diff --git a/.github/workflows/auto-pre-commit-merge.yml b/.github/workflows/auto-pre-commit-merge.yml
index 3db2213..fd5bffd 100644
--- a/.github/workflows/auto-pre-commit-merge.yml
+++ b/.github/workflows/auto-pre-commit-merge.yml
@@ -32,87 +32,80 @@ jobs: steps: # Step 1: Verify that the PR was created by the pre-commit-ci bot # This is a security measure to ensure we only auto-merge bot PRs + # Identifier used to reference this step's outputs in later steps + # Compare the actor (PR creator) with the expected bot username + # Set output variable to true if it's the pre-commit bot + # Set output variable to false for any other user/bot - name: Check PR author - id: check_author # Identifier used to reference this step's outputs in later steps + id: check_author run: | - # Compare the actor (PR creator) with the expected bot username if [[ "${{ github.actor }}" == "pre-commit-ci[bot]" ]]; then - # Set output variable to true if it's the pre-commit bot echo "is_precommit_bot=true" >> $GITHUB_OUTPUT else - # Set output variable to false for any other user/bot echo "is_precommit_bot=false" >> $GITHUB_OUTPUT fi # Step 2: Clone the repository to analyze the changes # This step only runs if the previous step confirmed it's the pre-commit bot + # Use the main branch of the checkout action + # Fetch all history for all branches and tags (needed for git diff) - name: Checkout code if: steps.check_author.outputs.is_precommit_bot == 'true' - uses: actions/checkout@main # Use the main branch of the checkout action + uses: actions/checkout@main with: - fetch-depth: 0 # Fetch all history for all branches and tags (needed for git diff) + fetch-depth: 0 # Step 3: Verify that ONLY the .pre-commit-config.yaml file was modified # This is a critical safety check to prevent auto-merging unintended changes + # Get the list of files changed between the base branch and the PR head + # origin/${{ github.base_ref }} is the target branch (e.g., main) + # HEAD is the current PR branch + # Check if the ONLY changed file is .pre-commit-config.yaml + # If other files changed, don't auto-merge (requires manual review) - name: Check if only .pre-commit-config.yaml changed if: steps.check_author.outputs.is_precommit_bot == 
'true' id: check_changes run: | - # Get the list of files changed between the base branch and the PR head - # origin/${{ github.base_ref }} is the target branch (e.g., main) - # HEAD is the current PR branch - changed_files=$(git diff --name-only origin/${{ github.base_ref }}...HEAD) - echo "Changed files: $changed_files" # Log for debugging purposes - - # Check if the ONLY changed file is .pre-commit-config.yaml + changed_files=$(git diff --name-only origin/devel...HEAD) + echo "Changed files: $changed_files" if [[ "$changed_files" == ".pre-commit-config.yaml" ]]; then echo "only_precommit=true" >> $GITHUB_OUTPUT else - # If other files changed, don't auto-merge (requires manual review) echo "only_precommit=false" >> $GITHUB_OUTPUT fi # Step 4: Automatically approve the PR # Only runs if all previous checks passed (bot author + only pre-commit config changed) + # Third-party action for PR approval - name: Auto-approve PR if: steps.check_changes.outputs.only_precommit == 'true' - uses: hmarr/auto-approve-action@v4 # Third-party action for PR approval + uses: hmarr/auto-approve-action@v4 with: - github-token: ${{ secrets.GITHUB_TOKEN }} + github-token: ${{ secrets.BOT_PAT }} # Step 5: Add an informative comment to the PR # This provides transparency about what the workflow is doing + # Allows running custom JavaScript in the workflow - name: Add comment on PR if: steps.check_changes.outputs.only_precommit == 'true' - uses: actions/github-script@main # Allows running custom JavaScript in the workflow + uses: actions/github-script@v8 with: - github-token: ${{ secrets.BOT_PAT }} script: | - # Use the GitHub REST API to create a comment on the PR github.rest.issues.createComment({ - issue_number: context.issue.number, # PR number from the event context - owner: context.repo.owner, # Repository owner - repo: context.repo.repo, # Repository name - body: "Auto-approved pre-commit version update. Merging after checks pass." 
+ issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Auto-approved pre-commit version update. Merging after checks pass.' }) - # Step 6: Wait for all CI/CD checks to complete successfully - # This ensures we don't merge a PR that breaks tests or other quality checks - - name: Wait for all checks to pass - if: steps.check_changes.outputs.only_precommit == 'true' - uses: lewagon/wait-on-check-action@master - with: - ref: ${{ github.event.pull_request.head.sha }} # The commit SHA to check - repo-token: ${{ secrets.BOT_PAT }} - wait-interval: 20 # Check status every 20 seconds - allowed-conclusions: success # Only proceed if all checks succeed (not skipped/neutral) - - # Step 7: Automatically merge the PR + # Step 6: Automatically merge the PR # This is the final step, only executed after all checks pass + # Squash all commits into a single commit on merge - name: Auto-merge PR if: steps.check_changes.outputs.only_precommit == 'true' uses: pascalgn/automerge-action@main env: GITHUB_TOKEN: ${{ secrets.BOT_PAT }} - MERGE_METHOD: squash # Squash all commits into a single commit on merge + MERGE_LABELS: "automerge" + MERGE_METHOD: "squash" # Other options: merge (creates merge commit), rebase (rebases commits) diff --git a/.github/workflows/manual-pre-commit-merge.yml b/.github/workflows/manual-pre-commit-merge.yml index d02373d..843e2ee 100644 --- a/.github/workflows/manual-pre-commit-merge.yml +++ b/.github/workflows/manual-pre-commit-merge.yml 
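Review bot: The retained comment on the final step, `# This is the final step, only executed after all checks pass`, is no longer backed by anything in the workflow once the `Wait for all checks to pass` step is removed; as far as I can tell `pascalgn/automerge-action` only waits on checks that branch protection on the target branch marks as required, so if `devel` has no such rule the PR merges as soon as the approve step succeeds, and the comment should either be corrected or the gating restored. The new `MERGE_LABELS: "automerge"` line also makes the action skip any PR that does not carry that label, and nothing in this workflow applies it to the pre-commit-ci PR, so either a labelling step is needed or the value should be `MERGE_LABELS: ""` to disable label matching. The hoisted comment `# origin/${{ github.base_ref }} is the target branch (e.g., main)` now describes code that hard-codes `origin/devel`; either restore `${{ github.base_ref }}` in the `git diff` line or reword the comment to say the changed-file check is pinned to devel and therefore only meaningful for PRs targeting it. Switching the approve step from `secrets.GITHUB_TOKEN` to `secrets.BOT_PAT` makes the PAT owner's account the reviewer of record on a bot-authored change, so a branch-protection review requirement no longer adds an independent gate; that is worth a comment on the step if it is intentional. The same points apply to the corresponding hunk in manual-pre-commit-merge.yml.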
@@ -32,88 +32,80 @@ jobs: steps: # Step 1: Verify that the PR was created by the pre-commit-ci bot # This is a security measure to ensure we only auto-merge bot PRs + # Identifier used to reference this step's outputs in later steps + # Compare the actor (PR creator) with the expected bot username + # Set output variable to true if it's the pre-commit bot + # Set output variable to false for any other user/bot - name: Check PR author - id: check_author # Identifier used to reference this step's outputs in later steps + id: check_author run: | - # Compare the actor (PR creator) with the expected bot username if [[ "${{ github.actor }}" == "uk-bolly" ]]; then - # Set output variable to true if it's the pre-commit bot echo "is_precommit_bot=true" >> $GITHUB_OUTPUT else - # Set output variable to false for any other user/bot echo "is_precommit_bot=false" >> $GITHUB_OUTPUT fi # Step 2: Clone the repository to analyze the changes # This step only runs if the previous step confirmed it's the pre-commit bot + # Use the main branch of the checkout action + # Fetch all history for all branches and tags (needed for git diff) - name: Checkout code if: steps.check_author.outputs.is_precommit_bot == 'true' - uses: actions/checkout@main # Use the main branch of the checkout action + uses: actions/checkout@main with: - fetch-depth: 0 # Fetch all history for all branches and tags (needed for git diff) + fetch-depth: 0 # Step 3: Verify that ONLY the .pre-commit-config.yaml file was modified # This is a critical safety check to prevent auto-merging unintended changes + # Get the list of files changed between the base branch and the PR head + # origin/${{ github.base_ref }} is the target branch (e.g., main) + # HEAD is the current PR branch + # Check if the ONLY changed file is .pre-commit-config.yaml + # If other files changed, don't auto-merge (requires manual review) - name: Check if only .pre-commit-config.yaml changed if: steps.check_author.outputs.is_precommit_bot == 'true' id: 
check_changes run: | - # Get the list of files changed between the base branch and the PR head - # origin/${{ github.base_ref }} is the target branch (e.g., main) - # HEAD is the current PR branch - changed_files=$(git diff --name-only origin/${{ github.base_ref }}...HEAD) - echo "Changed files: $changed_files" # Log for debugging purposes - - # Check if the ONLY changed file is .pre-commit-config.yaml + changed_files=$(git diff --name-only origin/devel...HEAD) + echo "Changed files: $changed_files" if [[ "$changed_files" == ".pre-commit-config.yaml" ]]; then echo "only_precommit=true" >> $GITHUB_OUTPUT else - # If other files changed, don't auto-merge (requires manual review) echo "only_precommit=false" >> $GITHUB_OUTPUT fi # Step 4: Automatically approve the PR # Only runs if all previous checks passed (bot author + only pre-commit config changed) + # Third-party action for PR approval - name: Auto-approve PR if: steps.check_changes.outputs.only_precommit == 'true' - uses: hmarr/auto-approve-action@v4 # Third-party action for PR approval + uses: hmarr/auto-approve-action@v4 with: github-token: ${{ secrets.BOT_PAT }} # Step 5: Add an informative comment to the PR # This provides transparency about what the workflow is doing + # Allows running custom JavaScript in the workflow - name: Add comment on PR if: steps.check_changes.outputs.only_precommit == 'true' - uses: actions/github-script@main # Allows running custom JavaScript in the workflow + uses: actions/github-script@v8 with: - github-token: ${{ secrets.GITHUB_TOKEN }} script: | - # Use the GitHub REST API to create a comment on the PR github.rest.issues.createComment({ - issue_number: context.issue.number, # PR number from the event context - owner: context.repo.owner, # Repository owner - repo: context.repo.repo, # Repository name - body: "Auto-approved pre-commit version update. Merging after checks pass." 
+ issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: 'Auto-approved pre-commit version update. Merging after checks pass.' }) - # Step 6: Wait for all CI/CD checks to complete successfully - # This ensures we don't merge a PR that breaks tests or other quality checks - - name: Wait for all checks to pass - if: steps.check_changes.outputs.only_precommit == 'true' - uses: lewagon/wait-on-check-action@master - with: - ref: ${{ github.event.pull_request.head.sha }} # The commit SHA to check - repo-token: ${{ secrets.BOT_PAT }} - wait-interval: 20 # Check status every 20 seconds - allowed-conclusions: success # Only proceed if all checks succeed (not skipped/neutral) - - # Step 7: Automatically merge the PR + # Step 6: Automatically merge the PR # This is the final step, only executed after all checks pass + # Squash all commits into a single commit on merge - name: Auto-merge PR if: steps.check_changes.outputs.only_precommit == 'true' uses: pascalgn/automerge-action@main env: - GITHUB_TOKEN: ${{ secrets.BOT_PAT }} - MERGE_METHOD: squash # Squash all commits into a single commit on merge + MERGE_LABELS: "automerge" + MERGE_METHOD: "squash" # Other options: merge (creates merge commit), rebase (rebases commits) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 255180a..b27ea93 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -46,7 +46,7 @@ repos: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v25.12.1 + rev: v26.3.0 hooks: - id: ansible-lint name: Ansible-lint @@ -65,7 +65,7 @@ repos: # - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.37.1 # or higher tag + rev: v1.38.0 # or higher tag hooks: - id: yamllint name: Check YAML Lint
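Review bot: The `Auto-merge PR` step at the end of this hunk drops `GITHUB_TOKEN: ${{ secrets.BOT_PAT }}` from `env:` without replacing it, leaving only `MERGE_LABELS` and `MERGE_METHOD`; `pascalgn/automerge-action` reads its API token from the `GITHUB_TOKEN` environment variable, so as written the step cannot authenticate and will not merge anything. Restoring `GITHUB_TOKEN: ${{ secrets.BOT_PAT }}` under `env:` (or `${{ secrets.GITHUB_TOKEN }}` if a github-actions-attributed merge is acceptable) fixes it. The sibling hunk in auto-pre-commit-merge.yml keeps that line, which suggests this is an accidental deletion rather than a deliberate change. Removing `github-token: ${{ secrets.GITHUB_TOKEN }}` from the comment step is fine, since `actions/github-script` defaults to `github.token`.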