ci:👷 add dependabot version updates (#373)

solid-design-system · Sep 14, 2023 · 7d42e05 · 7d42e05
1 parent 8d83132
commit 7d42e05
Show file tree

Hide file tree

Showing 4 changed files with 100 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,66 @@
+name: (deps) Update dependencies
+
+version: 2
+updates:
+  # Enable version updates at root 
+  - package-ecosystem: "npm"
+    # Look for `package.json` and `lock` files in the `root` directory
+    directory: "/"
+    # Check the pnpm registry for updates every day (weekdays)
+    schedule:
+      interval: "daily"
+      time: "03:00"
+      timezone: "Europe/Berlin"
+    labels:
+      - "npm dependencies"
+      - "root"
+    reviewers:
+      - "solid-design-system/development"
+    # Set limit to 0 to disable Dependabot PRs entirely.
+    open-pull-requests-limit: 3
+
+  # Enable version updates for Components package
+  - package-ecosystem: "npm"
+    directory: "/packages/components/"
+    schedule:
+      interval: "daily"
+      time: "03:00"
+      timezone: "Europe/Berlin"
+    labels:
+      - "npm dependencies"
+      - "components"
+    reviewers:
+      - "solid-design-system/development"
+    # Set limit to 0 to disable Dependabot PRs entirely.
+    open-pull-requests-limit: 5
+
+
+  # Enable version updates for Placeholders package
+  - package-ecosystem: "npm"
+    directory: "/packages/placeholders/"
+    schedule:
+      interval: "daily"
+      time: "03:00"
+      timezone: "Europe/Berlin"
+    labels:
+      - "npm dependencies"
+      - "placeholders"
+    reviewers:
+      - "solid-design-system/development"
+    # Set limit to 0 to disable Dependabot PRs entirely.
+    open-pull-requests-limit: 1
+
+  # Enable version updates for Tokens package
+  - package-ecosystem: "npm"
+    directory: "/packages/tokens/"
+    schedule:
+      interval: "daily"
+      time: "03:00"
+      timezone: "Europe/Berlin"
+    labels:
+      - "npm dependencies"
+      - "tokens"
+    reviewers:
+      - "solid-design-system/development"
+    # Set limit to 0 to disable Dependabot PRs entirely.
+    open-pull-requests-limit: 1
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
@@ -0,0 +1,14 @@
+name: (deps) Automatic PR merge
+
+on: pull_request_target
+
+jobs:
+  auto-merge:
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ahmadnassri/[email protected]
+        with:
+          target: patch
+          github-token: ${{secrets.PAT_RELEASE_KARL}}
diff --git a/.github/workflows/pull-request-automation.yml b/.github/workflows/pull-request-automation.yml
@@ -0,0 +1,14 @@
+name: (deps) Automatic PR approval
+
+on: [pull_request_target]
+jobs:
+  automate-pullrequest-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Approve dependabot PR
+        if: ${{ github.actor == 'dependabot[bot]' }}
+        uses: andrewmusgrave/[email protected]
+        with:
+          repo-token: ${{ secrets.PAT_RELEASE_KARL}}
+          event: APPROVE
+          body: 'Thank you dependabot 🎊'
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -39,6 +39,12 @@
   Components should use these tokens instead of individual styles as much as possible. Only where the tokens do not provide a styling, component specific styles should be added inside the [component-name].ts file
 - Components should be optimized for accessibility. Check the website of the [Web Content Accessibility Guidelines (WCAG)](https://www.w3.org/WAI/standards-guidelines/wcag/) for more information on accessibility.
 
+## Adding Dependecies
+
+When utilizing external dependencies, it's crucial to prioritize security. Before integrating a new package, research it online, check for security advisories and community feedback, and assess its maintenance status and compatibility.
+
+We highly recommend to use websites e.g. https://nvd.nist.gov/vuln/search to check a dependency/package before adding them to the project.
+
 ## Migration Guides
 
 Each new component in the Solid Design System, representing an old component from the Component Library, must have a migration guide. This helps developers to easily switch from the old component to the new one. The migration guide should be placed in the `packages/components/src/docs/Migration` folder. The migration guide should base on the [migration guide template](./templates/migration-guide-template.mdx) and be named by the old component name (e.g.`ui-button.mdx`).