dep bumps

Author: ShocOne

.github/workflows/auto-merge-dependabot.yml

@@ -1,171 +1,25 @@
-name: auto-merge dependabot updates
+name: Auto-Merge Dependabot
 
 on:
-  pull_request_target:
-    branches: [ main ]
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - ready_for_review
-
-permissions:
-  pull-requests: write
-  contents: write
+  pull_request:
 
 jobs:
-  dependabot-merge:
+  auto-merge:
+    name: '🤖 Auto-Merge Dependabot'
     runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' }}
-
+    if: github.actor == 'dependabot[bot]'
     steps:
-      - name: Dependabot metadata
-        id: metadata
-        uses: dependabot/fetch-metadata@v2.2.0
-        with:
-          github-token: "${{ secrets.DEPENDABOT_PAT }}"  # Using PAT for enhanced features, alert-lookup, and compat-lookup
-          alert-lookup: true    # Enable security alert information
-          compat-lookup: true   # Enable compatibility score checking
-
-      - name: Check security and compatibility
-        id: security_check
-        run: |
-          DEPS_JSON='${{ steps.metadata.outputs.updated-dependencies-json }}'
-          
-          # Perform checks
-          if [ "${{ steps.metadata.outputs.alert-state }}" = "OPEN" ]; then
-            echo "⚠️ Security alert detected (GHSA: ${{ steps.metadata.outputs.ghsa-id }})"
-            echo "CVSS Score: ${{ steps.metadata.outputs.cvss }}"
-            echo "is_security_update=true" >> $GITHUB_OUTPUT
-          else
-            echo "is_security_update=false" >> $GITHUB_OUTPUT
-          fi
-          
-          if [ "${{ steps.metadata.outputs.compatibility-score }}" -lt 75 ]; then
-            echo "⚠️ Low compatibility score: ${{ steps.metadata.outputs.compatibility-score }}"
-            echo "is_compatible=false" >> $GITHUB_OUTPUT
-          else
-            echo "is_compatible=true" >> $GITHUB_OUTPUT
-          fi
-          
-          if [ "${{ steps.metadata.outputs.maintainer-changes }}" = "true" ]; then
-            echo "⚠️ Maintainer changes detected"
-            echo "has_maintainer_changes=true" >> $GITHUB_OUTPUT
-          else
-            echo "has_maintainer_changes=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        if: ${{ steps.metadata.outputs.package-ecosystem == 'gomod' }}
 
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        if: ${{ steps.metadata.outputs.package-ecosystem == 'gomod' }}
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2.11.0
         with:
-          go-version: 'stable'
+          egress-policy: audit
 
-      - name: Process Go dependencies
-        if: ${{ steps.metadata.outputs.package-ecosystem == 'gomod' }}
-        run: |
-          log_update_details() {
-            local pr_number=$1
-            echo "::group::Dependency Update Details for PR #$pr_number"
-            echo "🔄 Dependencies: ${{ steps.metadata.outputs.dependency-names }}"
-            echo "📦 Type: ${{ steps.metadata.outputs.dependency-type }}"
-            echo "📈 Version: ${{ steps.metadata.outputs.previous-version }} → ${{ steps.metadata.outputs.new-version }}"
-            echo "📂 Directory: ${{ steps.metadata.outputs.directory }}"
-            [ "${{ steps.security_check.outputs.is_security_update }}" = "true" ] && \
-              echo "🚨 Security update (CVSS: ${{ steps.metadata.outputs.cvss }})"
-            echo "::endgroup::"
-          }
-
-          echo "🔍 Fetching all Go-related Dependabot PRs..."
-          GO_PRS=$(gh pr list \
-            --author "dependabot[bot]" \
-            --json number,title,createdAt,headRefName \
-            --state open \
-            --jq 'sort_by(.createdAt) | .[] | select(.title | contains("go.mod"))')
-
-          CURRENT_PR_PROCESSED=false
+      - uses: actions/checkout@v4.2.2
+        with:
+          fetch-depth: 0
 
