From ca477050dece8e0f4a628abad67ad79e084a298f Mon Sep 17 00:00:00 2001 
From: Chris Sidi
Date: Wed, 17 Jul 2024 11:09:50 -0400
Subject: [PATCH 1/2] fix: Use `include-workspace-root` for `/main` in Post Dependabot (#462)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`steps.metadata.outputs.directory` is set to `/main`, not `/`, when `package.json` is at the root of the repository. I suspect adding `target-branch` to `dependabot.yml` (#330) added a `main` segment to Dependabot PR branch names, which changed the value of `steps.metadata.outputs.directory`.

By fixing this issue, we shouldn't need to routinely use stafftools to fix up template-oss Dependabot PRs. 🤞🏼

I couldn't quickly find a `bump @npmcli/template-oss` Dependabot PR for a workspace to inspect `steps.metadata.outputs.directory` and fix workspaces support. If that's important, we may want to either enable Dependabot for `npm/cli` or create a separate `template-oss-test` repo. It's not clear if Dependabot will create a PR for `workspace/test-workspace` upon our next release.

### Example Dependabot PR branch names

The first PR updates just `@npmcli/template-oss`. The second updates multiple dependencies including `@npmcli/template-oss`.
PR | branch name | segments | steps.metadata.outputs.directory -|-|-|- https://github.com/npm/agent/pull/110 | `dependabot/npm_and_yarn/main/npmcli/template-oss-4.23.0` | 5 | `/main` https://github.com/npm/statusboard/pull/877 | `dependabot/npm_and_yarn/main/dependency-updates-4de8b5bfcf` | 4 | `/` ## References Failed "Post Dependabot" run: https://github.com/npm/agent/actions/runs/9963674341/job/27530225303 Fix manually tested here: https://github.com/npm/agent/pull/110/commits/ef85b0854e5ee9c26c289ceeba083edc3339a2bb [branchNameToDirectoryName](https://github.com/dependabot/fetch-metadata/blob/ffa2dc8ffecf17d26f6a81b83f9ef5edd33ba93a/src/dependabot/update_metadata.ts#L31) Bug report: https://github.com/dependabot/fetch-metadata/issues/540 --- .github/actions/create-check/action.yml | 2 +- .github/actions/install-latest-npm/action.yml | 2 +- .github/workflows/post-dependabot.yml | 2 +- SECURITY.md | 2 +- lib/content/SECURITY-md.hbs | 2 +- lib/content/action-create-check-yml.hbs | 2 +- lib/content/action-install-latest-npm-yml.hbs | 2 +- lib/content/post-dependabot-yml.hbs | 5 ++--- lib/util/dependabot.js | 2 +- .../test/apply/source-snapshots.js.test.cjs | 22 +++++++++---------- 10 files changed, 21 insertions(+), 22 deletions(-) diff --git a/.github/actions/create-check/action.yml b/.github/actions/create-check/action.yml index aa24a5b0..d1220c90 100644 --- a/.github/actions/create-check/action.yml +++ b/.github/actions/create-check/action.yml @@ -25,7 +25,7 @@ runs: with: result-encoding: string script: | - const { repo: { owner, repo}, runId, serverUrl } = context + const { repo: { owner, repo}, runId, serverUrl } = context const { JOB_NAME, SHA } = process.env const job = await github.rest.actions.listJobsForWorkflowRun({ diff --git a/.github/actions/install-latest-npm/action.yml b/.github/actions/install-latest-npm/action.yml index 8339dbf0..580603dd 100644 --- a/.github/actions/install-latest-npm/action.yml 
+++ b/.github/actions/install-latest-npm/action.yml @@ -44,7 +44,7 @@ runs: MATCH=$SPEC echo "Found compatible version: npm@$MATCH" break - fi + fi done if [ -z $MATCH ]; then diff --git a/.github/workflows/post-dependabot.yml b/.github/workflows/post-dependabot.yml index a7ebe12d..1ea8693c 100644 --- a/.github/workflows/post-dependabot.yml +++ b/.github/workflows/post-dependabot.yml @@ -49,7 +49,7 @@ jobs: id: flags run: | dependabot_dir="${{ steps.metadata.outputs.directory }}" - if [[ "$dependabot_dir" == "/" ]]; then + if [[ "$dependabot_dir" == "/" || "$dependabot_dir" == "/main" ]]; then echo "workspace=-iwr" >> $GITHUB_OUTPUT else # strip leading slash from directory so it works as a diff --git a/SECURITY.md b/SECURITY.md index 9cd2deaf..4fe06a2a 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,7 +2,7 @@ GitHub takes the security of our software products and services seriously, including the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub). -If you believe you have found a security vulnerability in this GitHub-owned open source repository, you can report it to us in one of two ways. +If you believe you have found a security vulnerability in this GitHub-owned open source repository, you can report it to us in one of two ways. If the vulnerability you have found is *not* [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) or if you do not wish to be considered for a bounty reward, please report the issue to us directly through [opensource-security@github.com](mailto:opensource-security@github.com). diff --git a/lib/content/SECURITY-md.hbs b/lib/content/SECURITY-md.hbs index 2a877aa8..79276315 100644 --- a/lib/content/SECURITY-md.hbs +++ b/lib/content/SECURITY-md.hbs 
@@ -1,6 +1,6 @@ GitHub takes the security of our software products and services seriously, including the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub). -If you believe you have found a security vulnerability in this GitHub-owned open source repository, you can report it to us in one of two ways. +If you believe you have found a security vulnerability in this GitHub-owned open source repository, you can report it to us in one of two ways. If the vulnerability you have found is *not* [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) or if you do not wish to be considered for a bounty reward, please report the issue to us directly through [opensource-security@github.com](mailto:opensource-security@github.com). diff --git a/lib/content/action-create-check-yml.hbs b/lib/content/action-create-check-yml.hbs index 1ac91f97..fe8f10dc 100644 --- a/lib/content/action-create-check-yml.hbs +++ b/lib/content/action-create-check-yml.hbs @@ -23,7 +23,7 @@ runs: with: result-encoding: string script: | - const { repo: { owner, repo}, runId, serverUrl } = context + const { repo: { owner, repo}, runId, serverUrl } = context const { JOB_NAME, SHA } = process.env const job = await github.rest.actions.listJobsForWorkflowRun({ diff --git a/lib/content/action-install-latest-npm-yml.hbs b/lib/content/action-install-latest-npm-yml.hbs index ee423487..c986c18e 100644 --- a/lib/content/action-install-latest-npm-yml.hbs +++ b/lib/content/action-install-latest-npm-yml.hbs @@ -42,7 +42,7 @@ runs: MATCH=$SPEC echo "Found compatible version: npm@$MATCH" break - fi + fi done if [ -z $MATCH ]; then diff --git a/lib/content/post-dependabot-yml.hbs b/lib/content/post-dependabot-yml.hbs index 46cfdc58..6842e490 100644 --- a/lib/content/post-dependabot-yml.hbs +++ b/lib/content/post-dependabot-yml.hbs 
@@ -26,7 +26,7 @@ jobs: id: flags run: | dependabot_dir="$\{{ steps.metadata.outputs.directory }}" - if [[ "$dependabot_dir" == "/" ]]; then + if [[ "$dependabot_dir" == "/" || "$dependabot_dir" == "/{{ releaseBranch }}" ]]; then echo "workspace=-iwr" >> $GITHUB_OUTPUT else # strip leading slash from directory so it works as a @@ -64,7 +64,7 @@ jobs: run: | git commit -am "$\{{ steps.apply.outputs.message }}" git push - + # If the previous step failed, then reset the commit and remove any workflow changes # and attempt to commit and push again. This is helpful because we will have a commit # with the correct prefix that we can then --amend with @npmcli/stafftools later. @@ -98,4 +98,3 @@ jobs: echo "This PR has a breaking change. Run 'npx -p @npmcli/stafftools gh template-oss-fix'" echo "for more information on how to fix this with a BREAKING CHANGE footer." exit 1 - diff --git a/lib/util/dependabot.js b/lib/util/dependabot.js index 38f4dd8e..5e0df40c 100644 --- a/lib/util/dependabot.js +++ b/lib/util/dependabot.js @@ -1,7 +1,7 @@ const { name: NAME } = require('../../package.json') const { minimatch } = require('minimatch') -const parseDependabotConfig = v => (typeof v === 'string' ? { strategy: v } : v ?? {}) +const parseDependabotConfig = v => (typeof v === 'string' ? { strategy: v } : (v ?? {})) module.exports = (config, defaultConfig, branches) => { const { dependabot } = config diff --git a/tap-snapshots/test/apply/source-snapshots.js.test.cjs b/tap-snapshots/test/apply/source-snapshots.js.test.cjs index 27e0be01..667ebcf9 100644 --- a/tap-snapshots/test/apply/source-snapshots.js.test.cjs +++ b/tap-snapshots/test/apply/source-snapshots.js.test.cjs @@ -72,7 +72,7 @@ runs: with: result-encoding: string script: | - const { repo: { owner, repo}, runId, serverUrl } = context + const { repo: { owner, repo}, runId, serverUrl } = context const { JOB_NAME, SHA } = process.env const job = await github.rest.actions.listJobsForWorkflowRun({ 
@@ -146,7 +146,7 @@ runs: MATCH=$SPEC echo "Found compatible version: npm@$MATCH" break - fi + fi done if [ -z $MATCH ]; then @@ -725,7 +725,7 @@ jobs: id: flags run: | dependabot_dir="\${{ steps.metadata.outputs.directory }}" - if [[ "$dependabot_dir" == "/" ]]; then + if [[ "$dependabot_dir" == "/" || "$dependabot_dir" == "/main" ]]; then echo "workspace=-iwr" >> $GITHUB_OUTPUT else # strip leading slash from directory so it works as a @@ -1414,7 +1414,7 @@ SECURITY.md GitHub takes the security of our software products and services seriously, including the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub). -If you believe you have found a security vulnerability in this GitHub-owned open source repository, you can report it to us in one of two ways. +If you believe you have found a security vulnerability in this GitHub-owned open source repository, you can report it to us in one of two ways. If the vulnerability you have found is *not* [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) or if you do not wish to be considered for a bounty reward, please report the issue to us directly through [opensource-security@github.com](mailto:opensource-security@github.com). @@ -1512,7 +1512,7 @@ runs: with: result-encoding: string script: | - const { repo: { owner, repo}, runId, serverUrl } = context + const { repo: { owner, repo}, runId, serverUrl } = context const { JOB_NAME, SHA } = process.env const job = await github.rest.actions.listJobsForWorkflowRun({ @@ -1586,7 +1586,7 @@ runs: MATCH=$SPEC echo "Found compatible version: npm@$MATCH" break - fi + fi done if [ -z $MATCH ]; then 
@@ -2383,7 +2383,7 @@ jobs: id: flags run: | dependabot_dir="\${{ steps.metadata.outputs.directory }}" - if [[ "$dependabot_dir" == "/" ]]; then + if [[ "$dependabot_dir" == "/" || "$dependabot_dir" == "/main" ]]; then echo "workspace=-iwr" >> $GITHUB_OUTPUT else # strip leading slash from directory so it works as a @@ -3099,7 +3099,7 @@ SECURITY.md GitHub takes the security of our software products and services seriously, including the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub). -If you believe you have found a security vulnerability in this GitHub-owned open source repository, you can report it to us in one of two ways. +If you believe you have found a security vulnerability in this GitHub-owned open source repository, you can report it to us in one of two ways. If the vulnerability you have found is *not* [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) or if you do not wish to be considered for a bounty reward, please report the issue to us directly through [opensource-security@github.com](mailto:opensource-security@github.com). @@ -3300,7 +3300,7 @@ runs: with: result-encoding: string script: | - const { repo: { owner, repo}, runId, serverUrl } = context + const { repo: { owner, repo}, runId, serverUrl } = context const { JOB_NAME, SHA } = process.env const job = await github.rest.actions.listJobsForWorkflowRun({ @@ -3374,7 +3374,7 @@ runs: MATCH=$SPEC echo "Found compatible version: npm@$MATCH" break - fi + fi done if [ -z $MATCH ]; then @@ -3907,7 +3907,7 @@ jobs: id: flags run: | dependabot_dir="\${{ steps.metadata.outputs.directory }}" - if [[ "$dependabot_dir" == "/" ]]; then + if [[ "$dependabot_dir" == "/" || "$dependabot_dir" == "/main" ]]; then echo "workspace=-iwr" >> $GITHUB_OUTPUT else # strip leading slash from directory so it works as a From 4ef5cf6be626cb5265486420634ad231832540ab Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 17 Jul 2024 08:29:17 -0700 Subject: [PATCH 2/2] chore: release 4.23.1 (#463) :robot: I have created a release *beep* *boop* --- ## [4.23.1](https://github.com/npm/template-oss/compare/v4.23.0...v4.23.1) (2024-07-17) ### Bug Fixes * [`ca47705`](https://github.com/npm/template-oss/commit/ca477050dece8e0f4a628abad67ad79e084a298f) [#462](https://github.com/npm/template-oss/pull/462) Use `include-workspace-root` for `/main` in Post Dependabot (#462) (@hashtagchris) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .release-please-manifest.json | 2 +- CHANGELOG.md | 6 ++++++ package.json | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/.release-please-manifest.json b/.release-please-manifest.json index 6d801fc2..4bf86e39 100644 --- a/.release-please-manifest.json +++ b/.release-please-manifest.json @@ -1,3 +1,3 @@ { - ".": "4.23.0" + ".": "4.23.1" } diff --git a/CHANGELOG.md b/CHANGELOG.md index 5c3b14cb..51b6f84c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ # Changelog +## [4.23.1](https://github.com/npm/template-oss/compare/v4.23.0...v4.23.1) (2024-07-17) + +### Bug Fixes + +* [`ca47705`](https://github.com/npm/template-oss/commit/ca477050dece8e0f4a628abad67ad79e084a298f) [#462](https://github.com/npm/template-oss/pull/462) Use `include-workspace-root` for `/main` in Post Dependabot (#462) (@hashtagchris) + ## [4.23.0](https://github.com/npm/template-oss/compare/v4.22.0...v4.23.0) (2024-06-27) ### Features diff --git a/package.json b/package.json index e1a0b0bd..518dfb26 100644 --- a/package.json +++ b/package.json 
@@ -1,6 +1,6 @@ { "name": "@npmcli/template-oss", - "version": "4.23.0", + "version": "4.23.1", "description": "templated files used in npm CLI team oss projects", "main": "lib/content/index.js", "bin": {
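Review bot: In the `.github/workflows/post-dependabot.yml` hunk (`@@ -49,7 +49,7 @@`), only the root case is extended; the `else` branch still strips just the leading slash and uses the remainder as the workspace path, so if the new `main` segment also appears for workspace PRs (the message says this could not be verified), a directory such as `/main/workspace/test-workspace` would become `main/workspace/test-workspace` and the workspace flag would point at a path that does not exist. Normalizing once before the test covers both cases without a second comparison, e.g. `case "$dependabot_dir" in /main) dependabot_dir=/ ;; /main/*) dependabot_dir="${dependabot_dir#/main}" ;; esac` ahead of the existing `if [[ "$dependabot_dir" == "/" ]]; then`. The same applies to the template hunk in `lib/content/post-dependabot-yml.hbs`, where `main` is `{{ releaseBranch }}`.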
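Review bot: The template hunk in `lib/content/post-dependabot-yml.hbs` (`@@ -26,7 +26,7 @@`) compares against a single `/{{ releaseBranch }}`, but the message attributes the extra segment to `target-branch` in `dependabot.yml`; a repository whose `dependabot.yml` targets more than one branch would see `/<other-branch>` for PRs against those branches and fall into the `else` path. If multiple target branches are in scope, consider matching on the PR's actual base branch (for example `${{ github.base_ref }}`, which GitHub Actions sets for `pull_request` events) instead of a templated constant, and add a test fixture for a non-`main` release branch so the snapshots do not only exercise `/main`.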
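Review bot: The `.github/actions/create-check/action.yml` hunk (`@@ -25,7 +25,7 @@`) only removes trailing whitespace from `const { repo: { owner, repo}, runId, serverUrl } = context`, which is unrelated to the `/main` fix in the subject; the same whitespace-only edits appear in the `install-latest-npm`, `SECURITY.md` and `.hbs` siblings and in the snapshots. Since the line is being touched anyway, `repo}` could take the space before the brace that `{ JOB_NAME, SHA }` on the next line uses, and the whitespace cleanup would sit better in a separate `chore:` commit so `git blame` on the fix stays focused.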
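Review bot: In the `lib/util/dependabot.js` hunk (`@@ -1,7 +1,7 @@`), wrapping `v ?? {}` in parentheses does not change evaluation: `??` binds tighter than the conditional operator, so `typeof v === 'string' ? { strategy: v } : v ?? {}` already parses as `... : (v ?? {})`. Fine as a readability or lint change, but it is unrelated to the Dependabot directory fix and belongs with the other cleanup rather than in this commit.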
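Review bot: In the `CHANGELOG.md` hunk (`@@ -1,5 +1,11 @@`), the new entry carries the PR number twice, once as the `[#462]` link and again as `(#462)` at the end of the subject; Release Please copies the commit subject of `ca47705` verbatim, so dropping the `(#462)` suffix from the squash-merge title before merging keeps generated entries clean.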