ci: Auto-update composite actions automatically (#5248)

.github/dependabot.yaml

@@ -44,4 +44,129 @@ updates:
       # xref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
       website-deps:
         patterns:
-          - "*"
+          - "*"
+  # Everything under this line is currently auto-generated by hack/github/dependabot.sh
+  # This needs to be generated since composite actions are currently not supported for auto-updates
+  # through dependabot without explicitly setting their directory: https://github.com/dependabot/dependabot-core/issues/6704
+  # If you need to make a change to this file, ensure that you make a change to hack/github/dependabot.sh first
+  # That script assumes that the number of elements above this line is static and bases the append operation on it
+  - package-ecosystem: github-actions
+    directory: .github/actions/authenticate-ghcr
+    schedule:
+      interval: weekly
+    groups:
+      action-deps:
+        patterns:
+          - '*'
+  - package-ecosystem: github-actions
+    directory: .github/actions/commit-status/end
+    schedule:
+      interval: weekly
+    groups:
+      action-deps:
+        patterns:
+          - '*'
+  - package-ecosystem: github-actions
+    directory: .github/actions/commit-status/start
+    schedule:
+      interval: weekly
+    groups:
+      action-deps:
+        patterns:
+          - '*'
+  - package-ecosystem: github-actions
+    directory: .github/actions/download-artifact
+    schedule:
+      interval: weekly
+    groups:
+      action-deps:
+        patterns:
+          - '*'
+  - package-ecosystem: github-actions
+    directory: .github/actions/e2e/cleanup
+    schedule:
+      interval: weekly
+    groups:
+      action-deps:
+        patterns:
+          - '*'
+  - package-ecosystem: github-actions
+    directory: .github/actions/e2e/dump-logs
+    schedule:
+      interval: weekly
+    groups:
+      action-deps:
+        patterns:
+          - '*'
+  - package-ecosystem: github-actions
+    directory: .github/actions/e2e/install-eksctl
+    schedule:
+      interval: weekly
+    groups:
+      action-deps:
+        patterns:
+          - '*'
+  - package-ecosystem: github-actions
+    directory: .github/actions/e2e/install-helm
+    schedule:
+      interval: weekly
+    groups:
+      action-deps:
+        patterns:
+          - '*'
+  - package-ecosystem: github-actions
+    directory: .github/actions/e2e/install-karpenter
+    schedule:
+      interval: weekly
+    groups:
+      action-deps:
+        patterns:
+          - '*'
+  - package-ecosystem: github-actions
+    directory: .github/actions/e2e/install-prometheus
+    schedule:
+      interval: weekly
+    groups:
+      action-deps:
+        patterns:
+          - '*'
+  - package-ecosystem: github-actions
+    directory: .github/actions/e2e/setup-cluster
+    schedule:
+      interval: weekly
+    groups:
+      action-deps:
+        patterns:
+          - '*'
+  - package-ecosystem: github-actions
+    directory: .github/actions/e2e/slack/notify
+    schedule:
+      interval: weekly
+    groups:
+      action-deps:
+        patterns:
+          - '*'
+  - package-ecosystem: github-actions
+    directory: .github/actions/e2e/slack/send-message
+    schedule:
+      interval: weekly
+    groups:
+      action-deps:
+        patterns:
+          - '*'
+  - package-ecosystem: github-actions
+    directory: .github/actions/e2e/upgrade-crds
+    schedule:
+      interval: weekly
+    groups:
+      action-deps:
+        patterns:
+          - '*'
+  - package-ecosystem: github-actions
+    directory: .github/actions/install-deps
+    schedule:
+      interval: weekly
+    groups:
+      action-deps:
+        patterns:
+          - '*'

Makefile

@@ -108,6 +108,7 @@ verify: tidy download ## Verify code. Includes dependencies, linting, formatting
 	cp  $(KARPENTER_CORE_DIR)/pkg/apis/crds/* pkg/apis/crds
 	hack/validation/requirements.sh
 	hack/validation/labels.sh
+	hack/github/dependabot.sh
 	$(foreach dir,$(MOD_DIRS),cd $(dir) && golangci-lint run $(newline))
 	@git diff --quiet ||\
 		{ echo "New file modification detected in the Git working tree. Please check in before commit."; git --no-pager diff --name-only | uniq | awk '{print "  - " $$0}'; \

hack/github/dependabot.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# This script ensures that we get all the directories that contain an "action.yaml" composite action
+# and make sure that we have a dependabot entry for them. Currently, dependabot doesn't support wildcarding
+# composite actions in a way that enables us to set a single entry for them. Instead, you need to grab all directories
+# that contain actions that you want to auto-update and add an entry for each one in "dependabot.yaml"
+# https://github.com/dependabot/dependabot-core/issues/6704
+
+DIRS=($(find .github/actions -name "action.yaml" -type f -print0 | xargs -0 dirname | sort))
+i=3 # Set the index to the starting index after all of the manually configured dependabot entries
+for DIR in "${DIRS[@]}"; do
+  i=$i dir=$DIR yq -i '.updates[env(i)] = {"package-ecosystem": "github-actions", "directory": env(dir), "schedule": {"interval": "weekly"}, "groups": {"action-deps": {"patterns": ["*"]}}}' .github/dependabot.yaml
+  i=$((i+1))
+done