Batch Dependabot PRs

Leverages https://github.com/Legal-and-General/dependabot-batcher
to create and/or maintain a merged PR (and branch) of all the
Dependabot PRs and close them as they are merged in, leaving a
single Dependabot PR behind.

The Dependabot schedule is set for Sunday at 9:00am and the batcher
workflow is configured to run Sunday at 9:00pm.

All workflows that run on pull requests open have been configured
to ignore branches prefixed with `dependabot/`. Since the dependabot PRs
are all going to be closed and batched there is no need to waste CI
minutes on them. Any new workflows will require the same check to
prevent running on dependabot PRs.

Also adds `cloud.google.com/go/iam` and `github.com/go-webauthn/webauthn`
to the dependabot ignore list because they pull in newer versions of
`cloud.google.com/go/firestore` and `golang.org/x/crypto` which we
cannot use at this time.

.github/dependabot.yml

@@ -4,6 +4,8 @@ updates:
     directory: "/"
     schedule:
       interval: weekly
+      day: "sunday"
+      time: "09:00" # 9am UTC
     ignore:
       # Deprecated APIs, requires manual changes.
       # TODO(xacrimon): Update Firestore and solve deprecations.
@@ -29,6 +31,10 @@ updates:
       - dependency-name: github.com/vulcand/predicate
       # TODO(tross): Update after Firestore is updated
       - dependency-name: google.golang.org/genproto
+      # TODO(tross): Update after Firestore is updated
+      - dependency-name: cloud.google.com/go/iam
+      # TODO(tross): Update after /x/crypto is updated
+      - dependency-name: github.com/go-webauthn/webauthn
     open-pull-requests-limit: 10
     reviewers:
       - codingllama
@@ -39,6 +45,8 @@ updates:
     directory: "/api"
     schedule:
       interval: weekly
+      day: "sunday"
+      time: "09:00" # 9am UTC
     ignore:
       # TODO(codingllama): Allow /x/crypto updates after upstream patch.
       - dependency-name: golang.org/x/crypto
@@ -54,6 +62,8 @@ updates:
     directory: "/"
     schedule:
       interval: weekly
+      day: "sunday"
+      time: "09:00" # 9am UTC
     open-pull-requests-limit: 10
     reviewers:
       - codingllama

.github/workflows/assign.yaml

@@ -30,7 +30,7 @@ permissions:
 jobs:
   auto-request-review:
     name: Auto Request Review
-    if: ${{ !github.event.pull_request.draft }}
+    if: ${{ !github.event.pull_request.draft && !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-latest
     steps:
       # Checkout main branch of shared-workflow repository.

.github/workflows/build-macos.yaml

@@ -19,6 +19,7 @@ on:
 jobs:
   build:
     name: Build on Mac OS
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: macos-12 # TODO(r0mant): Update with large runner when it's available
 
     permissions:

.github/workflows/build-windows.yaml

@@ -18,6 +18,7 @@ on:
 jobs:
   build:
     name: Build on Windows
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: windows-2022-16core
 
     permissions:

.github/workflows/check.yaml

@@ -32,7 +32,7 @@ permissions:
 jobs:
   check-reviews:
     name: Checking reviewers
-    if: ${{ !github.event.pull_request.draft }}
+    if: ${{ !github.event.pull_request.draft && !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-latest
     steps:
       # Checkout main branch of shared-workflow repository.

.github/workflows/cifuzz.yml

@@ -18,6 +18,7 @@ on:
 
 jobs:
   fuzzing:
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     name: Fuzzing
     runs-on: ubuntu-22.04-32core
     permissions:

.github/workflows/codeql.yml

@@ -17,6 +17,7 @@ on:
 jobs:
   analyze:
     name: Analyze
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-22.04-32core
     permissions:
       actions: read

.github/workflows/dependabot-batcher.yaml

@@ -0,0 +1,27 @@
+# This workflow combines all open Dependabot PRs into a single batched
+# PR, links all the Dependabot PRs to the new one, and closes all the
+# Dependabot PRs. The schedule is set to exactly 12 hours after the
+# Dependabot schedule.
+#
+# All workflows that run on PR should be skipped for Dependabot PRs
+# to prevent wasting CI cycles.
+name: 'Dependabot Batcher'
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 21 * * 0' # At 9:00 PM every Sunday
+
+permissions:
+    pull-requests: write
+    contents: write
+
+jobs:
+  dependabot-batcher:
+    name: 'Combine Dependabot PRs'
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Dependabot Batcher'
+        uses: Legal-and-General/[email protected]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }} #required
+          baseBranchName: 'master'

.github/workflows/dependency-review.yaml

@@ -5,6 +5,7 @@ on:
 
 jobs:
   dependency-review:
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     uses: gravitational/shared-workflows/.github/workflows/dependency-review.yaml@main
     permissions:
       contents: read

.github/workflows/doc-tests.yaml

@@ -9,6 +9,7 @@ on:
 jobs:
   doc-tests:
     name: Lint (Docs)
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-latest
 
     permissions:

.github/workflows/integration-tests-non-root.yaml

@@ -16,6 +16,7 @@ on:
 jobs:
   test:
     name: Integration Tests (Non-root)
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-22.04-16core
 
     permissions:

.github/workflows/integration-tests-root.yaml

@@ -16,6 +16,7 @@ on:
 jobs:
   test:
     name: Integration Tests (Root)
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-22.04-16core
 
     permissions:

.github/workflows/label.yaml

@@ -30,7 +30,7 @@ permissions:
 jobs:
   auto-label-pr:
     name: Label Pull Request
-    if: ${{ !github.event.pull_request.draft }}
+    if: ${{ !github.event.pull_request.draft && !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-latest
     steps:
       # Checkout main branch of shared-workflow repository.

.github/workflows/lint.yaml

@@ -8,6 +8,7 @@ on:
 
 jobs:
   lint:
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     name: Lint (Go)
     runs-on: ubuntu-22.04-16core
 

.github/workflows/os-compatibility-test.yaml

@@ -9,6 +9,7 @@ on:
 jobs:
   build:
     name: OS Compatibility Build
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-22.04-16core
 
     permissions:

.github/workflows/unit-tests-code.yaml

@@ -16,6 +16,7 @@ on:
 jobs:
   test:
     name: Unit Tests (Go)
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-22.04-32core
 
     permissions:

.github/workflows/unit-tests-operator.yaml

@@ -18,6 +18,7 @@ on:
 jobs:
   test:
     name: Unit Tests (Operator)
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-22.04-16core
 
     permissions:

.github/workflows/unit-tests-rust.yaml

@@ -16,6 +16,7 @@ on:
 jobs:
   test:
     name: Unit Tests (Rust)
+    if: ${{ !startsWith(github.head_ref, 'dependabot/') }}
     runs-on: ubuntu-latest
 
     permissions: