From c0e370526f0aafb417f8e5d5b2ac0b9db14c76fb Mon Sep 17 00:00:00 2001
From: ryoppippi <1560508+ryoppippi@users.noreply.github.com>
Date: Tue, 23 Dec 2025 10:24:52 +0000
Subject: [PATCH 1/3] ci(deps): add Dependabot and automated dependency updates
- Add Dependabot config for npm and GitHub Actions
- Add auto-merge workflow for Dependabot PRs (minor/patch only)
- Add scheduled Nix flake update workflow with auto-merge
---
 .github/dependabot.yaml | 47 +++++++++++++++
 .github/workflows/dependabot-auto-merge.yaml | 48 +++++++++++++++
 .github/workflows/nix-flake-update.yaml | 63 ++++++++++++++++++++
 3 files changed, 158 insertions(+)
 create mode 100644 .github/dependabot.yaml
 create mode 100644 .github/workflows/dependabot-auto-merge.yaml
 create mode 100644 .github/workflows/nix-flake-update.yaml
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 0000000..a9046b8
--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,47 @@
+version: 2
+updates:
+ # npm dependencies (pnpm compatible)
+ - package-ecosystem: npm
+ directory: /
+ schedule:
+ interval: weekly
+ day: monday
+ time: '09:00'
+ timezone: Europe/London
+ open-pull-requests-limit: 10
+ commit-message:
+ prefix: 'chore(deps)'
+ labels:
+ - dependencies
+ groups:
+ # Group minor and patch updates together
+ minor-and-patch:
+ patterns:
+ - '*'
+ update-types:
+ - minor
+ - patch
+ # Ignore major updates for stability (review manually)
+ ignore:
+ - dependency-name: '*'
+ update-types:
+ - version-update:semver-major
+
+ # GitHub Actions dependencies
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ day: monday
+ time: '09:00'
+ timezone: Europe/London
+ open-pull-requests-limit: 5
+ commit-message:
+ prefix: 'ci(deps)'
+ labels:
+ - dependencies
+ - ci
+ groups:
+ actions:
+ patterns:
+ - '*'
diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
new file mode 100644
index 0000000..0efc08f
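Review bot: The `ignore` block in the npm entry (`dependency-name: '*'` with `version-update:semver-major`) suppresses more than the comment above it suggests: to my understanding Dependabot applies `ignore` rules to security updates as well, so a vulnerability whose fix only ships in a new major release will never be surfaced as a PR, and the "(review manually)" remark gives no trigger for that review. Either narrow the ignore to the specific packages that are known to break on major bumps, or document the trade-off in place, e.g. `# Major npm updates are never opened (this also suppresses security updates that require a major bump); review them by hand on a schedule`. Minor: the github-actions entry has no matching `ignore`, so its grouped PR can contain major action bumps — presumably intentional given the SHA pinning later in this series, but worth stating in the `# GitHub Actions dependencies` comment so the two entries are not read as inconsistent.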
--- /dev/null
+++ b/.github/workflows/dependabot-auto-merge.yaml
@@ -0,0 +1,48 @@
+name: Dependabot auto-merge
+
+on:
+ pull_request:
+ types:
+ - opened
+ - synchronize
+ - reopened
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ dependabot-auto-merge:
+ runs-on: ubuntu-latest
+ if: github.actor == 'dependabot[bot]'
+ steps:
+ - name: Fetch Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v2
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Wait for CI to pass
+ uses: lewagon/wait-on-check-action@v1.3.4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ running-workflow-name: Dependabot auto-merge
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ wait-interval: 30
+
+ # Enable auto-merge for minor/patch updates
+ # GitHub will wait for required checks and 3-day delay before merging
+ - name: Enable auto-merge for minor/patch updates
+ if: steps.metadata.outputs.update-type != 'version-update:semver-major'
+ run: gh pr merge --auto --squash "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Add comment about merge delay
+ if: steps.metadata.outputs.update-type != 'version-update:semver-major'
+ run: |
+ gh pr comment "$PR_URL" --body "🤖 Auto-merge enabled. This PR will be merged automatically after CI passes and the 3-day waiting period (configured in branch protection rules)."
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/nix-flake-update.yaml b/.github/workflows/nix-flake-update.yaml
new file mode 100644
index 0000000..294cba0
--- /dev/null
+++ b/.github/workflows/nix-flake-update.yaml
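Review bot: The `if:` on the `Enable auto-merge for minor/patch updates` step (and the identical one on `Add comment about merge delay`) is fail-open: any `update-type` other than the literal major string — including an empty value when `fetch-metadata` cannot classify the PR — enables auto-merge, whereas the commit message promises "minor/patch only". An allow-list expresses the intent and fails closed: `if: contains(fromJSON('["version-update:semver-minor","version-update:semver-patch"]'), steps.metadata.outputs.update-type)`, applied to both steps. The comment posted by the last step asserts a 3-day waiting period "configured in branch protection rules", but nothing in this series establishes that rule; if it is absent, `gh pr merge --auto` merges as soon as the PR is mergeable and the third-party `Wait for CI to pass` poller becomes the only gate, so the comment text and the `# GitHub will wait for required checks and 3-day delay` comment should be verified against the repository's actual ruleset before this ships.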
@@ -0,0 +1,63 @@
+name: 'Scheduled: Nix flake update'
+
+on:
+ schedule:
+ # Run every Monday at 09:00 UTC (same as Dependabot)
+ - cron: '0 9 * * 1'
+ workflow_dispatch: # Allow manual trigger
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ update-flake:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@main
+
+ - name: Update flake.lock
+ run: nix flake update
+
+ - name: Check if flake.lock changed
+ id: check-changes
+ run: |
+ if git diff --quiet flake.lock; then
+ echo "changed=false" >> $GITHUB_OUTPUT
+ else
+ echo "changed=true" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Create Pull Request
+ id: create-pr
+ if: steps.check-changes.outputs.changed == 'true'
+ uses: peter-evans/create-pull-request@v7
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ commit-message: 'chore(deps): update nix flake inputs'
+ title: 'chore(deps): update nix flake inputs'
+ body: |
+ ## Summary
+ - Automated update of Nix flake inputs (`nixpkgs`, `flake-parts`)
+
+ ## Test plan
+ - [ ] `nix flake check` passes in CI
+ - [ ] Development shell works correctly
+
+ ---
+ 🤖 This PR was automatically created by the scheduled Nix flake update workflow.
+ branch: chore/nix-flake-update
+ labels: |
+ dependencies
+ nix
+ delete-branch: true
+
+ - name: Enable auto-merge
+ if: steps.create-pr.outputs.pull-request-number
+ run: gh pr merge --auto --squash "${{ steps.create-pr.outputs.pull-request-url }}"
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 41d450702e143a4770811b33ba3ce464e11952fa Mon Sep 17 00:00:00 2001
From: ryoppippi <1560508+ryoppippi@users.noreply.github.com>
Date: Tue, 23 Dec 2025 10:26:24 +0000
Subject: [PATCH 2/3] ci(nix): use setup-nix action for flake update workflow
---
 .github/workflows/nix-flake-update.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
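Review bot: The PR opened by the `Create Pull Request` step is authenticated with `secrets.GITHUB_TOKEN` and then has auto-merge enabled on it in the `Enable auto-merge` step; to my understanding pushes and PRs made with that token do not trigger other workflows (the create-pull-request action documents this), so the `nix flake check` named in the PR body's test plan will not run on the PR, and absent a required status check `--auto` can merge the regenerated `flake.lock` with no test having executed. Run the check inside this job before opening the PR (`- name: Check flake` / `run: nix flake check`, placed after `Update flake.lock`), or create the PR with a GitHub App or deploy-key credential that does trigger CI. Style: `Enable auto-merge` interpolates `${{ steps.create-pr.outputs.pull-request-url }}` straight into `run:`, while the sibling Dependabot workflow in this series passes the URL through `env:`; follow the same pattern here (`PR_URL: ${{ steps.create-pr.outputs.pull-request-url }}` and `"$PR_URL"` in the command), and quote `"$GITHUB_OUTPUT"` in the `Check if flake.lock changed` step.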
diff --git a/.github/workflows/nix-flake-update.yaml b/.github/workflows/nix-flake-update.yaml
index 294cba0..58a8875 100644
--- a/.github/workflows/nix-flake-update.yaml
+++ b/.github/workflows/nix-flake-update.yaml
@@ -17,8 +17,8 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
- - name: Install Nix
- uses: DeterminateSystems/nix-installer-action@main
+ - name: Setup Nix
+ uses: ./.github/actions/setup-nix
 - name: Update flake.lock
 run: nix flake update
From a58e5bbb86fde63b7ea429f47ee5706b61bbd126 Mon Sep 17 00:00:00 2001
From: ryoppippi <1560508+ryoppippi@users.noreply.github.com>
Date: Tue, 23 Dec 2025 10:26:53 +0000
Subject: [PATCH 3/3] ci: pin GitHub Actions with pinact
---
 .github/workflows/dependabot-auto-merge.yaml | 4 ++--
 .github/workflows/nix-flake-update.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
index 0efc08f..1e97e70 100644
--- a/.github/workflows/dependabot-auto-merge.yaml
+++ b/.github/workflows/dependabot-auto-merge.yaml
@@ -18,12 +18,12 @@ jobs:
 steps:
 - name: Fetch Dependabot metadata
 id: metadata
- uses: dependabot/fetch-metadata@v2
+ uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 - name: Wait for CI to pass
- uses: lewagon/wait-on-check-action@v1.3.4
+ uses: lewagon/wait-on-check-action@ccfb013c15c8afb7bf2b7c028fb74dc5a068cccc # v1.3.4
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 running-workflow-name: Dependabot auto-merge
diff --git a/.github/workflows/nix-flake-update.yaml b/.github/workflows/nix-flake-update.yaml
index 58a8875..04b5af5 100644
--- a/.github/workflows/nix-flake-update.yaml
+++ b/.github/workflows/nix-flake-update.yaml
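Review bot: The new `uses: ./.github/actions/setup-nix` line points at a local composite action whose contents are not part of this series, so what it installs and from where cannot be reviewed here; because the workflow's `schedule` trigger runs on the default branch, that directory must exist there and be present after the preceding `Checkout repository` step, which the hunk's ordering satisfies. The follow-up commit pins every third-party action in these workflows by SHA, so whatever installer the composite action wraps should presumably be pinned the same way — otherwise the mutable `@main` reference this hunk removes has only moved one file over. The hunk shows only the `Install Nix`/`Setup Nix` step; the surrounding `update-flake` job continues outside it.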
@@ -15,7 +15,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Setup Nix
 uses: ./.github/actions/setup-nix
@@ -35,7 +35,7 @@ jobs:
 - name: Create Pull Request
 id: create-pr
 if: steps.check-changes.outputs.changed == 'true'
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 commit-message: 'chore(deps): update nix flake inputs'