb0de..0d9ac695 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -50,4 +50,4 @@ jobs: env: PR_TITLE: ${{ github.event.pull_request.title }} run: | - echo '$PR_TITLE' | npx --offline commitlint -V + echo "$PR_TITLE" | npx --offline commitlint -V diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 96195497..b24fcb57 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,7 +11,6 @@ on: push: branches: - main - - latest - release/v* permissions: diff --git a/package.json b/package.json index c2bde6f2..c8863354 100644 --- a/package.json +++ b/package.json @@ -33,6 +33,6 @@ "templateOSS": { "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.", "content": "./scripts/template-oss", - "version": "4.17.0" + "version": "4.18.0" } } diff --git a/scripts/template-oss/index.js b/scripts/template-oss/index.js index 8e655e01..75d94efb 100644 --- a/scripts/template-oss/index.js +++ b/scripts/template-oss/index.js @@ -11,7 +11,6 @@ module.exports = { macCI: false, updateNpm: false, eslint: false, - dependabot: false, oldNode: OLD_NODE, ciVersions: [ OLD_NODE, @@ -21,12 +20,17 @@ module.exports = { '/range.bnf', '/semver.js', ], + rootRepo: { + add: { + '.github/settings.yml': false + } + }, rootModule: { add: { 'package.json': { file: './pkg.json', overwrite: false - } + }, } } }