mapfish · sbrunner · Jan 25, 2024 · Jan 25, 2024 · Jan 25, 2024
diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -27,13 +27,6 @@
       matchStrings: ['toolVersion = "(?<currentValue>.*)" // (?<depName>.*)'],
       datasourceTemplate: 'maven',
     },
-    /** Do update on packages update (trigger a rebuild) */
-    {
-      fileMatch: ['^ci/dpkg\\-versions\\.yaml$'],
-      matchStrings: [" *(?<depName>[^'\\s]+): '?(?<currentValue>[^'\\s/]*[0-9][^'\\s/]*)'?"],
-      datasourceTemplate: 'repology',
-      versioningTemplate: 'loose',
-    },
     /** Do update on the schema present in the ci/config.yaml */
     {
       fileMatch: ['^ci/config\\.yaml$'],
@@ -154,13 +147,13 @@
       matchPackageNames: ['shellcheck-py/shellcheck-py'],
       versioning: 'regex:^v(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)\\.(?<build>\\d+)$',
     },
-    /** Update dpkg versions at any time */
+    /** Group and auto merge the CI dependencies */
     {
-      matchBaseBranches: ['/^[0-9]+\\.[0-9]+$/'],
-      matchPaths: ['^ci/dpkg\\-versions\\.yaml$'],
-      schedule: ['at any time'],
-      groupName: 'dpkg',
+      matchFileNames: ['.github/**', '.pre-commit-config.yaml', 'ci/**'],
+      groupName: 'CI dependencies',
       automerge: true,
+      separateMajorMinor: false,
+      separateMinorPatch: false,
     },
   ],
 }
diff --git a/.github/workflows/audit.yaml b/.github/workflows/audit.yaml
@@ -6,8 +6,8 @@ on:
 
 jobs:
   audit:
-    runs-on: ubuntu-22.04
     name: Audit
+    runs-on: ubuntu-22.04
     timeout-minutes: 20
 
     strategy:
@@ -34,7 +34,17 @@ jobs:
       - run: ~/.venv/bin/pip install --pre c2cciutils[audit]
       - run: python3 -m pip install --pre c2cciutils[audit]
 
-      - name: Audit
+      - name: Snyk audit
         run: ~/.venv/bin/c2cciutils-audit --branch=${{ matrix.branch }}
         env:
           GITHUB_TOKEN: ${{ secrets.GOPASS_CI_GITHUB_TOKEN }}
+      - name: Check ci/dpkg-versions.yaml file existence
+        id: dpkg-versions
+        uses: andstor/file-existence-action@v2
+        with:
+          files: ci/dpkg-versions.yaml
+      - name: Update dpkg packages versions
+        run: ~/.venv/bin/c2cciutils-docker-versions-update --branch=${{ matrix.branch }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GOPASS_CI_GITHUB_TOKEN }}
+        if: steps.dpkg-versions.outputs.files_exists == 'true'
diff --git a/.github/workflows/backport.yaml b/.github/workflows/backport.yaml
@@ -11,8 +11,8 @@ env:
 
 jobs:
   backport:
-    runs-on: ubuntu-22.04
     name: Backport
+    runs-on: ubuntu-22.04
     timeout-minutes: 5
 
     steps:

diff --git a/.github/workflows/clean.yaml b/.github/workflows/clean.yaml
@@ -8,8 +8,8 @@ on:
 
 jobs:
   clean:
-    runs-on: ubuntu-22.04
     name: Clean docker hub tags
+    runs-on: ubuntu-22.04
     timeout-minutes: 5
 
     steps:

diff --git a/.github/workflows/delete-old-workflows-run.yaml b/.github/workflows/delete-old-workflows-run.yaml
@@ -9,9 +9,9 @@ env:
 
 jobs:
   build:
+    name: Delete old workflow runs
     runs-on: ubuntu-22.04
     timeout-minutes: 25
-    name: Delete old workflow runs
 
     steps:
       - name: Delete old workflow runs
@@ -20,4 +20,4 @@ jobs:
           repository: ${{ github.repository }}
           older-than-seconds: 43200000 # 500 days
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GOPASS_CI_GITHUB_TOKEN }}
diff --git a/.github/workflows/dependency-auto-review.yaml b/.github/workflows/dependency-auto-review.yaml
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -19,9 +19,9 @@ env:
 
 jobs:
   main:
+    name: Continuous integration
     runs-on: ubuntu-22.04
     timeout-minutes: 30
-    name: Continuous integration
     if: "!startsWith(github.event.head_commit.message, '[skip ci] ')"
 
     steps:
@@ -101,9 +101,8 @@ jobs:
           if-no-files-found: ignore
         if: always()
 
