Auto-rebuild & auto-merge theme-asset Dependabot PRs (+ verify check)#1265
Open
CybotTM wants to merge 4 commits into
CybotTM force-pushed from c0de53a to 35f1f45
CybotTM (author): I will check failing "Main / Validate monorepo structure (pull_request) Failing after 36s"
The composer entry used 'ignored-updates:' with a nested 'match:' block, which is not part of Dependabot's schema. Dependabot refuses to parse the file, which disables ALL dependency updates for the repo. Replace it with the schema-valid 'ignore:' key and flat entries.

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>

packages/typo3-docs-theme/ commits generated frontend assets (Vite output in assets/js/, Grunt output in resources/public/). If a change edits the theme sources but does not regenerate those assets, stale assets reach the rendered docs. This adds a status-check workflow that rebuilds the theme on a pull request and fails if the committed assets differ from a fresh build — catching both modified tracked files and new untracked output, with a single actionable annotation. It runs on every pull request (no paths filter) and short-circuits to success when the theme package is untouched, so it can safely be a required status check: a path-filtered required check never reports on unrelated PRs and would leave them un-mergeable. Least privilege: empty top-level permissions, job-level contents:read; harden-runner egress in block mode.

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>

A Dependabot bump of a theme dependency changes the build output but Dependabot cannot regenerate the committed assets, so the bump alone fails the check-built-assets gate. This adds a workflow that, on those Dependabot PRs, rebuilds the assets, commits them back, and enables auto-merge.

* pull_request_target + 'if: github.actor == dependabot[bot]' (matches the existing pr-auto-merge.yaml convention).
* PR head pinned by SHA; a lockfile-only diff guard; npm ci --ignore-scripts; harden-runner egress in block mode.
* The App token is minted AFTER the build so a compromised build dependency cannot read it; the GITHUB_TOKEN stays read-only.
* The rebuilt files are committed through the GitHub API (createCommitOnBranch) with the App token, not git push, so the commit is GitHub-signed (Verified) and re-triggers the asset check on the new commit. Requires a GitHub App (Contents + Pull requests: write) and APP_ID / APP_PRIVATE_KEY secrets.
* Auto-merge is enabled here, after the rebuild commit is in place, so pr-auto-merge.yaml is updated to skip PRs that update the theme package's dependencies (otherwise it squashes the bump before the rebuild lands).

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>

Point the theme-customization developer docs at the asset check and the Dependabot auto-rebuild, and state the local rebuild command contributors run before committing.

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
CybotTM force-pushed from 35f1f45 to 396fdcf
Problem

packages/typo3-docs-theme/ commits its built frontend assets — the Vite output under assets/js/ and the Grunt output under resources/public/. Those committed files drift out of sync two ways:

What this adds

* check-built-assets.yaml — on every pull request, rebuilds the theme and fails if the committed assets don't match a fresh build (catches both modified and newly-generated files, one actionable annotation). It runs on every PR and short-circuits to success when the theme package is untouched, so it can be a required status check without blocking unrelated PRs.
* dependabot-rebuild-assets.yaml — when Dependabot opens a PR that updates a theme dependency, rebuilds the assets, commits them back (GitHub-signed / Verified, via a GitHub App), and enables auto-merge.
* pr-auto-merge.yaml — the existing generic Dependabot auto-merge is updated to skip these theme-dependency PRs; the workflow above handles them, after the rebuild commit is in place.
* dependabot.yml — fixes an invalid key (ignored-updates) that currently prevents Dependabot from parsing the config at all. Prerequisite for everything above, and a standalone bug worth fixing regardless.
* Documentation/Developer/ThemeCustomization.rst.

Setup the repository must have (settings, not code)

* APP_ID / APP_PRIVATE_KEY. (The org already runs one for the backport workflow — reusable-backport.yml uses the same secret names.)
* verify status check.

Security model

dependabot-rebuild-assets.yaml uses pull_request_target (the same reason pr-auto-merge.yaml already does). Hardening:

* actor gated to dependabot[bot];
* checkout pinned to the PR head SHA;
* a lockfile-only diff guard (refuse to build if anything but package.json/package-lock.json changed);
* npm ci --ignore-scripts;
* harden-runner egress in block mode;
* the workflow GITHUB_TOKEN is read-only and all writes use the App token;
* the App token is minted after the build so build code can't read it;
* the commit is created via the GitHub API (createCommitOnBranch) so it is GitHub-signed and re-triggers verify on the new commit.

Residual risk (accepted, full hands-off chosen): because patch/minor theme bumps auto-merge, a freshly-bumped (potentially compromised) dependency's build-time code runs and its output is merged without a human in the loop. The guards above shrink this (no install scripts, blocked egress, lockfile-only diff, no token exposed to the build) but do not eliminate it. A repo that prefers a checkpoint can drop the "Enable auto-merge" step and merge these PRs manually, or restrict auto-merge to patch-only.

Validation

Proven end-to-end on a fork (CybotTM/render-guides): non-theme PR → verify skips green; stale-theme PR → verify fails and merge is blocked; Dependabot bump → Verified rebuild commit → verify re-runs on that commit → hands-off auto-merge → main left with correct assets. Reviewed across security, syntax, state-of-the-art, and documentation.

Not included

A Node-24 engines/.nvmrc bump was kept out as an unrelated change; happy to send it separately if wanted.
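Two of the guards the description and the third commit message rely on, the lockfile-only diff guard and the built-asset drift check, are small enough to show as plain shell. The block below is an added example, not code from this PR or from the render-guides workflows: two POSIX shell functions that read the output of the git command a workflow step would pipe into them and make the same accept/refuse decision the PR describes. The theme directory and the two asset directories are taken from the PR text; the assumption that the theme's package.json and package-lock.json sit directly under that directory, the sample paths, and the exact annotation wording are mine.

```shell
# Added example (not the PR's workflow code). Paths: THEME_DIR and the asset
# directories come from the PR; the manifest location is an assumption.
THEME_DIR="packages/typo3-docs-theme"

# Lockfile-only diff guard. Reads the paths changed in the PR, one per line
# (as `git diff --name-only BASE...HEAD` prints them), from stdin. Succeeds
# only if every path is the theme's package.json or package-lock.json; any
# other change means this is not a plain dependency bump and the privileged
# rebuild must refuse to run. An empty diff is refused as well.
lockfile_only_diff() {
    n=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        n=$((n + 1))
        case "$path" in
            "$THEME_DIR/package.json" | "$THEME_DIR/package-lock.json") ;;
            *)
                printf 'refusing to build: unexpected change in %s\n' "$path" >&2
                return 1
                ;;
        esac
    done
    [ "$n" -gt 0 ]
}

# Built-asset drift check. Reads `git status --porcelain` output (taken after
# a fresh build in a clean checkout) from stdin and emits one GitHub Actions
# error annotation naming every modified tracked file and every untracked
# build output under the committed asset directories. Succeeds when nothing
# under those directories changed, i.e. the committed assets match the build.
# Changes elsewhere in the tree are deliberately ignored by this check.
asset_drift() {
    modified=""
    untracked=""
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        rest=${line#??}            # porcelain v1 line is "XY path"; drop XY
        status=${line%"$rest"}     # the two status columns, e.g. " M" or "??"
        path=${line#???}           # skip "XY " to reach the path
        case "$path" in
            "$THEME_DIR/assets/js/"* | "$THEME_DIR/resources/public/"*) ;;
            *) continue ;;
        esac
        if [ "$status" = "??" ]; then
            untracked="$untracked $path"
        else
            modified="$modified $path"
        fi
    done
    [ -z "$modified" ] && [ -z "$untracked" ] && return 0
    printf '::error::committed theme assets are stale; rebuild the theme and commit the result.'
    [ -n "$modified" ] && printf ' modified:%s' "$modified"
    [ -n "$untracked" ] && printf ' untracked:%s' "$untracked"
    printf '\n'
    return 1
}
```

In a workflow step the functions would be fed by `git diff --name-only "$BASE_SHA...$HEAD_SHA" | lockfile_only_diff` before any dependency is installed, and by `git status --porcelain | asset_drift` after the build; the annotation uses the `::error::` workflow command so the single failure message shows up on the PR checks tab, which is what the description means by one actionable annotation.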