Add repo-config auto-migration workflow#276
Conversation
Sync the repo-config migration workflow from v0.16.0 and update Dependabot grouping for repo-config and mkdocstrings. This lets repo-config Dependabot PRs use the migration workflow correctly by matching the expected template and avoiding wildcard issues with optional dependencies.

Signed-off-by: Leandro Lucarella <luca-frequenz@llucax.com>
Pull request overview
Adds a dedicated GitHub Actions workflow to run repo-config migrations on Dependabot “repo-config group” PRs, and adjusts Dependabot grouping patterns so repo-config and mkdocstrings updates are grouped/excluded as intended.
Changes:
- Introduces a repo-config-migration workflow triggered via pull_request_target (and merge_group for required-check compatibility) to run migrations and apply labels.
- Refines Dependabot pip grouping/exclusion patterns for frequenz-repo-config (and selected extras) and mkdocstrings.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/repo-config-migration.yaml | New workflow to migrate repo-config changes in Dependabot group PRs using a GitHub App token + migration action. |
| .github/dependabot.yml | Updates grouping/exclusion patterns to correctly handle repo-config and mkdocstrings updates. |
| if: | | ||
| github.event_name == 'pull_request_target' && | ||
| contains(github.event.pull_request.title, 'the repo-config group') | ||
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - name: Generate token | ||
| id: create-app-token | ||
| uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 | ||
| with: | ||
| app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }} | ||
| private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }} |
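Review bot: the App token requested in the Generate token step passes only app-id and private-key, so it is minted with every permission and repository the App installation has. Because this job runs under pull_request_target, scope the token down to what the migration actually needs (the action's permission-* and repositories inputs exist for this, e.g. permission-contents: write and permission-pull-requests: write) so a mis-gated run cannot hand out a broader token than necessary.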
Security: this workflow runs on pull_request_target and immediately generates a GitHub App token from secrets, but the job-level if only checks the PR title. Any external contributor could open a PR with a matching title and trigger this job, exposing a high-privilege token to an untrusted context (even if no PR code is checked out). Tighten the gating to ensure the PR itself was created by Dependabot (e.g., github.event.pull_request.user.login == 'dependabot[bot]', and optionally also validate head.ref/head.repo.full_name) before generating tokens or running the migrate action; also update the header comment that claims gating on github.actor to reflect the actual condition needed for labeled/unlabeled events.
| # The companion auto-dependabot workflow skips repo-config group PRs so | ||
| # they're handled exclusively by the migration workflow. |
The header comment says the companion auto-dependabot workflow “skips repo-config group PRs”, but .github/workflows/auto-dependabot.yaml currently runs for all Dependabot PRs (dependency-type: 'all') with no title/group-based skip. Please either update the comment to match reality, or adjust the companion workflow so repo-config group PRs are actually excluded if that exclusivity is required.
| # The companion auto-dependabot workflow skips repo-config group PRs so | |
| # they're handled exclusively by the migration workflow. | |
| # This workflow runs migrations for Dependabot PRs that update the | |
| # repo-config group. |
| # Skip if it was triggered by the merge queue. We only need the workflow to | ||
| # be executed to meet the "Required check" condition for merging, but we | ||
| # don't need to actually run the job, having the job present as Skipped is | ||
| # enough. | ||
| if: | | ||
| github.event_name == 'pull_request_target' && | ||
| contains(github.event.pull_request.title, 'the repo-config group') | ||
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - name: Generate token | ||
| id: create-app-token | ||
| uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 | ||
| with: | ||
| app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }} | ||
| private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }} | ||
| - name: Migrate |
The job is entirely skipped for merge_group events (if: github.event_name == 'pull_request_target' ...). If this workflow is configured as a required check for the merge queue, a skipped job may not satisfy branch protection/merge queue requirements. In this repo, release-notes-check.yml handles merge_group by running the job but conditionally skipping the step (job still concludes success). Consider a similar pattern here: let the job run on merge_group and short-circuit with a no-op success step, while keeping the migration steps gated to pull_request_target + Dependabot PRs.
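The two review points above (gating token generation on the Dependabot author rather than the PR title, and letting the job run on merge_group as a no-op required check) combined into one job, as an added example that is not the project's workflow. The trigger types, the token permission values and the Migrate step body are assumptions; the migration action itself is not shown on the page and is left as a labelled placeholder.

```yaml
name: repo-config migration (hardened gating example)

on:
  pull_request_target:
    types: [opened, synchronize, reopened, labeled, unlabeled]  # assumed
  merge_group:

permissions:
  contents: read  # GITHUB_TOKEN stays read-only; the App token does the work

jobs:
  migrate:
    runs-on: ubuntu-24.04
    steps:
      # Merge queue: the job only has to exist and conclude successfully to
      # satisfy the required check, so run a no-op instead of skipping the job.
      - name: No-op for merge queue
        if: github.event_name == 'merge_group'
        run: echo "Merge queue run: nothing to migrate."

      # Mint the token only when the PR is really Dependabot's: author is
      # dependabot[bot], head branch lives in this repository (not a fork),
      # and the title matches the group. The title alone is attacker-controlled
      # and is not a trust boundary.
      - name: Generate token
        if: |
          github.event_name == 'pull_request_target' &&
          github.event.pull_request.user.login == 'dependabot[bot]' &&
          github.event.pull_request.head.repo.full_name == github.repository &&
          contains(github.event.pull_request.title, 'the repo-config group')
        id: create-app-token
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        with:
          app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }}
          private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }}
          # Narrow the installation token (assumed to be enough for the migration)
          permission-contents: write
          permission-pull-requests: write

      # Runs only if the gated step above actually produced a token; a skipped
      # step has outcome 'skipped', so the same gate is enforced without
      # repeating the whole expression.
      - name: Migrate
        if: steps.create-app-token.outcome == 'success'
        # uses: <migration action from the original workflow, not shown here>
        run: echo "placeholder for the repo-config migration action"
```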
| # Skip if it was triggered by the merge queue. We only need the workflow to | |
| # be executed to meet the "Required check" condition for merging, but we | |
| # don't need to actually run the job, having the job present as Skipped is | |
| # enough. | |
| if: | | |
| github.event_name == 'pull_request_target' && | |
| contains(github.event.pull_request.title, 'the repo-config group') | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Generate token | |
| id: create-app-token | |
| uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 | |
| with: | |
| app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }} | |
| private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }} | |
| - name: Migrate | |
| # Run for both pull_request_target and merge_group events. For merge_group | |
| # we only need the job to complete successfully as a required check; the | |
| # actual migration steps remain gated to pull_request_target events for | |
| # repo-config group Dependabot PRs. | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: No-op for merge queue | |
| if: github.event_name == 'merge_group' | |
| run: echo "Merge queue run: skipping repo-config migration steps." | |
| - name: Generate token | |
| if: | | |
| github.event_name == 'pull_request_target' && | |
| contains(github.event.pull_request.title, 'the repo-config group') | |
| id: create-app-token | |
| uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 | |
| with: | |
| app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }} | |
| private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }} | |
| - name: Migrate | |
| if: | | |
| github.event_name == 'pull_request_target' && | |
| contains(github.event.pull_request.title, 'the repo-config group') |
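Review bot: the suggested replacement still gates both the Generate token and Migrate steps on the PR title alone (contains(github.event.pull_request.title, 'the repo-config group')), so it fixes the merge_group problem but keeps the trust gap raised in the other comment; add an author check such as github.event.pull_request.user.login == 'dependabot[bot]' to the Generate token condition, and let Migrate depend on steps.create-app-token.outcome == 'success' instead of repeating the expression.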
Summary
- repo-config-migration.yaml with the exact frequenz-repo-config-python v0.16.0 template
- frequenz-repo-config and mkdocstrings