chore: try Dependabot for security updates (#139)

Security would like everyone to turn on Dependabot for security updates if possible. This is me trying this out for a Projen-based repo to see how well they play with each other. See https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file for more details.
cdktf · Aug 24, 2023 · d354d32 · d354d32
1 parent c54d869
commit d354d32
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 7 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,20 @@
+# NOTE: This file is not managed by Projen because if you enable Dependabot through Projen,
+# it will delete the upgrade-main job and expect you to only use Dependabot for updates.
+# That is not what we want either; we just want to use Dependabot for security updates.
+
+version: 2
+updates:
+  - package-ecosystem: npm
+    versioning-strategy: lockfile-only
+    directory: /
+    schedule:
+      interval: daily
+    ignore:
+      - dependency-name: projen
+    labels:
+      - auto-approve
+      - automerge
+      - dependencies
+      - security
+    # Disable version updates for npm dependencies, only use Dependabot for security updates
+    open-pull-requests-limit: 0
diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml
diff --git a/projenrc/auto-approve.ts b/projenrc/auto-approve.ts
@@ -24,6 +24,7 @@ export class AutoApprove {
     workflow.addJobs({
       approve: {
         runsOn: ["ubuntu-latest"],
+        if: "contains(github.event.pull_request.labels.*.name, 'auto-approve')",
         steps: [
           {
             name: "Checkout PR",
@@ -36,15 +37,15 @@ export class AutoApprove {
           },
           {
             name: "Auto-approve PRs by other users as team-tf-cdk",
-            if: "contains(github.event.pull_request.labels.*.name, 'auto-approve') && (github.event.pull_request.user.login != 'team-tf-cdk')",
+            if: "github.event.pull_request.user.login != 'team-tf-cdk'",
             run: "gh pr review ${{ github.event.pull_request.number }} --approve",
             env: {
               GH_TOKEN: "${{ secrets.PROJEN_GITHUB_TOKEN }}",
             },
           },
           {
             name: "Auto-approve PRs by team-tf-cdk as github-actions[bot]",
-            if: "contains(github.event.pull_request.labels.*.name, 'auto-approve') && (github.event.pull_request.user.login == 'team-tf-cdk')",
+            if: "github.event.pull_request.user.login == 'team-tf-cdk'",
             run: "gh pr review ${{ github.event.pull_request.number }} --approve",
             env: {
               GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}",

diff --git a/yarn.lock b/yarn.lock