-      - run: make tests
-        # Tntented to fail earlier than the standard 30min for workflow failure
-        timeout-minutes: 10
+      - timeout-minutes: 10
+        run: make tests
 
       - uses: actions/upload-artifact@v4
         with:
@@ -148,63 +147,63 @@ jobs:
       - name: Create Release
         id: create_release
         uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           tag_name: ${{ github.ref }}
           release_name: ${{ steps.tag.outputs.tag }}
           draft: false
           prerelease: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         if: startsWith(github.ref, 'refs/tags/') && env.HAS_SECRETS == 'HAS_SECRETS'
       - name: Upload Release Asset
         uses: actions/upload-release-asset@v1.0.2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ steps.create_release.outputs.upload_url }}
           asset_path: ./core/build/libs/print-servlet-${{ steps.version.outputs.version }}.war
           asset_name: print-servlet-${{ steps.version.outputs.version }}.war
           asset_content_type: application/java-archive
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         if: startsWith(github.ref, 'refs/tags/') && env.HAS_SECRETS == 'HAS_SECRETS'
       - name: Upload Release Asset
         uses: actions/upload-release-asset@v1.0.2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ steps.create_release.outputs.upload_url }}
           asset_path: ./core/build/distributions/core-${{ steps.version.outputs.version }}.zip
           asset_name: print-cli-${{ steps.version.outputs.version }}.zip
           asset_content_type: application/zip
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         if: startsWith(github.ref, 'refs/tags/') && env.HAS_SECRETS == 'HAS_SECRETS'
       - name: Upload Release Asset
         uses: actions/upload-release-asset@v1.0.2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ steps.create_release.outputs.upload_url }}
           asset_path: ./core/build/libs/print-lib-${{ steps.version.outputs.version }}.jar
           asset_name: print-lib-${{ steps.version.outputs.version }}.jar
           asset_content_type: application/java-archive
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         if: startsWith(github.ref, 'refs/tags/') && env.HAS_SECRETS == 'HAS_SECRETS'
       - name: Upload Release Asset
         uses: actions/upload-release-asset@v1.0.2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ steps.create_release.outputs.upload_url }}
           asset_path: ./core/build/libs/print-lib-${{ steps.version.outputs.version }}-sources.jar
           asset_name: print-lib-${{ steps.version.outputs.version }}-sources.jar
           asset_content_type: application/java-archive
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         if: startsWith(github.ref, 'refs/tags/') && env.HAS_SECRETS == 'HAS_SECRETS'
       - name: Upload Release Asset
         uses: actions/upload-release-asset@v1.0.2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ steps.create_release.outputs.upload_url }}
           asset_path: ./core/build/libs/print-lib-${{ steps.version.outputs.version }}-javadoc.jar
           asset_name: print-lib-${{ steps.version.outputs.version }}-javadoc.jar
           asset_content_type: application/java-archive
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         if: startsWith(github.ref, 'refs/tags/') && env.HAS_SECRETS == 'HAS_SECRETS'
 
         # Update the documentation
@@ -238,8 +237,8 @@ jobs:
             if (process.env.GITHUB_REF_TYPE == 'tag') {
                 console.log('Trigger changelog');
                 await github.rest.repos.createDispatchEvent({
-                    owner: 'camptocamp',
-                    repo: 'helm-mutualize',
+                    owner: 'mapfish',
+                    repo: 'mapfish-print',
                     event_type: 'changelog',
                 });
             }
diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml
@@ -5,8 +5,6 @@ on:
     types:
       - opened
       - reopened
-      - labeled
-      - unlabeled
       - edited
       - synchronize
 
@@ -15,6 +13,7 @@ jobs:
     name: Pull request check
     runs-on: ubuntu-22.04
     timeout-minutes: 5
+    if: github.event.pull_request.user.login != 'renovate[bot]'
 
     steps:
       - run: pip install --upgrade attrs

diff --git a/.github/workflows/pull-request-automation.yaml b/.github/workflows/pull-request-automation.yaml
@@ -0,0 +1,139 @@
+name: Auto reviews, merge and close pull requests
+
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - closed
+  pull_request_target:
+    types:
+      - closed
+
+jobs:
+  auto-merge:
+    name: Auto reviews, merge and close pull requests
+    runs-on: ubuntu-22.04
+    timeout-minutes: 5
+
+    steps:
+      - name: Print event
+        run: echo "${GITHUB}" | jq
+        env:
+          GITHUB: ${{ toJson(github) }}
+      - name: Print context
+        uses: actions/github-script@v7
+        with:
+          script: |-
+            console.log(context);
+      - name: Auto reviews Renovate updates
+        uses: actions/github-script@v7
+        with:
+          script: |-
+            github.rest.pulls.createReview({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.payload.pull_request.number,
+              event: 'APPROVE',
+            })
+        if: |-
+          github.event.pull_request.user.login == 'renovate[bot]'
+          && (github.event.action == 'opened'
+            || github.event.action == 'reopened')
+      - name: Auto review and merge dpkg updates
+        uses: actions/github-script@v7
+        with:
+          script: |-
+            github.rest.pulls.createReview({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.payload.pull_request.number,
+              event: 'APPROVE',
+            });
+            github.graphql(`
+              mutation {
+                enablePullRequestAutoMerge(input: {
+                  pullRequestId: "${context.payload.pull_request.node_id}",
+                  mergeMethod: SQUASH,
+                }) {
+                  pullRequest {
+                    autoMergeRequest {
+                      enabledAt
+                    }
+                  }
+                }
+              }
+            `)
+        if: |-
+          github.event.pull_request.user.login == 'c2c-bot-gis-ci'
+          && startsWith(github.head_ref, 'dpkg-update/')
+          && (github.event.action == 'opened'
+            || github.event.action == 'reopened')
+      - name: Auto review and merge snyk auto fix
+        uses: actions/github-script@v7
+        with:
+          script: |-
+            github.rest.pulls.createReview({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.payload.pull_request.number,
+              event: 'APPROVE',
+            });
+            github.graphql(`
+              mutation {
+                enablePullRequestAutoMerge(input: {
+                  pullRequestId: "${context.payload.pull_request.node_id}",
+                  mergeMethod: SQUASH,
+                }) {
+                  pullRequest {
+                    autoMergeRequest {
+                      enabledAt
+                    }
+                  }
+                }
+              }
+            `)
+        if: |-
+          github.event.pull_request.user.login == 'c2c-bot-gis-ci'
+          && startsWith(github.head_ref, 'snyk-fix/')
+          && (github.event.action == 'opened'
+            || github.event.action == 'reopened')
+      - name: Restart audit workflow
+        uses: actions/github-script@v7
+        with:
+          script: |-
+            let runs = await github.rest.actions.listWorkflowRuns({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              workflow_id: 'audit.yaml',
+              per_page: 1,
+            });
+            runs = runs.data.workflow_runs;
+            if (runs.length == 1 && runs[0].status != 'success') {
+              console.log(`Rerun workflow ${runs[0].id} ${runs[0].status}`);
+              github.rest.actions.reRunWorkflowFailedJobs({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                run_id: runs[0].id,
+              });
+            }
+        if: |-
+          github.event.pull_request.user.login == 'c2c-bot-gis-ci'
+          && (startsWith(github.head_ref, 'snyk-fix/')
+            || startsWith(github.head_ref, 'dpkg-update/'))
+          && github.event.action == 'closed'
+          && github.event.pull_request.merged == true
+      - name: Auto close pre-commit.ci autoupdate
+        uses: actions/github-script@v7
+        with:
+          script: |-
+            github.rest.pulls.update({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.payload.pull_request.number,
+              state: 'closed',
+            });
+        if: |-
+          github.event.pull_request.user.login == 'pre-commit-ci'
+          && (github.event.action == 'opened'
+            || github.event.action == 'reopened')