feat: add process-dependabot-reusable workflow (Bash-based alternative) by ppkarwasz · Pull Request #419 · apache/logging-parent
This PR introduces a reusable GitHub Actions workflow, process-dependabot-reusable, designed to streamline the handling of Dependabot pull requests across repositories — implemented entirely with shell scripts.
This serves as a Bash-based alternative to #418, which uses TypeScript.
🔄 Key Differences from #418
- Trigger: Runs on `pull_request_target` (not `push`), which is required by the `dependabot/fetch-metadata` action.
- Implementation: Written using standard POSIX tools with a few dependencies:
  - `bash` – some Bash-specific constructs are used
  - `jq` – for processing JSON output from `dependabot/fetch-metadata`
  - `xmlstarlet` – for parsing `pom.xml` and generating a changelog XML file
  - `git` – to commit and push any changes
  - `gh` – to enable "auto-merge" on the pull request
This approach avoids the Node.js/TypeScript toolchain and relies only on standard CLI tools commonly available in CI environments.
The apt command is not recommended for scripting.
This change splits the Dependabot automation into two reusable workflows:
- Unprivileged workflow (`analyze-dependabot-reusable`): Runs on `pull_request` with no permissions. It analyzes Dependabot PRs and generates metadata safely.
- Privileged workflow (`process-dependabot-reusable`): Uses the metadata from the unprivileged step to generate changelog files and enable the "auto-merge" option. Requires access to our GPG key and Personal Access Token.
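The split above means the privileged workflow consumes values that were produced while running the pull request's own code, so it has to treat that metadata as untrusted input before anything is passed to `git`, `gh` or written into the changelog XML. The script below is an added example of that boundary check, not code from apache/logging-parent: it validates each field against a strict allowlist pattern, rejects multi-line values, and escapes the result for XML. The function names, the field set, the patterns and the `<entry>` element shape are assumptions, and the values in the demo call at the bottom are constructed.

```bash
#!/bin/sh
# Added example (not apache/logging-parent code): validate metadata handed from an
# unprivileged workflow run before a privileged run acts on it. Written in POSIX sh
# so it also runs under bash; patterns, field names and XML shape are assumptions.
set -eu

# Allowlist patterns for what a Dependabot version bump can legitimately contain.
DEP_RE='^[A-Za-z0-9][A-Za-z0-9._:/@-]{0,199}$'        # e.g. org.apache.logging.log4j:log4j-api
VER_RE='^[A-Za-z0-9][A-Za-z0-9.+-]{0,99}$'             # e.g. 2.24.1, 2.0.0-rc1
UPDATE_RE='^version-update:semver-(major|minor|patch)$' # fetch-metadata update-type values
PR_RE='^[0-9]{1,9}$'

NL='
'

# validate_field NAME VALUE REGEX: exit 1 unless VALUE is a single line matching REGEX.
# The newline check matters because grep matches per line, so "good\nbad" would
# otherwise pass a per-line anchored pattern.
validate_field() {
  case $2 in
    *"$NL"*) echo "rejecting $1: multi-line value" >&2; return 1 ;;
  esac
  if ! printf '%s' "$2" | grep -Eq "$3"; then
    echo "rejecting $1: value does not match allowlist" >&2
    return 1
  fi
}

# xml_escape STRING: escape the five characters that can break out of XML text/attributes.
xml_escape() {
  printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g; s/'"'"'/\&apos;/g'
}

# make_changelog_entry DEP PREV NEW UPDATE_TYPE PR_NUMBER
# Prints one changelog entry on stdout, or prints nothing and returns 1 if any
# field fails validation. The element layout is illustrative only.
make_changelog_entry() {
  validate_field dependency "$1" "$DEP_RE" || return 1
  validate_field previous-version "$2" "$VER_RE" || return 1
  validate_field new-version "$3" "$VER_RE" || return 1
  validate_field update-type "$4" "$UPDATE_RE" || return 1
  validate_field pr-number "$5" "$PR_RE" || return 1
  printf '<entry type="updated">\n  <issue id="%s"/>\n  <description>Update %s from %s to %s (%s)</description>\n</entry>\n' \
    "$5" "$(xml_escape "$1")" "$(xml_escape "$2")" "$(xml_escape "$3")" "$4"
}

# Demo with constructed values (what the unprivileged run would have emitted).
make_changelog_entry 'org.apache.logging.log4j:log4j-api' '2.24.0' '2.24.1' \
  'version-update:semver-patch' '419'
```

Because validation happens before any value reaches a command line or the XML file, a crafted dependency name or version in the metadata artifact is rejected with a non-zero exit rather than silently committed; in a workflow step that exit code fails the job, which is the desired outcome.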
ppkarwasz added a commit to ppkarwasz/infrastructure-actions that referenced this pull request
This PR allows the usage of the ppkarwasz/fetch-metadata GitHub Action as an alternative to dependabot/fetch-metadata in ASF repositories.
The ppkarwasz/fetch-metadata action is a personal improvement of the original dependabot/fetch-metadata, adding support for grouped Dependabot pull requests, a feature that is currently missing from the upstream action. The implementation has already been reviewed and approved by the Dependabot team (see dependabot/fetch-metadata#632), but the upstream project has been inactive for several months, likely due to reduced maintenance capacity at GitHub. This has prevented the improvement from being merged and released.
Why this change is needed
In Apache Logging Services, every pull request must include a changelog entry. Previously, under CTR, we used a workflow that automatically added the changelog entry and merged the PR.
Since switching to RTC, this automation can no longer complete the merge step, resulting in repositories accumulating unmerged Dependabot PRs that must be:
- manually reviewed,
- updated with an empty commit to re-trigger required status checks,
- and merged by hand.
We already have an improved workflow in place (see apache/logging-parent#419) that provides:
- Security enhancements through separation of privileged and unprivileged workflows (`ppkarwasz/fetch-metadata` is used only in the unprivileged workflow),
- Automatic merge using `auto-merge` instead of manual merging, and
- Support for grouped Dependabot PRs (reducing noise to ~1 PR per repository per month).
The final item, grouped PR support, requires the ppkarwasz/fetch-metadata action.
Co-authored-by: Volkan Yazıcı volkan@yazi.ci
Removes the parameters that can be computed.
Co-authored-by: Copilot 175728472+Copilot@users.noreply.github.com
This change:
- Moves reusable workflows to the `gha/v0` branch (#473).
- Creates Dependabot workflows for `logging-parent`.
vy approved these changes May 2, 2026
ppkarwasz added a commit that referenced this pull request
This change moves the reusable workflows from #419 to gha/v0 and leaves the documentation in main.
ppkarwasz deleted the feat/dependabot-add-changelog2 branch
ppkarwasz added a commit to apache/logging-log4j2 that referenced this pull request
Wire up the reusable workflows from apache/logging-parent#419 to:
- Generate changelog entries for Dependabot PRs.
- Re-run build checks on the newly created commit.
- Enable auto-merge, which only merges once required checks pass and a maintainer approves.
Together, these allow merging Dependabot PRs in a single click.
Also add a concurrency setting to build.yaml and codeql-analysis.yaml so superseded PR commits stop consuming runners.