This is an automated email from the ASF dual-hosted git repository.
ppkarwasz pushed a commit to branch 2.x
in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
The following commit(s) were added to refs/heads/2.x by this push:
new c6d8dcc358 Generate changelog for Dependabot PRs (#4112)
c6d8dcc358 is described below
commit c6d8dcc358c5794e79230c401e8a31194c119bb5
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Sat May 2 23:52:02 2026 +0200
Generate changelog for Dependabot PRs (#4112)
Wire up the reusable workflows from apache/logging-parent#419 to:
- Generate changelog entries for Dependabot PRs.
- Re-run build checks on the newly created commit.
- Enable auto-merge, which only merges once required checks pass and a
maintainer approves.
Together, these allow merging Dependabot PRs in a single click.
Also add a concurrency setting to `build.yaml` and `codeql-analysis.yaml`
so superseded PR commits stop consuming runners.
---
...odeql-analysis.yaml => analyze-dependabot.yaml} | 31 ++++++-------
.github/workflows/build.yaml | 5 +++
.github/workflows/codeql-analysis.yaml | 5 +++
.github/workflows/process-dependabot.yaml | 51 ++++++++++++++++++++++
4 files changed, 74 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yaml
b/.github/workflows/analyze-dependabot.yaml
similarity index 57%
copy from .github/workflows/codeql-analysis.yaml
copy to .github/workflows/analyze-dependabot.yaml
index 7aaf9ac660..cd991d3637 100644
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/analyze-dependabot.yaml
@@ -15,28 +15,23 @@
# limitations under the License.
#
-name: codeql-analysis
+name: "Dependabot Analyze PR"
on:
- push:
- branches: [ "2.x", "main" ]
pull_request:
- branches: [ "2.x", "main" ]
- schedule:
- - cron: '32 12 * * 5'
-permissions: read-all
+# Default permissions for each job.
+# Additional permissions should be assigned on a per-job basis.
+permissions: { }
jobs:
- analyze:
- uses:
apache/logging-parent/.github/workflows/codeql-analysis-reusable.yaml@gha/v0
- with:
- java-version: |
- 8
- 17
- # Permissions required to publish Security Alerts
- permissions:
- actions: read
- contents: read
- security-events: write
+ analyze-dependabot:
+ # `github.actor` prevents recursive calls when `github-actions[bot]`
pushes to the PR;
+ # `github.event.pull_request.user.login` skips PRs not opened by
Dependabot.
+ if: ${{
+ github.repository == 'apache/logging-log4j2'
+ && github.actor == 'dependabot[bot]'
+ && github.event.pull_request.user.login == 'dependabot[bot]'
+ }}
+ uses:
apache/logging-parent/.github/workflows/analyze-dependabot-reusable.yaml@gha/v0
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 959923248e..5d57675bbe 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -25,6 +25,11 @@ on:
- "release/2*"
pull_request:
+# Cancel in-progress runs when a newer commit lands on the same PR; pushes to
2.x run to completion.
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
permissions: read-all
jobs:
diff --git a/.github/workflows/codeql-analysis.yaml
b/.github/workflows/codeql-analysis.yaml
index 7aaf9ac660..139b2c782c 100644
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
@@ -25,6 +25,11 @@ on:
schedule:
- cron: '32 12 * * 5'
+# Cancel in-progress runs when a newer commit lands on the same PR; pushes to
2.x run to completion.
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
permissions: read-all
jobs:
diff --git a/.github/workflows/process-dependabot.yaml
b/.github/workflows/process-dependabot.yaml
new file mode 100644
index 0000000000..0688b148d3
--- /dev/null
+++ b/.github/workflows/process-dependabot.yaml
@@ -0,0 +1,51 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+name: "Dependabot Process PR"
+
+on:
+ workflow_run:
+ workflows:
+ - "Dependabot Analyze PR"
+ types:
+ - completed
+
+# Default permissions for each job.
+# Additional permissions should be assigned on a per-job basis.
+permissions: { }
+
+jobs:
+
+ process-dependabot:
+ # Skip this workflow on commits not pushed by Dependabot
+ if: ${{
+ github.repository == 'apache/logging-log4j2'
+ && github.actor == 'dependabot[bot]'
+ && github.event.workflow_run.conclusion == 'success'
+ }}
+ uses:
apache/logging-parent/.github/workflows/process-dependabot-reusable.yaml@gha/v0
+ permissions:
+ # The default GITHUB_TOKEN will be used to enable the "auto-merge" on
the PR
+ # This requires the following two permissions:
+ contents: write
+ pull-requests: write
+ secrets:
+ # This token will be used to push new content to the repo and trigger
workflows again
+ RECURSIVE_TOKEN: ${{ secrets.DEPENDABOT_TOKEN }}
+ with:
+ # The path to the changelog directory for the current development branch.
+ changelog-path: src/changelog/.2.x.x
