diff --git a/.github/templates/dependabot.yml b/.github/templates/dependabot.yml
new file mode 100644
index 0000000..e054379
--- /dev/null
+++ b/.github/templates/dependabot.yml
@@ -0,0 +1,73 @@
+# PM4 package: Laravel is provided by the host app; composer.json is only for this package's own PHP code/deps.
+# JS build: Vue 2 + Laravel Mix (manifest: package.json). Built assets under public/js/ are not scanned by Dependabot.
+#
+# Policy: NO routine version-update PRs (open-pull-requests-limit: 0).
+# Security/CVE PRs are handled by Dependabot security updates (org Settings → Code security).
+# Security PRs are batched into one PR per ecosystem (patch/minor).
+# Major security PRs will still open if no patch/minor fix exists — treat as manual review.
+#
+# Vue 2 pin: security fixes requiring Vue 3+ will be suppressed — accepted risk,
+# migration not planned. Same applies to vue-loader, vue-template-compiler, @vue/cli.
+#
+# Webpack pin: develop lockfile pins 5.91.0; Dependabot security PRs may bump to 5.107+.
+# 5.106.0 is the last release that still ships SizeFormatHelpers (Laravel Mix compat).
+# Block webpack >= 5.107 so batched security PRs keep other bumps without breaking the build.
+#
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+version: 2
+updates:
+ - package-ecosystem: npm
+ directory: /
+ schedule:
+ interval: weekly
+ day: monday
+ open-pull-requests-limit: 0
+ ignore:
+ # If you ever raise `open-pull-requests-limit`, this skips routine major bumps.
+ # Note: update-types has no effect on security updates.
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
+ - dependency-name: "vue"
+ versions: [">=3.0.0"] # stay on Vue 2.x — suppresses security PRs requiring v3+ too
+ - dependency-name: "@vue/cli*"
+ versions: [">=5.0.0"] # CLI v5+ is Vue 3 era
+ - dependency-name: "vue-loader"
+ versions: [">=17.0.0"] # vue-loader v17+ drops Vue 2 support
+ - dependency-name: "vue-template-compiler"
+ versions: [">=3.0.0"] # must stay in sync with Vue 2.x
+ - dependency-name: "webpack"
+ versions: [">=5.107.0"] # 5.106.0 last with SizeFormatHelpers; block 5.107+ security bumps
+ groups:
+ npm-security:
+ applies-to: security-updates # batches all JS security PRs into one
+ patterns: # note: update-types has no effect here for security
+ - "*"
+ ignore:
+ - dependency-name: "vue"
+ versions: [">=3.0.0"] # stay on Vue 2.x — suppresses security PRs requiring v3+ too
+ - dependency-name: "@vue/cli*"
+ versions: [">=5.0.0"] # CLI v5+ is Vue 3 era
+ - dependency-name: "vue-loader"
+ versions: [">=17.0.0"] # vue-loader v17+ drops Vue 2 support
+ - dependency-name: "vue-template-compiler"
+ versions: [">=3.0.0"] # must stay in sync with Vue 2.x
+ - dependency-name: "webpack"
+ versions: [">=5.107.0"] # 5.106.0 last with SizeFormatHelpers; block 5.107+ security bumps
+
+ - package-ecosystem: composer
+ directory: /
+ schedule:
+ interval: weekly
+ day: monday
+ open-pull-requests-limit: 0
+ ignore:
+ # If you ever raise `open-pull-requests-limit`, this skips routine major bumps.
+ # Note: update-types has no effect on security updates.
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major"]
+ groups:
+ composer-security:
+ applies-to: security-updates # batches all PHP security PRs into one
+ patterns:
+ - "*"
+
\ No newline at end of file
diff --git a/.github/workflows/sync-dependabot.yml b/.github/workflows/sync-dependabot.yml
new file mode 100644
index 0000000..f2be142
--- /dev/null
+++ b/.github/workflows/sync-dependabot.yml
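Review bot: The second `ignore:` list in the npm entry, the one that follows `patterns: - "*"`, repeats the five Vue/webpack pins already declared in the entry's first `ignore:` block, and with the indentation lost in this rendering it is either a duplicate `ignore` key on the same mapping (most YAML parsers keep only the last one, silently dropping the `dependency-name: "*"` rule) or an `ignore` key nested under `groups.npm-security`, which the Dependabot group schema does not define (it takes `applies-to`, `dependency-type`, `patterns`, `exclude-patterns`, `update-types`), so config validation is likely to reject it. Delete that second list and keep the pins only in the top-level `ignore:`, which already applies to security updates — the composer entry below is already written that way. One caveat worth recording in the header: `ignore` suppresses the PRs, not the alerts, so the Vue 3-only and webpack >= 5.107 advisories will still show as open Dependabot alerts; a line such as `# Ignored versions still raise alerts under Security → Dependabot; review them at each sync` keeps the accepted-risk decision visible to whoever triages alerts.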
@@ -0,0 +1,73 @@
+name: Sync Dependabot Config
+
+on:
+ workflow_dispatch:
+ push:
+ paths:
+ - '.github/templates/dependabot.yml'
+ - 'repos-dependabot.txt'
+
+jobs:
+ sync-dependabot:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - uses: ./.github/actions/setup-github-app-git
+ with:
+ private-key: ${{ secrets.PM_CICD_APP_PRIVATE_KEY }}
+
+ - name: Sync Dependabot Config
+ env:
+ ORG_NAME: ProcessMaker
+ run: |
+ set -euo pipefail
+
+ echo "Repositories accessible to this CICD app installation:"
+ mapfile -t ACCESSIBLE_REPOS < <(
+ gh api /installation/repositories --paginate --jq '.repositories[].name' | sort -u
+ )
+ printf ' - %s\n' "${ACCESSIBLE_REPOS[@]}"
+
+ while IFS= read -r repo || [ -n "$repo" ]; do
+ [ -z "$repo" ] && continue
+ [[ "$repo" =~ ^# ]] && continue
+
+ echo "Processing $ORG_NAME/$repo"
+
+ if ! printf '%s\n' "${ACCESSIBLE_REPOS[@]}" | grep -qx "$repo"; then
+ echo "::error::CICD app cannot access $ORG_NAME/$repo. Org install exists, but this repo is not in the app's repository access list. Add it at https://github.com/organizations/ProcessMaker/settings/installations (Configure → Repository access)."
+ exit 1
+ fi
+
+ rm -rf "$repo"
+ gh repo clone "$ORG_NAME/$repo" "$repo" -- --depth 1
+
+ mkdir -p "$repo/.github"
+ cp .github/templates/dependabot.yml "$repo/.github/dependabot.yml"
+
+ cd "$repo"
+
+ perms="$(gh api "repos/$ORG_NAME/$repo" --jq '.permissions')"
+ echo "Token permissions for $ORG_NAME/$repo: $perms"
+ if [ "$(echo "$perms" | jq -r '.push')" != "true" ]; then
+ echo "::error::Token cannot push to $ORG_NAME/$repo. On the org installation (not app settings), set Repository permissions → Contents to Read and write, then approve any pending permission request."
+ exit 1
+ fi
+
+ if git diff --quiet; then
+ echo "No changes for $repo"
+ else
+ git add .github/dependabot.yml
+ git commit -m "chore: sync dependabot config"
+ git push
+ fi
+
+ cd ..
+ rm -rf "$repo"
+
+ done < repos-dependabot.txt
diff --git a/repos-dependabot.txt b/repos-dependabot.txt
new file mode 100644
index 0000000..d7a419a
--- /dev/null
+++ b/repos-dependabot.txt
@@ -0,0 +1,6 @@
+# Enterprise
+
+# Custom
+package-thermofisher
+
+# MISC
\ No newline at end of file
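Review bot: `git diff --quiet` in the run script only inspects tracked files, so in any target repo that has no `.github/dependabot.yml` yet the freshly copied file is untracked, the check reports "No changes for $repo", and the first sync never commits anything. Stage before testing and compare the index instead: move `git add .github/dependabot.yml` above the check and change the condition to `if git diff --cached --quiet; then`, leaving only the commit and push in the else branch. The access check `grep -qx "$repo"` treats the list entry as a basic regular expression; since the value comes from `repos-dependabot.txt` and is then used as a path in `rm -rf "$repo"` and as a clone target, make the match literal with `grep -qxF -- "$repo"` so only an exact installation repo name passes. It is also worth stating in a comment at the top of the step that the app token pushes straight to each repo's default branch with no PR, so the targets' branch-protection rules are what stand between this workflow and an unreviewed change to every listed repo.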