janhoy commented on code in PR #2880: URL: https://github.com/apache/solr/pull/2880#discussion_r1850477067
########## .github/workflows/gradle-precommit.yml: ########## 
@@ -1,17 +1,80 @@ name: Gradle Precommit -on: +on: pull_request: branches: - 'main' - 'branch_*' jobs: + # Dependabot job that runs only for dependabot PRs + # This job is writing locks, updates checksums, and commits the changes on the dependabot PRs. + dependabot: + name: gradle check + + runs-on: ubuntu-latest + + # Run only on dependabot PRs (see dependabot-actions.yml) + if: github.actor == 'dependabot[bot]' + + env: + DEVELOCITY_ACCESS_KEY: ${{ secrets.GE_ACCESS_TOKEN }} + + # Give the default GITHUB_TOKEN write permission to commit + # and push the changed files back to the repository. + permissions: + contents: write + + steps: + - name: Checkout project + uses: actions/checkout@v4 + with: + ref: ${{ github.head_ref }} + + - name: Set up JDK + uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: 21 + java-package: jdk + + - name: Setup Gradle + uses: gradle/actions/setup-gradle@v4 + + - name: Grant execute permission for gradlew + run: chmod +x gradlew + + - name: Use Gradle cache + uses: actions/cache@v4 + with: + path: | + ~/.gradle/caches + key: ${{ runner.os }}-gradle-precommit-${{ hashFiles('versions.lock') }} + restore-keys: | + ${{ runner.os }}-gradle-precommit- + ${{ runner.os }}-gradle- + + - name: Write locks + run: ./gradlew writeLocks + + - name: Update licenses / checksums + run: ./gradlew updateLicenses + + - name: Commit and push changes + uses: stefanzweifel/git-auto-commit-action@v5.0.1 + with: + commit_message: Write locks and update checksums + branch: ${{ github.head_ref }} Review Comment: The ASF has a policy that only committers shall commit to the main repo. But they have made an explicit exception for Dependabot, since it is vetted and trusted. I suppose our own PR workflows could since it is strictly to PR branches only. But should we reconsider relying on a 3rd party action `stefanzweifel` to perform the commit? Alternatively, is there a way to limit the `permissions.content: write` to only this PR branch? 
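Review bot: the final step of the hunk pulls `stefanzweifel/git-auto-commit-action@v5.0.1` by a mutable version tag while the whole job holds `permissions: contents: write`, so a retagged or compromised release of that action would run with push rights on the PR branch, which is the supply-chain exposure the review comment raises. Pin the action to a full-length commit SHA taken from its release (e.g. `uses: stefanzweifel/git-auto-commit-action@<full-commit-sha> # v5.0.1`), or remove the third-party dependency altogether by doing the commit in a plain `run:` step (`git add -A && git commit -m "Write locks and update checksums" && git push`), which keeps the write-scoped `GITHUB_TOKEN` inside first-party steps only. Note that `contents: write` is granted job-wide, so the same pinning discipline applies to any further non-`actions/*` step added to this job later.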
In the event of a supply-chain attack on the `stefanzweifel` action, we could be at risk. Do we need to check with Infra? ########## .github/workflows/gradle-precommit.yml: ########## @@ -1,17 +1,80 @@ name: Gradle Precommit -on: +on: pull_request: branches: - 'main' - 'branch_*' jobs: + # Dependabot job that runs only for dependabot PRs + # This job is writing locks, updates checksums, and commits the changes on the dependabot PRs. + dependabot: + name: gradle check Review Comment: Find a better name for the job? -- This is an automated message from the Apache Git Service.
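Review bot: the display name `name: gradle check` does not describe what the job does (its steps run `./gradlew writeLocks` and `./gradlew updateLicenses`, not the `check` task), and the comment above it mixes tenses ("is writing locks, updates checksums, and commits"). Suggest `name: Dependabot - write locks and update checksums` and rewording the comment to `# This job writes locks, updates checksums, and commits the changes on the dependabot PRs.` so both the job list in the Actions UI and the inline comment say what the job actually commits.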