-          echo "$GO_PRS" | while read -r pr; do
-            PR_NUMBER=$(echo "$pr" | jq -r .number)
-            HEAD_BRANCH=$(echo "$pr" | jq -r .headRefName)
-            
-            log_update_details $PR_NUMBER
-            
-            # Skip indirect dependencies unless they're security updates
-            if [ "${{ steps.metadata.outputs.dependency-type }}" = "indirect" ] && \
-               [ "${{ steps.security_check.outputs.is_security_update }}" != "true" ]; then
-              echo "⏭️ Skipping indirect dependency update"
-              continue
-            fi
-
-            # Special handling for security updates
-            if [ "${{ steps.security_check.outputs.is_security_update }}" = "true" ]; then
-              echo "🚨 Processing security update with priority"
-              PRIORITY_MERGE=true
-            fi
-
-            git fetch origin $HEAD_BRANCH
-            git checkout $HEAD_BRANCH
-            git pull origin $HEAD_BRANCH
-            
-            echo "🛠️ Running go mod tidy for PR #$PR_NUMBER"
-            go mod tidy
-            
-            if git diff --quiet; then
-              echo "✨ No changes required for PR #$PR_NUMBER"
-            else
-              echo "💾 Committing changes for PR #$PR_NUMBER"
-              git config --global user.name "GitHub Actions"
-              git config --global user.email "actions@github.com"
-              git commit -am "chore: go mod tidy for PR #$PR_NUMBER"
-              git push origin $HEAD_BRANCH
-            fi
-            
-            # Auto-merge decision logic
-            if [ "$PR_NUMBER" = "$CURRENT_PR_NUMBER" ]; then
-              CURRENT_PR_PROCESSED=true
-              if { [ "$UPDATE_TYPE" != "version-update:semver-major" ] || \
-                  [ "${{ steps.security_check.outputs.is_security_update }}" = "true" ]; } && \
-                  [ "${{ steps.security_check.outputs.is_compatible }}" = "true" ] && \
-                  [ "${{ steps.security_check.outputs.has_maintainer_changes }}" = "false" ]; then
-                echo "🤖 Enabling auto-merge for current PR #$PR_NUMBER"
-                gh pr merge --auto --merge "$PR_URL"
-              fi
-            elif [ "$CURRENT_PR_PROCESSED" = false ]; then
-              echo "🔄 Processing older PR #$PR_NUMBER first"
-              gh pr merge --auto --merge "$PR_NUMBER"
-            fi
-          done
-        env:
-          GITHUB_TOKEN: ${{ secrets.DEPENDABOT_PAT }}
-          PR_URL: ${{ github.event.pull_request.html_url }}
-          CURRENT_PR_NUMBER: ${{ github.event.pull_request.number }}
-          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
-
-      # Handle other dependencies with security awareness
-      - name: Enable auto-merge for pipeline dependencies
-        if: |
-          steps.security_check.outputs.is_compatible == 'true' &&
-          steps.security_check.outputs.has_maintainer_changes == 'false' &&
-          (steps.metadata.outputs.update-type != 'version-update:semver-major' || steps.security_check.outputs.is_security_update == 'true') && 
-          contains(steps.metadata.outputs.directory, '.github/workflows')
-        run: gh pr merge --auto --merge "$PR_URL"
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.DEPENDABOT_PAT}}
-
-      - name: Enable auto-merge for other dependencies
-        if: |
-          steps.security_check.outputs.is_compatible == 'true' &&
-          steps.security_check.outputs.has_maintainer_changes == 'false' &&
-          (steps.metadata.outputs.update-type != 'version-update:semver-major' || steps.security_check.outputs.is_security_update == 'true') && 
-          steps.metadata.outputs.package-ecosystem != 'gomod' &&
-          !contains(steps.metadata.outputs.directory, '.github/workflows')
-        run: gh pr merge --auto --merge "$PR_URL"
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.DEPENDABOT_PAT}}
+      - uses: ahmadnassri/action-dependabot-auto-merge@v2.6.6
+        with:
+          target: minor
+          github-token: ${{ secrets.DEPENDABOT_PAT }}

.github/workflows/dependancy-review.yml

@@ -11,7 +11,7 @@ jobs:
     steps:
 
       - name: Harden Runner
-        uses: step-security/harden-runner@v2.10.3
+        uses: step-security/harden-runner@v2.11.0
         with:
           egress-policy: audit
 

.github/workflows/linter.yml

@@ -17,7 +17,7 @@ jobs:
     timeout-minutes: 25
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@v2.10.3
+        uses: step-security/harden-runner@v2.11.0
         with:
           egress-policy: audit
 
@@ -27,7 +27,7 @@ jobs:
           fetch-depth: 0
 
       - name: Lint Code Base with Super-Linter
-        uses: super-linter/super-linter@v7.2.1
+        uses: super-linter/super-linter@v7.3.0
         env:
           DEFAULT_BRANCH: origin/main
           VALIDATE_ALL_CODEBASE: false # tells the linter to only check files that have been modified in the current pull request

.github/workflows/release-please.yml

@@ -14,7 +14,7 @@ jobs:
     name: '🔖 Release Please'
     runs-on: ubuntu-latest
     steps:
-    - uses: googleapis/release-please-action@v4.1.3
+    - uses: googleapis/release-please-action@v4.2.0
       with:
         release-type: terraform-module
         token: ${{ secrets.PAT_TOKEN }}