diff --git a/.github/workflows/allowlist.json b/.github/workflows/allowlist.json deleted file mode 100644 index 5b4cc323e94..00000000000 --- a/.github/workflows/allowlist.json +++ /dev/null @@ -1,26 +0,0 @@ -[ - { - "name": "sigs.k8s.io/kustomize/kyaml", - "reason": "the library is only used for CI not in production" - }, - { - "name": "github.com/xlab/treeprint", - "reason": "the library is only used in tests" - }, - { - "name": "github.com/aws/aws-sdk-go", - "reason": "the library is quite stable" - }, - { - "name": "github.com/stretchr/testify", - "reason": "the library is only used in tests" - }, - { - "name": "github.com/hashicorp/golang-lru/v2", - "reason": "stable library, getting bugfixes" - }, - { - "name": "github.com/google/uuid", - "reason": "stable library, getting bugfixes" - } -] \ No newline at end of file diff --git a/.github/workflows/dependabot_reviewer.yml b/.github/workflows/dependabot_reviewer.yml deleted file mode 100644 index 03bbf286321..00000000000 --- a/.github/workflows/dependabot_reviewer.yml +++ /dev/null @@ -1,83 +0,0 @@ -# Auto-merge as documented in official Github docs -# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions - -name: Auto-review Dependabot PRs -on: pull_request_target - -permissions: - pull-requests: write - contents: write - -jobs: - dependabot-reviewer: - runs-on: ubuntu-latest - - if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} - - steps: - - name: Checkout Repository - uses: actions/checkout@v4 - - - name: Dependabot metadata - id: metadata - uses: dependabot/fetch-metadata@v2.2.0 - with: - github-token: "${{ secrets.GITHUB_TOKEN }}" - - - name: Check allowlist - id: check-allowlist - if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' - run: | - cfg_path=".github/workflows/allowlist.json" - IFS=', ' read -r -a libsUpdated <<< "${{ steps.metadata.outputs.dependency-names }}" - # Loop through the array to make sure all updated libraries are in the allowlist - all_in_allowlist="true" - reason_array=() - - # If any element is not in the allowlist, set the flag to false - for lib in "${libsUpdated[@]}"; do - exists=$(jq --arg lib "$lib" 'any(.[]; .name == $lib)' $cfg_path) - if [[ "$exists" != "true" ]]; then - all_in_allowlist="false" - break - else - reason_array+=("$(jq -r --arg lib "$lib" '.[] | select(.name == $lib) | .reason' $cfg_path)") - fi - done - - if [[ "$all_in_allowlist" == "true" ]]; then - reasons=$(IFS=','; echo "${reason_array[*]}") - echo "reasons=$reasons" >> $GITHUB_OUTPUT - echo "allInAllowlist=true" >> $GITHUB_OUTPUT - else - echo "allInAllowlist=false" >> $GITHUB_OUTPUT - fi - - - name: Approve and auto-merge - if: steps.check-allowlist.conclusion == 'success' && steps.check-allowlist.outputs.allInAllowlist == 'true' - run: | - gh pr merge --auto --squash "$PR_URL" - gh pr review $PR_URL \ - --approve -b "**I'm approving** this pull request because it includes a patch or minor \ - update to dependencies that are already in the allowlist. - - The reason this library is in the allowlist is that ${{ steps.check-allowlist.outputs.reasons}}" - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GH_BOT_ACCESS_TOKEN}} - - - name: Manual review is required - if: steps.check-allowlist.conclusion != 'success' || steps.check-allowlist.outputs.allInAllowlist == 'false' - run: | - gh pr comment $PR_URL --body "**This library is not auto-approved** - - Unfortunately, this library is a major version update or it is not included in our allowlist, which means it cannot be auto-approved. \ - If you believe it should be considered for auto-approval, please open a pull request to add \ - it to the allowlist configuration. - - To add this library to the allowlist, please modify the [allowlist.json](https://github.com/grafana/mimir/tree/main/.github/workflows/allowlist.json) file and \ - include the necessary details for review." - - env: - PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} \ No newline at end of file diff --git a/.github/workflows/grafanabot_reviewer.yml b/.github/workflows/grafanabot_reviewer.yml new file mode 100644 index 00000000000..00ba6560ce1 --- /dev/null +++ b/.github/workflows/grafanabot_reviewer.yml @@ -0,0 +1,36 @@ +name: Auto-review Grafanabot PRs +on: pull_request_target + +permissions: + pull-requests: write + contents: write + +jobs: + dependabot-reviewer: + runs-on: ubuntu-latest + + if: ${{ github.event.pull_request.user.login == 'grafanabot' }} + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Approve and auto-merge + id: auto-merge + if: contains(github.event.pull_request.head.ref, 'helm-chart-weekly-') + run: | + gh pr merge --auto --squash "$PR_URL" + gh pr review $PR_URL \ + --approve -b "**I'm approving** this pull request, since it is a helm release." + env: + PR_URL: ${{github.event.pull_request.html_url}} + GITHUB_TOKEN: ${{secrets.GH_BOT_ACCESS_TOKEN}} + + - name: Manual review is required + if: steps.auto-merge.conclusion != 'success' + run: | + gh pr comment $PR_URL --body "**This PR from grafanabot requires manual review.**" + + env: + PR_URL: ${{github.event.pull_request.html_url}} + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} \ No newline at end of file