From ecc7584c036f480f150ba34d31e66b9181564832 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 27 Feb 2026 12:16:49 +0000 Subject: [PATCH 1/3] Bump the repo-config group with 2 updates Bumps the repo-config group with 2 updates: [frequenz-repo-config[lib]](https://github.com/frequenz-floss/frequenz-repo-config-python) and [frequenz-repo-config[extra-lint-examples]](https://github.com/frequenz-floss/frequenz-repo-config-python). Updates `frequenz-repo-config[lib]` from 0.13.8 to 0.14.0 - [Release notes](https://github.com/frequenz-floss/frequenz-repo-config-python/releases) - [Changelog](https://github.com/frequenz-floss/frequenz-repo-config-python/blob/v0.x.x/RELEASE_NOTES.md) - [Commits](https://github.com/frequenz-floss/frequenz-repo-config-python/compare/v0.13.8...v0.14.0) Updates `frequenz-repo-config[extra-lint-examples]` from 0.13.8 to 0.14.0 - [Release notes](https://github.com/frequenz-floss/frequenz-repo-config-python/releases) - [Changelog](https://github.com/frequenz-floss/frequenz-repo-config-python/blob/v0.x.x/RELEASE_NOTES.md) - [Commits](https://github.com/frequenz-floss/frequenz-repo-config-python/compare/v0.13.8...v0.14.0) --- updated-dependencies: - dependency-name: frequenz-repo-config[lib] dependency-version: 0.14.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: repo-config - dependency-name: frequenz-repo-config[extra-lint-examples] dependency-version: 0.14.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: repo-config ... Signed-off-by: dependabot[bot] --- pyproject.toml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 15d4fbc..4c886ca 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -5,7 +5,7 @@
 requires = [
 "setuptools == 82.0.0",
 "setuptools_scm[toml] == 9.2.2",
- "frequenz-repo-config[lib] == 0.13.8",
+ "frequenz-repo-config[lib] == 0.14.0",
 ]
 build-backend = "setuptools.build_meta"
@@ -71,7 +71,7 @@ dev-mkdocs = [
 "mkdocs-material == 9.7.3",
 "mkdocstrings[python] == 1.0.3",
 "mkdocstrings-python == 1.18.2",
- "frequenz-repo-config[lib] == 0.13.8",
+ "frequenz-repo-config[lib] == 0.14.0",
 ]
 dev-mypy = [
 "mypy == 1.19.1",
@@ -81,7 +81,7 @@ dev-mypy = [
 # For checking the noxfile, docs/ script, and tests
 "frequenz-client-microgrid[dev-mkdocs,dev-noxfile,dev-pytest]",
 ]
-dev-noxfile = ["nox == 2026.2.9", "frequenz-repo-config[lib] == 0.13.8"]
+dev-noxfile = ["nox == 2026.2.9", "frequenz-repo-config[lib] == 0.14.0"]
 dev-pylint = [
 "pylint == 4.0.5",
 # For checking the noxfile, docs/ script, and tests
@@ -89,7 +89,7 @@ dev-pylint = [
 ]
 dev-pytest = [
 "pytest == 9.0.2",
- "frequenz-repo-config[extra-lint-examples] == 0.13.8",
+ "frequenz-repo-config[extra-lint-examples] == 0.14.0",
 "pytest-mock == 3.15.1",
 "pytest-asyncio == 1.3.0",
 "async-solipsism == 0.9",
From 4df8275454ab3a30bb9a46df6aa77d101ea3df85 Mon Sep 17 00:00:00 2001
From: "frequenz-auto-dependabot[bot]" <261417025+frequenz-auto-dependabot[bot]@users.noreply.github.com> Date: Fri, 27 Feb 2026 12:17:06 +0000 Subject: [PATCH 2/3] Apply migration from 0.13.8 to 0.14.0 === v0.14.0 ========================================================= Script URL: https://raw.githubusercontent.com/frequenz-floss/frequenz-repo-config-python/v0.14.0/cookiecutter/migrate.py ======================================================================== Creating Dependabot auto-merge workflow... Created/Updated Dependabot auto-merge workflow at .github/workflows/auto-dependabot.yaml ======================================================================== Disabling CODEOWNERS review requirement in GitHub ruleset... Failed to get default branch: Command '['gh', 'api', 'repos/:owner/:repo', '--jq', '.default_branch']' returned non-zero exit status 1. >>> Failed to get default branch. Please manually disable the CODEOWNERS review requirement in the 'Protect version branches' ruleset at: GitHub repository settings > Rules ======================================================================== Updating the mkdocs.yml for mkdocstrings-python v2 compatibility... ======================================================================== Migration script finished. Remember to follow any manual instructions. ======================================================================== The migration completed successfully. --- .github/workflows/auto-dependabot.yaml | 30 ++++++-------------------- mkdocs.yml | 4 ++-- 2 files changed, 8 insertions(+), 26 deletions(-) diff --git a/.github/workflows/auto-dependabot.yaml b/.github/workflows/auto-dependabot.yaml index d3f5aa1..15ec7e4 100644 --- a/.github/workflows/auto-dependabot.yaml +++ b/.github/workflows/auto-dependabot.yaml 
@@ -1,39 +1,21 @@
 name: Auto-merge Dependabot PR
 on:
- # XXX: !!! SECURITY WARNING !!!
- # pull_request_target has write access to the repo, and can read secrets. We
- # need to audit any external actions executed in this workflow and make sure no
- # checked out code is run (not even installing dependencies, as installing
- # dependencies usually can execute pre/post-install scripts). We should also
- # only use hashes to pick the action to execute (instead of tags or branches).
- # For more details read:
- # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
- pull_request_target:
+ pull_request:
 permissions:
- contents: read
+ contents: write
 pull-requests: write
 jobs:
 auto-merge:
- name: Auto-merge Dependabot PR
- if: >
- github.actor == 'dependabot[bot]' &&
- !contains(github.event.pull_request.title, 'the repo-config group')
- runs-on: ubuntu-slim
+ if: github.actor == 'dependabot[bot]'
+ runs-on: ubuntu-latest
 steps:
- - name: Generate GitHub App token
- id: app-token
- uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
- with:
- app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }}
- private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }}
-
 - name: Auto-merge Dependabot PR
- uses: frequenz-floss/dependabot-auto-approve@e943399cc9d76fbb6d7faae446cd57301d110165 # v1.5.0
+ uses: frequenz-floss/dependabot-auto-approve@3cad5f42e79296505473325ac6636be897c8b8a1 # v1.3.2
 with:
- github-token: ${{ steps.app-token.outputs.token }}
+ github-token: ${{ secrets.GITHUB_TOKEN }}
 dependency-type: 'all'
 auto-merge: 'true'
 merge-method: 'merge'
diff --git a/mkdocs.yml b/mkdocs.yml
index 8c9fc5b..1cb74e3 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -99,8 +99,8 @@ plugins:
 default_handler: python
 handlers:
 python:
+ paths: ["src"]
 options:
- paths: ["src"]
 docstring_section_style: spacy
 inherited_members: true
 merge_init_into_class: false
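Review bot: In `.github/workflows/auto-dependabot.yaml` the job gate `if: github.actor == 'dependabot[bot]'` tests who triggered the run, not who opened the pull request, and it is the only condition in this job before `auto-merge: 'true'`. GitHub's Dependabot automation examples gate on the PR author instead, `if: github.event.pull_request.user.login == 'dependabot[bot]'`. The same `github.actor` test comes back in the revert hunk of PATCH 3/3, where it guards a `pull_request_target` run that reads App secrets, so the change is worth making there as well. This hunk also raises `contents` from `read` to `write` and drops the `!contains(github.event.pull_request.title, 'the repo-config group')` clause, so repo-config bumps, whose migration log asks for manual follow-up, would merge unattended.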
@@ -112,7 +112,7 @@ plugins:
 show_source: true
 show_symbol_type_toc: true
 signature_crossrefs: true
- import:
+ inventories:
 # See https://mkdocstrings.github.io/python/usage/#import for details
 - https://docs.python.org/3/objects.inv
 - https://frequenz-floss.github.io/frequenz-api-common/v0.5/objects.inv
From 287702f4c8d1fda797b8260e8095d95322e18847 Mon Sep 17 00:00:00 2001
From: Leandro Lucarella
Date: Fri, 27 Feb 2026 13:34:44 +0100
Subject: [PATCH 3/3] Revert auto-dependabot workflow
This workflow was already updated to a newer version than the one available in repo-config v0.14.0, so the migration actually rolled-back some fixes for this workflow.
Signed-off-by: Leandro Lucarella
---
 .github/workflows/auto-dependabot.yaml | 30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/auto-dependabot.yaml b/.github/workflows/auto-dependabot.yaml
index 15ec7e4..d3f5aa1 100644
--- a/.github/workflows/auto-dependabot.yaml
+++ b/.github/workflows/auto-dependabot.yaml
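Review bot: In the second `mkdocs.yml` hunk the comment directly under the renamed key still reads `# See https://mkdocstrings.github.io/python/usage/#import for details`, so once `import:` becomes `inventories:` it points at an option name the file no longer uses. The documentation anchor has presumably moved with the rename. Confirm the current section for `inventories` and update the comment to link there.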
@@ -1,21 +1,39 @@
 name: Auto-merge Dependabot PR
 on:
- pull_request:
+ # XXX: !!! SECURITY WARNING !!!
+ # pull_request_target has write access to the repo, and can read secrets. We
+ # need to audit any external actions executed in this workflow and make sure no
+ # checked out code is run (not even installing dependencies, as installing
+ # dependencies usually can execute pre/post-install scripts). We should also
+ # only use hashes to pick the action to execute (instead of tags or branches).
+ # For more details read:
+ # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+ pull_request_target:
 permissions:
- contents: write
+ contents: read
 pull-requests: write
 jobs:
 auto-merge:
- if: github.actor == 'dependabot[bot]'
- runs-on: ubuntu-latest
+ name: Auto-merge Dependabot PR
+ if: >
+ github.actor == 'dependabot[bot]' &&
+ !contains(github.event.pull_request.title, 'the repo-config group')
+ runs-on: ubuntu-slim
 steps:
+ - name: Generate GitHub App token
+ id: app-token
+ uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+ with:
+ app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }}
+ private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }}
+
 - name: Auto-merge Dependabot PR
- uses: frequenz-floss/dependabot-auto-approve@3cad5f42e79296505473325ac6636be897c8b8a1 # v1.3.2
+ uses: frequenz-floss/dependabot-auto-approve@e943399cc9d76fbb6d7faae446cd57301d110165 # v1.5.0
 with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
+ github-token: ${{ steps.app-token.outputs.token }}
 dependency-type: 'all'
 auto-merge: 'true'
 merge-method: 'merge'
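Review bot: The restored `Generate GitHub App token` step passes only `app-id` and `private-key`, so the minted token presumably carries every permission the App installation holds, while this job only needs to approve and merge a pull request. `actions/create-github-app-token` v2 accepts `permission-<name>` inputs; adding `permission-pull-requests: write` and `permission-contents: write` under `with:` (adjusted to what `dependabot-auto-approve` actually calls) would limit what the downstream action can do with it. The warning comment at the top already asks for audited, hash-pinned actions under `pull_request_target`, and both `uses:` lines honour that. A short comment on this step recording the App's intended scope would make the next audit quicker.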