From 54720bd79767f2ef704288ae0e86616c23e63ec7 Mon Sep 17 00:00:00 2001
From: Andres Contreras
Date: Tue, 10 Feb 2026 19:24:02 +0100
Subject: [PATCH 1/7] ci: add semver filtering to Dependabot auto-merge (patch/minor only)
---
 .github/workflows/dependabot-auto-merge.yml | 32 +++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 .github/workflows/dependabot-auto-merge.yml
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
new file mode 100644
index 0000000..26085a8
--- /dev/null
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,32 @@
+name: Dependabot Auto-Merge
+
+on: pull_request
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ dependabot:
+ runs-on: ubuntu-latest
+ if: github.actor == 'dependabot[bot]'
+ steps:
+ - name: Fetch Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v2
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Approve patch and minor updates
+ if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
+ run: gh pr review --approve "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Auto-merge patch and minor updates
+ if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
+ run: gh pr merge --auto --squash "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 7fa66317fdb3c0b4bed8d8cfba467ca9b4845dfb Mon Sep 17 00:00:00 2001
From: Andres Contreras
Date: Tue, 10 Feb 2026 19:28:13 +0100
Subject: [PATCH 2/7] ci: configure Dependabot version updates targeting develop
---
 .github/dependabot.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 .github/dependabot.yml
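Review bot: `gh pr merge --auto --squash` in the last step queues the merge to fire as soon as branch protection on `develop` is satisfied, so unless `build / build` (the status context the Dependabot CI workflow posts later in this series) is configured as a required status check, a patch/minor PR can be approved and merged with no build result at all; confirm that rule exists or make this job depend on the build. The job-level guard `github.actor == 'dependabot[bot]'` identifies who triggered the run rather than who opened the PR; GitHub's own Dependabot automation examples pair it with `github.event.pull_request.user.login == 'dependabot[bot]'`, which is worth adding to the same `if:`. The two steps repeat the identical semver condition verbatim; both commands can sit under one step with a single `if:` and `run: |` holding `gh pr review --approve "$PR_URL"` followed by `gh pr merge --auto --squash "$PR_URL"`, so the filter is stated once.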
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..c673eaf
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,18 @@
+version: 2
+updates:
+ - package-ecosystem: "maven"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ target-branch: "develop"
+ open-pull-requests-limit: 5
+ groups:
+ minor-and-patch:
+ update-types:
+ - "minor"
+ - "patch"
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ target-branch: "develop"
From 3c7b92f2ce1891abd0bf2ff3dcdba4e5e1c09738 Mon Sep 17 00:00:00 2001
From: Andres Contreras
Date: Tue, 10 Feb 2026 19:38:49 +0100
Subject: [PATCH 3/7] ci: add pull_request_target trigger for Dependabot CI compatibility
---
 .github/workflows/ci.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e9f817d..83785e6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,8 @@ on:
 branches: [develop]
 pull_request:
 branches: [develop, main]
+ pull_request_target:
+ branches: [develop, main]
 workflow_dispatch:
 inputs:
 triggered-by:
@@ -12,7 +14,8 @@ on:
 type: string
 jobs:
 build:
+ if: github.event_name \!= 'pull_request_target' || github.actor == 'dependabot[bot]'
 uses: fireflyframework/.github/.github/workflows/java-ci.yml@main
 with:
 java-version: '25'
-
+ checkout-ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
From 8256a69c399b23dd740c463dc97263dd266729d6 Mon Sep 17 00:00:00 2001
From: Andres Contreras
Date: Tue, 10 Feb 2026 19:52:36 +0100
Subject: [PATCH 4/7] ci: revert ci.yml to original triggers (pull_request_target moved to separate file)
---
 .github/workflows/ci.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 83785e6..3beaf0c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
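Review bot: The `github-actions` entry has no `groups` stanza, so every action bump arrives as its own PR while Maven minors and patches are batched under `minor-and-patch`; adding the same group to the second entry keeps the two ecosystems consistent and reduces the PR volume the auto-merge workflow has to process. `target-branch: "develop"` redirects version updates only; as far as I recall the Dependabot docs, security updates are still raised against the default branch, so confirm `main` is covered by the intended policy rather than assuming this file handles it.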
@@ -4,8 +4,6 @@ on:
 branches: [develop]
 pull_request:
 branches: [develop, main]
- pull_request_target:
- branches: [develop, main]
 workflow_dispatch:
 inputs:
 triggered-by:
@@ -14,8 +12,6 @@ on:
 type: string
 jobs:
 build:
- if: github.event_name \!= 'pull_request_target' || github.actor == 'dependabot[bot]'
 uses: fireflyframework/.github/.github/workflows/java-ci.yml@main
 with:
 java-version: '25'
- checkout-ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
From 1c663790b8dbf4aa02253f3b20e7e413c668e8eb Mon Sep 17 00:00:00 2001
From: Andres Contreras
Date: Tue, 10 Feb 2026 19:53:09 +0100
Subject: [PATCH 5/7] ci: add separate Dependabot CI workflow using pull_request_target
---
 .github/workflows/dependabot-ci.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 .github/workflows/dependabot-ci.yml
diff --git a/.github/workflows/dependabot-ci.yml b/.github/workflows/dependabot-ci.yml
new file mode 100644
index 0000000..9c3408a
--- /dev/null
+++ b/.github/workflows/dependabot-ci.yml
@@ -0,0 +1,12 @@
+name: Dependabot CI
+on:
+ pull_request_target:
+ branches: [develop, main]
+jobs:
+ build:
+ if: github.actor == 'dependabot[bot]'
+ uses: fireflyframework/.github/.github/workflows/java-ci.yml@main
+ with:
+ java-version: '25'
+ checkout-ref: ${{ github.event.pull_request.head.sha }}
+ trigger-downstream: false
From 5fd124c4718d470233e7778bb32b7baade2d8d8f Mon Sep 17 00:00:00 2001
From: Andres Contreras
Date: Tue, 10 Feb 2026 20:01:06 +0100
Subject: [PATCH 6/7] ci: inline Dependabot CI build (cross-repo reusable workflows unsupported for Dependabot)
---
 .github/workflows/dependabot-ci.yml | 80 +++++++++++++++++++++++++++--
 1 file changed, 75 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/dependabot-ci.yml b/.github/workflows/dependabot-ci.yml
index 9c3408a..25bfe12 100644
--- a/.github/workflows/dependabot-ci.yml
+++ b/.github/workflows/dependabot-ci.yml
@@ -2,11 +2,81 @@ name: Dependabot CI on: pull_request_target: branches: [develop, main] + +permissions: + contents: read + packages: read + statuses: write + jobs: build: + runs-on: ubuntu-latest if: github.actor == 'dependabot[bot]' - uses: fireflyframework/.github/.github/workflows/java-ci.yml@main - with: - java-version: '25' - checkout-ref: ${{ github.event.pull_request.head.sha }} - trigger-downstream: false + steps: + - name: Checkout PR code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Set up JDK 25 + uses: actions/setup-java@v4 + with: + java-version: '25' + distribution: temurin + cache: maven + + - name: Configure GitHub Packages + run: | + mkdir -p ~/.m2 + cat > ~/.m2/settings.xml << 'EOF' + + + + github + ${env.GITHUB_ACTOR} + ${env.GITHUB_TOKEN} + + + + + github-packages + + + github + https://maven.pkg.github.com/fireflyframework/fireflyframework-parent + true + true + + + + + + github-packages + + + EOF + + - name: Build with Maven + run: mvn -B verify + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Report build status + if: always() + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + if [ "${{ job.status }}" = "success" ]; then + STATE="success" + DESC="Dependabot build passed" + else + STATE="failure" + DESC="Dependabot build failed" + fi + gh api "repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }}" \ + -f state="$STATE" \ + -f context="build / build" \ + -f description="$DESC" \ + -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" From fe392b02360754bf79014640190d5da25d923740 Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 20:33:25 +0100 Subject: [PATCH 7/7] ci: grant actions:write permission in caller for DAG orchestrator --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) 
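Review bot: Under `pull_request_target` the job checks out `github.event.pull_request.head.sha` and then runs `mvn -B verify` with `GITHUB_TOKEN` in the environment, so the PR branch's `pom.xml` and whatever plugins it declares execute with the base repository's token, and `if: github.actor == 'dependabot[bot]'` is the only gate — it tests who triggered the run, not who opened the PR or where the branch lives. Tighten it to `if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository`, which is safe because Dependabot branches always live in this repository, and keep the `permissions` block as written since it already holds the token to read plus `statuses: write`. `actions/checkout@v4` and `actions/setup-java@v4` are mutable tags; pinning them to full commit SHAs (tag kept in a trailing comment) lets the `github-actions` Dependabot entry from patch 2 keep them current. The `gh api` call in the last step publishes under `context="build / build"`, presumably to match the check name the reusable `java-ci` workflow reports on normal PRs; a comment above it, `# Same context as the java-ci reusable workflow so branch protection sees one check`, would make that coupling explicit. The same trigger-plus-head-checkout shape was introduced in patches 3 and 5 before being inlined here.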
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3beaf0c..6614de5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,5 +13,9 @@ on:
 jobs:
 build:
 uses: fireflyframework/.github/.github/workflows/java-ci.yml@main
+ permissions:
+ packages: read
+ contents: read
+ actions: write
 with:
 java-version: '25'
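Review bot: The new `permissions` block grants `actions: write` to a reusable workflow referenced as `java-ci.yml@main`, so anyone who can change `main` of `fireflyframework/.github` immediately gains the ability to dispatch or cancel workflow runs in this repository; pin the reference to a release tag or full commit SHA, e.g. `uses: fireflyframework/.github/.github/workflows/java-ci.yml@<pinned-sha>`, and let the `github-actions` Dependabot entry bump it. `actions: write` is also much broader than the neighbouring `contents: read`/`packages: read`, and nothing in the file says why it is needed; a comment above the key, `# actions: write — required by the java-ci DAG orchestrator to trigger downstream runs`, ties the grant to the commit message so a later reviewer does not trim it.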