Add dependabot license fixup script by williammartin · Pull Request #11269 · cli/cli · GitHub

Closed. Wants to merge 1 commit.
4 changes: 4 additions & 0 deletions Makefile
Expand Up @@ -114,3 +114,7 @@ licenses:
.PHONY: licenses-check
licenses-check:
./script/licenses-check

.PHONY: fix-dependabot-licenses
fix-dependabot-licenses:
./script/fix-dependabot-licenses.sh
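Review bot: the new recipe calls `./script/fix-dependabot-licenses.sh` while the neighbouring `licenses-check` target calls `./script/licenses-check` with no extension; consider dropping the `.sh` suffix so the two script names follow one convention. Unlike `licenses-check`, this target commits and pushes to other people's PR branches, so a one-line comment above `fix-dependabot-licenses:` saying that it pushes would help anyone discovering targets through `make` tab completion.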
Member
How about adding a workflow to kick this off every day? Or even triggered by new dependabot PR creation?

Member Author
See PR description:

Big picture, it would be nice if this happened automatically and @andyfeller has pointed out docs in the past that might enable this, but I just thought I'd close out the day with some vibes.

I'm not going to do this for this PR, but would welcome follow-up work to reduce the manual toil. There were security concerns about doing it on dependabot PR creation, which is why I do not want to get into it now.

Member
@BagToad BagToad Jul 10, 2025

I think that is doable, but definitely more challenging since Dependabot PRs trigger workflows as if the PR comes from a fork, so we would need to introduce a pull_request_target workflow, and that adds security considerations & complexity.

IMO let's wait and see if this is painful to run ourselves, and then if we feel it's needed, write a workflow in a future PR.

Edit: sorry this was sent before I saw Will's comment above. We're saying the same thing 🙂

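The scheduled alternative discussed in the two comments above, written here as an added example rather than anything from this PR or the cli/cli repository: it runs the new `make fix-dependabot-licenses` target from the default branch on a cron, so no `pull_request_target` trigger is needed and the workflow definition never comes from the PR. The cron expression, the `setup-go` step and the exact permission set are assumptions; the script still checks out each Dependabot branch and runs that branch's `make licenses`, exactly as it does when run locally.

```yaml
# .github/workflows/fix-dependabot-licenses.yml (constructed example, not from the PR)
name: Fix Dependabot licenses

on:
  schedule:
    - cron: "0 9 * * 1-5"   # assumed schedule: weekdays at 09:00 UTC
  workflow_dispatch:         # allows a manual run when a PR is blocked right now

# Least privilege for what the script does: list PRs and checks, read run
# logs, and push a commit to branches in this repository. Assumed to be
# sufficient; widen only if a gh call fails with a permissions error.
permissions:
  contents: write
  pull-requests: read
  checks: read
  actions: read

jobs:
  fix-licenses:
    runs-on: ubuntu-latest   # gh CLI is preinstalled on GitHub-hosted runners
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0     # full history so `gh pr checkout` can switch branches cleanly

      # Assumption: `make licenses` needs a Go toolchain matching go.mod
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      - name: Configure git identity for the fix-up commits
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"

      - name: Run the fix-up script
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # scoped by the permissions block above
        run: make fix-dependabot-licenses
```

One caveat worth knowing before relying on this: commits pushed with the repository's `GITHUB_TOKEN` do not trigger new workflow runs, so the Lint check on the Dependabot PR will not re-run on its own after the fix-up commit lands.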
87 changes: 87 additions & 0 deletions script/fix-dependabot-licenses.sh
@@ -0,0 +1,87 @@
#!/bin/bash

# Fix dependabot PRs with failing "Check Licenses" step
# The reason this is required is because our CI requires third-party licenses
# to be updated when dependency bumps happen, but Dependabot does not do this.
# Usage: ./script/fix-dependabot-licenses.sh

set -e

echo "🔧 Running fix-dependabot-licenses - changes will be pushed"

if ! git diff --quiet || ! git diff --cached --quiet; then
echo "❌ Git working directory is not clean. Please commit or stash changes first."
exit 1
fi

echo "📋 Fetching open dependabot PRs..."

# Get all open PRs by dependabot
dependabot_prs=$(gh pr list --author "app/dependabot" --state open --json number,title)
Member
thought: normally I've seen bots referred to as dependabot[bot] 🤔


if [[ -z "$dependabot_prs" || "$dependabot_prs" == "[]" ]]; then
echo "✅ No open dependabot PRs found"
exit 0
fi

echo "🔍 Found $(echo "$dependabot_prs" | jq '. | length') dependabot PRs"

# Process each PR
echo "$dependabot_prs" | jq -r '.[] | "\(.number) \(.title)"' | while read -r pr_number pr_title; do
echo ""
echo "🔍 Checking PR #$pr_number: $pr_title"

# Check if PR has failing lint step and get the first run ID
lint_link=$(gh pr checks "$pr_number" --json name,state,workflow,link | jq -r '.[] | select(.workflow == "Lint" and .name == "lint" and .state == "FAILURE") | .link' | head -1)

if [[ -n "$lint_link" ]]; then
# Extract run ID from the link
run_id=$(echo "$lint_link" | sed -E 's|.*/actions/runs/([0-9]+).*|\1|')
echo "❌ Found failing lint step in PR #$pr_number (run ID: $run_id)"

# Check if the specific "Check Licenses" step failed
if ! gh run view "$run_id" 2>/dev/null | grep "X Check licenses" > /dev/null; then
echo "✅ License check step is not failing in this run, skipping"
continue
fi

echo "❌ Confirmed: 'Check Licenses' step failed in run $run_id"

# Extract dependency name and version range from title for commit message
# Example: "chore(deps): bump golang.org/x/term from 0.32.0 to 0.33.0 #11266"
commitSuffix=$(echo "$pr_title" | sed -E 's/^chore\(deps\): //')

if [[ -z "$commitSuffix" ]]; then
echo "⚠️ Could not extract commit suffix from PR title: $pr_title"
echo "⚠️ Skipping this PR"
continue
fi

echo "📦 Commit Suffix: $commitSuffix"

echo "🔧 Checking out PR #$pr_number..."
gh pr checkout --force "$pr_number"

echo "🔧 Running 'make licenses'..."
make licenses

# Check if there are any changes to commit
if git diff --quiet && git diff --cached --quiet; then
echo "✅ No license changes needed for PR #$pr_number"
continue
fi

echo "🔧 Committing license changes..."
git add third-party/ third-party-licenses*
git commit -m "Fixed licenses for $commitSuffix"

echo "🔧 Pushing changes..."
git push
echo "✅ Fixed licenses for PR #$pr_number"
else
echo "✅ PR #$pr_number has passing/pending lint checks"
fi
done

echo ""
echo "✅ All applicable dependabot PRs have been processed."
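Review bot: the step-name test at `if ! gh run view "$run_id" 2>/dev/null | grep "X Check licenses" > /dev/null; then` is case-sensitive and looks for `Check licenses`, while the comment directly above it and the `echo "❌ Confirmed: 'Check Licenses' step failed ..."` line both call the step `Check Licenses`; if the real step name is capitalised, the grep never matches, every PR takes the `continue` branch with "License check step is not failing", and the script silently fixes nothing. Use the exact step name from the Lint workflow (or `grep -i`) and consider failing loudly when neither spelling is found. Two smaller points: because the loop runs in a pipeline subshell under `set -e`, a failing `gh pr checkout` or `make licenses` on one PR aborts the whole run instead of skipping that PR, and nothing after the loop checks out the branch the maintainer started on, so the working tree is left on whichever Dependabot branch was processed last. Style: `commitSuffix` is the only camelCase name in an otherwise snake_case script.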