Batch Dependabot PRs

rosstimothy · rosstimothy · commit 00034ebf17d8 · 2023-01-04T13:59:47.000-05:00
Leverages https://github.com/Legal-and-General/dependabot-batcher to create and/or maintain a merged PR (and branch) of all the Dependabot PRs and close them as they are merged in, leaving a single Dependabot PR behind. The Dependabot schedule is set for Sunday at 9:00am and the batcher workflow is configured to run Sunday at 9:00pm. All workflows that run on pull requests open have been configured to ignore branches prefixed with `dependabot/`. Since the dependabot PRs are all going to be closed and batched there is no need to waste CI minutes on them. Any new workflows will require the same check to prevent running on dependabot PRs.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -4,6 +4,8 @@ updates:
     directory: "/"
     schedule:
       interval: weekly
+      day: "sunday"
+      time: "09:00" # 9am UTC
     ignore:
       # Deprecated APIs, requires manual changes.
       # TODO(xacrimon): Update Firestore and solve deprecations.
@@ -43,6 +45,8 @@ updates:
     directory: "/api"
     schedule:
       interval: weekly
+      day: "sunday"
+      time: "09:00" # 9am UTC
     ignore:
       # TODO(codingllama): Allow /x/crypto updates after upstream patch.
       - dependency-name: golang.org/x/crypto
@@ -58,6 +62,8 @@ updates:
     directory: "/"
     schedule:
       interval: weekly
+      day: "sunday"
+      time: "09:00" # 9am UTC
     open-pull-requests-limit: 10
     reviewers:
       - codingllama
@@ -68,6 +74,8 @@ updates:
     directory: "/lib/srv/desktop/rdp/rdpclient"
     schedule:
       interval: weekly
+      day: "sunday"
+      time: "09:00" # 9am UTC
     open-pull-requests-limit: 10
     reviewers:
       - codingllama
diff --git a/.github/workflows/assign.yaml b/.github/workflows/assign.yaml
@@ -30,7 +30,7 @@ permissions:
 jobs:
   auto-request-review:
     name: Auto Request Review
-    if: ${{ !github.event.pull_request.draft }}
+    if: ${{ !github.event.pull_request.draft && !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-latest
     steps:
       # Checkout main branch of shared-workflow repository.
diff --git a/.github/workflows/build-macos.yaml b/.github/workflows/build-macos.yaml
@@ -29,6 +29,7 @@ on:
 jobs:
   build:
     name: Build on Mac OS
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: macos-12 # TODO(r0mant): Update with large runner when it's available
 
     permissions:
diff --git a/.github/workflows/build-windows.yaml b/.github/workflows/build-windows.yaml
@@ -27,6 +27,7 @@ on:
 jobs:
   build:
     name: Build on Windows
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: windows-2022-16core
 
     permissions:
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
@@ -32,7 +32,7 @@ permissions:
 jobs:
   check-reviews:
     name: Checking reviewers
-    if: ${{ !github.event.pull_request.draft }}
+    if: ${{ !github.event.pull_request.draft && !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-latest
     steps:
       # Checkout main branch of shared-workflow repository.
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
@@ -18,6 +18,7 @@ on:
 
 jobs:
   fuzzing:
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     name: Fuzzing
     runs-on: ubuntu-22.04-32core
     permissions:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -17,6 +17,7 @@ on:
 jobs:
   analyze:
     name: Analyze
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-22.04-32core
     permissions:
       actions: read
diff --git a/.github/workflows/dependabot-batcher.yaml b/.github/workflows/dependabot-batcher.yaml
@@ -0,0 +1,27 @@
+# This workflow combines all open Dependabot PRs into a single batched
+# PR, links all the Dependabot PRs to the new one, and closes all the
+# Dependabot PRs. The schedule is set to exactly 12 hours after the
+# Dependabot schedule.
+#
+# All workflows that run on PR should be skipped for Dependabot PRs
+# to prevent wasting CI cycles.
+name: 'Dependabot Batcher'
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 21 * * 0' # At 9:00 PM every Sunday UTC
+
+permissions:
+    pull-requests: write
+    contents: write
+
+jobs:
+  dependabot-batcher:
+    name: 'Combine Dependabot PRs'
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Dependabot Batcher'
+        uses: Legal-and-General/dependabot-batcher@v1.0.2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }} #required
+          baseBranchName: 'master'
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
@@ -5,6 +5,7 @@ on:
 
 jobs:
   dependency-review:
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     uses: gravitational/shared-workflows/.github/workflows/dependency-review.yaml@main
     permissions:
       contents: read
diff --git a/.github/workflows/doc-tests.yaml b/.github/workflows/doc-tests.yaml
@@ -10,6 +10,7 @@ on:
 jobs:
   doc-tests:
     name: Lint (Docs)
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-latest
 
     permissions:
diff --git a/.github/workflows/integration-tests-non-root.yaml b/.github/workflows/integration-tests-non-root.yaml
@@ -23,6 +23,7 @@ on:
 jobs:
   test:
     name: Integration Tests (Non-root)
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-22.04-16core
 
     permissions:
diff --git a/.github/workflows/integration-tests-root.yaml b/.github/workflows/integration-tests-root.yaml
@@ -23,6 +23,7 @@ on:
 jobs:
   test:
     name: Integration Tests (Root)
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-22.04-16core
 
     permissions:
diff --git a/.github/workflows/label.yaml b/.github/workflows/label.yaml
@@ -30,7 +30,7 @@ permissions:
 jobs:
   auto-label-pr:
     name: Label Pull Request
-    if: ${{ !github.event.pull_request.draft }}
+    if: ${{ !github.event.pull_request.draft && !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-latest
     steps:
       # Checkout main branch of shared-workflow repository.
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -9,6 +9,7 @@ on:
 
 jobs:
   lint:
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     name: Lint (Go)
     runs-on: ubuntu-22.04-16core
 
diff --git a/.github/workflows/os-compatibility-test.yaml b/.github/workflows/os-compatibility-test.yaml
@@ -10,6 +10,7 @@ on:
 jobs:
   build:
     name: OS Compatibility Build
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-22.04-16core
 
     permissions:
diff --git a/.github/workflows/unit-tests-code.yaml b/.github/workflows/unit-tests-code.yaml
@@ -23,6 +23,7 @@ on:
 jobs:
   test:
     name: Unit Tests (Go)
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-22.04-32core
 
     permissions:
diff --git a/.github/workflows/unit-tests-operator.yaml b/.github/workflows/unit-tests-operator.yaml
@@ -27,6 +27,7 @@ on:
 jobs:
   test:
     name: Unit Tests (Operator)
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-22.04-16core
 
     permissions:
diff --git a/.github/workflows/unit-tests-rust.yaml b/.github/workflows/unit-tests-rust.yaml
@@ -23,6 +23,7 @@ on:
 jobs:
   test:
     name: Unit Tests (Rust)
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-latest
 
     permissions:
