devops: Add ci warning for swizzled docusaurus components

[jNullj]

Add new action and workflow that runs on new dependabot PR.
The action checks changes in components of docusaurus-theme-openapi that are swizzled and warns maintainers to review those changes.
For more info see #9287

Solves #9287

[socket-security]

New dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
@actions/github	5.1.1	environment	+3	316 kB	thboop
@actions/core	1.10.0	filesystem, environment	+2	211 kB	thboop

[github-actions]

	Messages
📖	✨ Thanks for your contribution to Shields, @jNullj!

Generated by 🚫 dangerJS against 6f867f7

[chris48s]

Thanks for working on this. This looks like it will be really useful.

I've had a read over the code and left you a first pass of comments. I've not actually run the code yet though. JS actions are very powerful, but one of the big issues is that it is quite hard to just check code like this out and run it locally to make sure it works.

How have you been testing this? Did you do it all in a test repo, or were you able to run bits of the code locally?

[chris48s]

I don't think we need to pull in node-fetch as a dependency and request these URLs. We've got an OctoKit instance in scope, so I think we should be able to use:

octokit.rest.repos.getContent({
  owner,
  repo,
  path,
  ref?,
});

to replace both these calls.

[jNullj]

I am new to octokit, I will look into this and add this if applicable

[jNullj]

solved with db2e03c
notice that files are > 1MB therefor an getContent won't return content (tried even with raw)
I had to use the sha and make a new blob request.

[chris48s]

In general, it is harder to read large blocks of code that are deeply nested.

We can often work round nesting by taking some code like

if (condition) {
  // do stuff
}

and re-writing it as

if (!condition) {
  return
}

// do stuff

I think we could make this whole run function easier to read by getting rid of a couple of layers of nesting here. For example:

if (!['dependabot[bot]', 'dependabot-preview[bot]'].includes(pr.user.login)) {
  return
}

const file = files.filter(f => f.filename === 'package-lock.json')[0]
if (file === undefined) {
   return
}

// do something with file

This would also make it clearer that we are not expecting to process more than one package-lock.json.

[jNullj]

I improved code readability with 81f020f
then fixed a type with 9e1c2e4

[chris48s]

Minor points, but:

1. If we have a look at your screenshot, we can see the table looks wierd because not all of the table rows have the same number of columns. Making these headers will fix that.

2. We're using <th> for every cell in this table, but <th> is only for headers. The "normal" cells should be <td>s.

[jNullj]

Updating this, not sure what you mean at 1, but i used colspan="2" to fix the visual issue.

[jNullj]

After testing

[chris48s]

If we are adding a package.json with dependencies here, we should register it with dependabot, like this:

shields/.github/dependabot.yml

Lines 33 to 41 in e9b3b50

	# close-bot package dependencies
	- package-ecosystem: npm
	directory: '/.github/actions/close-bot'
	schedule:
	interval: weekly
	day: friday
	time: '12:00'
	open-pull-requests-limit: 99
	rebase-strategy: disabled

[jNullj]

Solved with c77af69

[jNullj]

Thanks for working on this. This looks like it will be really useful.

I've had a read over the code and left you a first pass of comments. I've not actually run the code yet though. JS actions are very powerful, but one of the big issues is that it is quite hard to just check code like this out and run it locally to make sure it works.

How have you been testing this? Did you do it all in a test repo, or were you able to run bits of the code locally?

Thank you for the code review and the useful insights.

Regarding testing - I used a forked repo on github for testing, I think I might be able to run it locally if i look for some testing tools or try to simulate github with a crafted payload.

[chris48s]

OK. Latest changes look great - thanks. I've done a bit of testing on this in another repo. I found it a bit tricky to test this, but my experience is that when it comes to these GitHub actions, there is a large extent to which we can "set it and forget it". We don't tend to be constantly changing them. So I'm not too worried about this being a bit of a pain to test.

I've left a few final comments inline, but this is 99% done.

[chris48s]

Can we make these log statements use core.info() instead of core.debug() so they always get logged.

[jNullj]

Sure. This would be easier to understand.
Added with 78551ff

[chris48s]

It would be useful here if we could write a log message here (again, core.info()) with oldVersion and newVersion.

[jNullj]

Added with 5311d03

[chris48s]

This workflow doesn't actually need to run on pull_request_target. It can just run on pull_request. I'm aware this is a copy & paste from close-bot, which probably could have also just used pull_request.

[jNullj]

Oh yea, my bad, didn't notice this when I started with close-bot as a ref for the file.
Fixed with 640567d

[chris48s]

Sweeeet. Thanks for working on this one

[calebcartwright]

Nicely done @jNullj!