From 5c2677d34f127856d9a57fbc2a472024f60cc9d4 Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 18:52:32 +0100 Subject: [PATCH 1/8] ci: update Dependabot auto-merge workflow --- .github/workflows/dependabot-auto-merge.yml | 30 +++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .github/workflows/dependabot-auto-merge.yml diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml new file mode 100644 index 0000000..e96eda6 --- /dev/null +++ b/.github/workflows/dependabot-auto-merge.yml @@ -0,0 +1,30 @@ +name: Dependabot Auto-Merge + +on: pull_request + +permissions: + contents: write + pull-requests: write + +jobs: + dependabot: + runs-on: ubuntu-latest + if: github.actor == 'dependabot[bot]' + steps: + - name: Fetch Dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@v2 + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" + + - name: Approve PR + run: gh pr review --approve "$PR_URL" + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Auto-merge PR + run: gh pr merge --auto --squash "$PR_URL" + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 687f2e823db70f78aca4390e48c56bf75ef5929b Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 19:23:37 +0100 Subject: [PATCH 2/8] ci: add semver filtering to Dependabot auto-merge (patch/minor only) --- .github/workflows/dependabot-auto-merge.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index e96eda6..26085a8 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -17,13 +17,15 @@ jobs: with: github-token: "${{ secrets.GITHUB_TOKEN }}" - - name: Approve PR + - name: Approve patch and minor updates + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' run: gh pr review --approve "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Auto-merge PR + - name: Auto-merge patch and minor updates + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' run: gh pr merge --auto --squash "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} From cdd337fbfa9763b0c565cafd2d559b5173294bee Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 19:28:11 +0100 Subject: [PATCH 3/8] ci: configure Dependabot version updates targeting develop --- .github/dependabot.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..c673eaf --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,18 @@ +version: 2 +updates: + - package-ecosystem: "maven" + directory: "/" + schedule: + interval: "weekly" + target-branch: "develop" + open-pull-requests-limit: 5 + groups: + minor-and-patch: + update-types: + - "minor" + - "patch" + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + target-branch: "develop" From dac2e0dd9c7760d3fd33885a6af38a9fb5060256 Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 19:38:50 +0100 Subject: [PATCH 4/8] ci: add pull_request_target trigger for Dependabot CI compatibility --- .github/workflows/ci.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e9f817d..83785e6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,6 +4,8 @@ on: branches: [develop] pull_request: branches: [develop, main] + pull_request_target: + branches: [develop, main] workflow_dispatch: inputs: triggered-by: @@ -12,7 +14,8 @@ on: type: string jobs: build: + if: github.event_name \!= 'pull_request_target' || github.actor == 'dependabot[bot]' uses: fireflyframework/.github/.github/workflows/java-ci.yml@main with: java-version: '25' - + checkout-ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }} From 08572ba492bddaf1e6f17c6a2f57080e5aae5e81 Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 19:52:38 +0100 Subject: [PATCH 5/8] ci: revert ci.yml to original triggers (pull_request_target moved to separate file) --- .github/workflows/ci.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 83785e6..3beaf0c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,8 +4,6 @@ on: branches: [develop] pull_request: branches: [develop, main] - pull_request_target: - branches: [develop, main] workflow_dispatch: inputs: triggered-by: @@ -14,8 +12,6 @@ on: type: string jobs: build: - if: github.event_name \!= 'pull_request_target' || github.actor == 'dependabot[bot]' uses: fireflyframework/.github/.github/workflows/java-ci.yml@main with: java-version: '25' - checkout-ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }} From fe0ce026b2c5c51ec5cc5b1d6d655bceb7542f32 Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 19:53:11 +0100 Subject: [PATCH 6/8] ci: add separate Dependabot CI workflow using pull_request_target --- .github/workflows/dependabot-ci.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 .github/workflows/dependabot-ci.yml diff --git a/.github/workflows/dependabot-ci.yml b/.github/workflows/dependabot-ci.yml new file mode 100644 index 0000000..9c3408a --- /dev/null +++ b/.github/workflows/dependabot-ci.yml @@ -0,0 +1,12 @@ +name: Dependabot CI +on: + pull_request_target: + branches: [develop, main] +jobs: + build: + if: github.actor == 'dependabot[bot]' + uses: fireflyframework/.github/.github/workflows/java-ci.yml@main + with: + java-version: '25' + checkout-ref: ${{ github.event.pull_request.head.sha }} + trigger-downstream: false From cc54eca7c4ccc3776f2db2b517c0a5741c5392e8 Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 20:01:08 +0100 Subject: [PATCH 7/8] ci: inline Dependabot CI build (cross-repo reusable workflows unsupported for Dependabot) --- .github/workflows/dependabot-ci.yml | 80 +++++++++++++++++++++++++++-- 1 file changed, 75 insertions(+), 5 deletions(-) diff --git a/.github/workflows/dependabot-ci.yml b/.github/workflows/dependabot-ci.yml index 9c3408a..25bfe12 100644 --- a/.github/workflows/dependabot-ci.yml +++ b/.github/workflows/dependabot-ci.yml @@ -2,11 +2,81 @@ name: Dependabot CI on: pull_request_target: branches: [develop, main] + +permissions: + contents: read + packages: read + statuses: write + jobs: build: + runs-on: ubuntu-latest if: github.actor == 'dependabot[bot]' - uses: fireflyframework/.github/.github/workflows/java-ci.yml@main - with: - java-version: '25' - checkout-ref: ${{ github.event.pull_request.head.sha }} - trigger-downstream: false + steps: + - name: Checkout PR code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Set up JDK 25 + uses: actions/setup-java@v4 + with: + java-version: '25' + distribution: temurin + cache: maven + + - name: Configure GitHub Packages + run: | + mkdir -p ~/.m2 + cat > ~/.m2/settings.xml << 'EOF' + + + + github + ${env.GITHUB_ACTOR} + ${env.GITHUB_TOKEN} + + + + + github-packages + + + github + https://maven.pkg.github.com/fireflyframework/fireflyframework-parent + true + true + + + + + + github-packages + + + EOF + + - name: Build with Maven + run: mvn -B verify + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Report build status + if: always() + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + if [ "${{ job.status }}" = "success" ]; then + STATE="success" + DESC="Dependabot build passed" + else + STATE="failure" + DESC="Dependabot build failed" + fi + gh api "repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }}" \ + -f state="$STATE" \ + -f context="build / build" \ + -f description="$DESC" \ + -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" From e3699aabdfd36d7113e2a3a56fc585bef978ad3f Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 20:33:27 +0100 Subject: [PATCH 8/8] ci: grant actions:write permission in caller for DAG orchestrator --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3beaf0c..6614de5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,5 +13,9 @@ on: jobs: build: uses: fireflyframework/.github/.github/workflows/java-ci.yml@main + permissions: + packages: read + contents: read + actions: write with: java-version: '25'