From e681ceb41ef167483f7f203a3fcca028d69d0e7e Mon Sep 17 00:00:00 2001 From: Cory Hall <43035978+corymhall@users.noreply.github.com> Date: Tue, 14 Nov 2023 13:30:37 -0500 Subject: [PATCH] chore: enable auto-merge & merge-group (#11) Fixes # --- .gitattributes | 2 + .github/workflows/auto-approve.yml | 21 ++++++++++ .github/workflows/auto-merge.yml | 22 +++++++++++ .github/workflows/build.yml | 3 ++ .github/workflows/upgrade-main.yml | 3 +- .gitignore | 2 + .projen/files.json | 2 + .projenrc.ts | 63 +++++++++++++++++++++++++++++- package.json | 2 +- yarn.lock | 14 +++++-- 10 files changed, 126 insertions(+), 8 deletions(-) create mode 100644 .github/workflows/auto-approve.yml create mode 100644 .github/workflows/auto-merge.yml diff --git a/.gitattributes b/.gitattributes index 69a90e3..8967b84 100644 --- a/.gitattributes +++ b/.gitattributes @@ -4,6 +4,8 @@ /.eslintrc.json linguist-generated /.gitattributes linguist-generated /.github/pull_request_template.md linguist-generated +/.github/workflows/auto-approve.yml linguist-generated +/.github/workflows/auto-merge.yml linguist-generated /.github/workflows/build.yml linguist-generated /.github/workflows/pull-request-lint.yml linguist-generated /.github/workflows/release.yml linguist-generated diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml new file mode 100644 index 0000000..8a346be --- /dev/null +++ b/.github/workflows/auto-approve.yml @@ -0,0 +1,21 @@ +# ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen". + +name: auto-approve +on: + pull_request_target: + types: + - labeled + - opened + - synchronize + - reopened + - ready_for_review +jobs: + approve: + runs-on: ubuntu-latest + permissions: + pull-requests: write + if: contains(github.event.pull_request.labels.*.name, 'auto-approve') && (github.event.pull_request.user.login == 'corymhall') + steps: + - uses: hmarr/auto-approve-action@v2.2.1 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} 
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml new file mode 100644 index 0000000..e5d6b52 --- /dev/null +++ b/.github/workflows/auto-merge.yml @@ -0,0 +1,22 @@ +# ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen". + +name: auto-merge +on: + pull_request_target: + types: + - opened + - reopened + - ready_for_review +jobs: + enableAutoMerge: + name: "Set AutoMerge on PR #${{ github.event.number }}" + runs-on: ubuntu-latest + permissions: + pull-requests: write + contents: write + steps: + - uses: peter-evans/enable-pull-request-automerge@v2 + with: + token: ${{ secrets.GITHUB_TOKEN }} + pull-request-number: ${{ github.event.number }} + merge-method: SQUASH diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5779578..ca2db6e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -4,6 +4,9 @@ name: build on: pull_request: {} workflow_dispatch: {} + merge_group: + branches: + - main jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/upgrade-main.yml b/.github/workflows/upgrade-main.yml index ca287c3..8f040f7 100644 --- a/.github/workflows/upgrade-main.yml +++ b/.github/workflows/upgrade-main.yml @@ -4,7 +4,7 @@ name: upgrade-main on: workflow_dispatch: {} schedule: - - cron: 0 0 * * * + - cron: 0 0 * * 1 jobs: upgrade: name: Upgrade @@ -77,6 +77,7 @@ jobs: *Automatically created by projen via the "upgrade-main" workflow* branch: github-actions/upgrade-main title: "chore(deps): upgrade dependencies" + labels: auto-approve body: |- Upgrades project dependencies. See details in [workflow run]. diff --git a/.gitignore b/.gitignore index b601800..3513f91 100644 --- a/.gitignore +++ b/.gitignore @@ -4,6 +4,7 @@ !/.projen/deps.json !/.projen/files.json !/.github/workflows/pull-request-lint.yml +!/.github/workflows/auto-approve.yml !/package.json !/LICENSE !/.npmignore 
@@ -49,3 +50,4 @@ junit.xml !/.eslintrc.json !/dist/ !/action.yml +!/.github/workflows/auto-merge.yml diff --git a/.projen/files.json b/.projen/files.json index 8f99809..263a208 100644 --- a/.projen/files.json +++ b/.projen/files.json @@ -3,6 +3,8 @@ ".eslintrc.json", ".gitattributes", ".github/pull_request_template.md", + ".github/workflows/auto-approve.yml", + ".github/workflows/auto-merge.yml", ".github/workflows/build.yml", ".github/workflows/pull-request-lint.yml", ".github/workflows/release.yml", diff --git a/.projenrc.ts b/.projenrc.ts index fcc30c7..1c37fb9 100644 --- a/.projenrc.ts +++ b/.projenrc.ts @@ -1,5 +1,5 @@ -import { typescript } from 'projen'; -import { Transform } from 'projen/lib/javascript'; +import { github, typescript } from 'projen'; +import { Transform, UpgradeDependenciesSchedule } from 'projen/lib/javascript'; import { JsonPatch } from 'projen/lib/json-patch'; import { GitHubActionTypeScriptProject, RunsUsing } from 'projen-github-action-typescript'; const project = new GitHubActionTypeScriptProject({ @@ -9,6 +9,16 @@ const project = new GitHubActionTypeScriptProject({ authorName: 'Cory Hall', name: 'cdk-diff-action', projenrcTs: true, + depsUpgradeOptions: { + workflowOptions: { + labels: ['auto-approve'], + schedule: UpgradeDependenciesSchedule.WEEKLY, + }, + }, + autoApproveOptions: { + label: 'auto-approve', + allowedUsernames: ['corymhall'], + }, actionMetadata: { author: 'Cory Hall', branding: { @@ -68,6 +78,7 @@ const project = new GitHubActionTypeScriptProject({ minNodeVersion: '18.12.0', }); + const projenProject = project as unknown as typescript.TypeScriptProject; const jestConfig = projenProject.tryFindObjectFile('jest.config.json'); jestConfig?.patch(JsonPatch.remove('/preset')); 
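Review bot: `labels: ['auto-approve']` under `depsUpgradeOptions`, combined with `autoApproveOptions`, means the weekly dependency-upgrade PR is approved by a workflow rather than a person. With the auto-merge job added further down in this file, it can presumably merge without anyone reading the new versions in `yarn.lock`. The required `build` status check then looks like the only remaining control, which deserves a comment at this spot, e.g. `// Upgrade PRs are auto-approved and auto-merged; branch protection on main must require the build check.` The generated `auto-approve.yml` in this commit gates on `github.event.pull_request.user.login == 'corymhall'`, so approval only happens if the upgrade workflow opens its PR as that user; the token it uses is not shown in this diff and is worth confirming. The options object starts and ends outside the hunk.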
@@ -77,4 +88,52 @@ jestConfig?.patch(JsonPatch.add('/transform', { })); const actionYml = project.tryFindObjectFile('action.yml'); actionYml?.addOverride('runs.using', 'node20'); + +// setup merge queue +project.github?.tryFindWorkflow('build')?.on({ + mergeGroup: { + branches: ['main'], + }, +}); + +const autoMergeJob: github.workflows.Job = { + name: 'Set AutoMerge on PR #${{ github.event.number }}', + runsOn: ['ubuntu-latest'], + permissions: { + pullRequests: github.workflows.JobPermission.WRITE, + contents: github.workflows.JobPermission.WRITE, + }, + steps: [ + { + uses: 'peter-evans/enable-pull-request-automerge@v2', + with: { + 'token': '${{ secrets.GITHUB_TOKEN }}', + 'pull-request-number': '${{ github.event.number }}', + 'merge-method': 'SQUASH', + }, + }, + ], +}; + +const workflow = projenProject.github?.addWorkflow('auto-merge'); +workflow?.on({ + // The 'pull request' event gives the workflow 'read-only' permissions on some + // pull requests (such as the ones from dependabot) when using the `GITHUB_TOKEN` + // security token. This prevents the workflow from approving these pull requests. + // Github has placed this guard so as to prevent security attacks by simply opening + // a pull request and triggering a workflow on a commit that was not vetted to make + // unintended changes to the repository. + // + // Instead use the 'pull request target' event here that gives the Github workflow + // 'read-write' permissions. This is safe because, this event, unlike the 'pull request' + // event references the BASE commit of the pull request and not the HEAD commit. + // + // We only enable auto-merge when a PR is opened, reopened or moving from Draft to Ready. + // That way a user can always disable auto-merge if they want to and the workflow will + // not automatically re-enable it, unless one of the events occurs. 
+ pullRequestTarget: { + types: ['opened', 'reopened', 'ready_for_review'], + }, +}); +workflow?.addJobs({ enableAutoMerge: autoMergeJob }); project.synth(); diff --git a/package.json b/package.json index 0cedc0d..bc8c186 100644 --- a/package.json +++ b/package.json @@ -45,7 +45,7 @@ "jest-junit": "^15", "mock-fs": "^5", "npm-check-updates": "^16", - "projen": "^0.76.0", + "projen": "^0.76.27", "projen-github-action-typescript": "^0.0.392", "standard-version": "^9", "ts-jest": "^29.1.1", diff --git a/yarn.lock b/yarn.lock index 73c386c..7c55497 100644 --- a/yarn.lock +++ b/yarn.lock @@ -3021,6 +3021,11 @@ console-control-strings@^1.1.0: resolved "https://registry.yarnpkg.com/console-control-strings/-/console-control-strings-1.1.0.tgz#3d7cf4464db6446ea644bf4b39507f9851008e8e" integrity sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ== +constructs@^10.0.0: + version "10.3.0" + resolved "https://registry.yarnpkg.com/constructs/-/constructs-10.3.0.tgz#4c246fce9cf8e77711ad45944e9fbd41f1501965" + integrity sha512-vbK8i3rIb/xwZxSpTjz3SagHn1qq9BChLEfy5Hf6fB3/2eFbrwt2n9kHwQcS0CPTRBesreeAcsJfMq2229FnbQ== + conventional-changelog-angular@^5.0.12: version "5.0.13" resolved "https://registry.yarnpkg.com/conventional-changelog-angular/-/conventional-changelog-angular-5.0.13.tgz#896885d63b914a70d4934b59d2fe7bde1832b28c" 
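Review bot: The step `uses: 'peter-evans/enable-pull-request-automerge@v2'` in `autoMergeJob` references a third-party action by a movable tag, in a job that runs under `pull_request_target` with `contents: write` and `pull-requests: write`. Whatever that tag points to later runs with a write-scoped token; pinning to a full commit SHA avoids this, e.g. `uses: 'peter-evans/enable-pull-request-automerge@<full-commit-sha>', // v2`. The job also has no `if`, so auto-merge is enabled on every opened PR, including ones from forks. That leaves branch protection (required review and the `build` check) as the only merge gate; those settings are not visible in this diff and should be stated in the comment. The comment above `pullRequestTarget` says the read-only token "prevents the workflow from approving these pull requests", which looks carried over from the auto-approve workflow and should refer to enabling auto-merge here. Its "This is safe" claim also holds only while the job never checks out or runs the PR head, so I would add `// Safe only while this job never checks out or executes code from the PR head.`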
@@ -6163,15 +6168,16 @@ projen@^0.72.28: yaml "^2.2.2" yargs "^17.7.2" -projen@^0.76.0: - version "0.76.0" - resolved "https://registry.yarnpkg.com/projen/-/projen-0.76.0.tgz#9e16e09f1fd873eb5df86c97b7f35645d13032c2" - integrity sha512-j5PFs/cLJhWtb6yTMxFBTgERLO8kPmKfTDKvvtgNwp33W8bykESiznPAEJVOyzpkxKxi9a7qq+jwwDovHK494w== +projen@^0.76.27: + version "0.76.27" + resolved "https://registry.yarnpkg.com/projen/-/projen-0.76.27.tgz#b3b4dace99ef22170b1f2e8a15a9b8a2e655a0e2" + integrity sha512-f/9MibFkrEk1KYIXcvYI9gWQgb0MU6Vhk/vB3L4CxUla8N5BvfihgWHRAlwTTRBiuwOE1/nQ7u/bskurugxCTw== dependencies: "@iarna/toml" "^2.2.5" case "^1.6.3" chalk "^4.1.2" comment-json "4.2.2" + constructs "^10.0.0" conventional-changelog-config-spec "^2.1.0" fast-json-patch "^3.1.1" glob "^8"