
ci: fix dependabot for audit and cont_integration workflows

Open notmandatory opened this issue 11 months ago • 2 comments

Description

We are getting errors on dependabot generated PRs. See:

https://github.com/bitcoindevkit/bdk/actions/runs/8310897352 https://github.com/bitcoindevkit/bdk/actions/runs/8310897348

To fix this, one of the recommended solutions is to exclude push-triggered workflow runs for the dependabot-created PR branches; push trigger is sufficient. See: Error: 403 "Resource not accessible by integration".

Notes to the reviewers

An alternative fix is to remove the push trigger, but this seemed like a smaller change. Also, the audit workflow only uses the push trigger, and I'm not sure if it will break if we switch it to use pull_request instead.

It's a little annoying having dependabot create PRs, but since it only triggers on security-related issues it's worth having so we don't forget to do those updates.

Changelog notice

None.

Checklists

All Submissions:

  • [x] I've signed all my commits
  • [x] I followed the contribution guidelines
  • [x] I ran cargo fmt and cargo clippy before committing

notmandatory avatar Mar 16 '24 23:03 notmandatory
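The trigger change the PR description proposes, as an added example rather than the bdk project's own workflow file: the `push` trigger ignores Dependabot branches, so a Dependabot PR is built once via `pull_request` instead of twice, and the job that needs write access declares it explicitly, since runs triggered by Dependabot get a read-only GITHUB_TOKEN by default and a write attempt with that token is what surfaces as the 403 "Resource not accessible by integration". The workflow name, job name, runner image, the `rustsec/audit-check` step and the exact permissions it needs are assumptions for illustration, not taken from this repository.

```yaml
# Added example, not bdk's own cont_integration.yml or audit.yml.
# Names and steps below are assumed for illustration.
name: cont_integration

on:
  push:
    # Skip push-triggered runs on Dependabot branches; the same commits
    # are still built exactly once through the pull_request event.
    branches-ignore:
      - 'dependabot/**'
  pull_request:

# Default every job to a read-only token; jobs ask for more explicitly.
permissions:
  contents: read

jobs:
  security_audit:
    runs-on: ubuntu-latest
    # Dependabot-triggered runs get a read-only GITHUB_TOKEN unless the
    # workflow grants more. Without this block an action that tries to
    # write (open an issue, upload findings) fails with
    # 403 "Resource not accessible by integration".
    permissions:
      contents: read
      issues: write            # assumed: the audit action files issues for advisories
      security-events: write   # assumed: the audit action reports findings
    steps:
      - uses: actions/checkout@v4
      - uses: rustsec/audit-check@v2   # assumed audit step; runs cargo-audit
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
```

If the audit job only ever needs to run `cargo audit` and fail the build, the token never has to be elevated at all; the `permissions` block is only needed when the step writes back to the repository. Keeping the top-level default at `contents: read` means a Dependabot branch that is pushed to by someone else still cannot use the token to write.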

@storopoli have you run into this issue before with dependabot and any thoughts on if this is the best way to fix it?

notmandatory avatar Mar 16 '24 23:03 notmandatory

Digging a little on this one by looking at:

We can definitely add the ignore as you are doing, or we can try to add the necessary permissions as well. Something like this:

jobs:
  security_audit:
    runs-on: ubuntu-20.04
    # GitHub Actions spells this permission with a hyphen; an underscore
    # key is not recognised and the token stays read-only.
    permissions:
      security-events: write

I am fine with both approaches. I think that security audits would be nice to have in dependabot PRs, since it is primarily updating dependencies. I am fond of having a Cargo.lock committed and updating it through dependabot, see Dependabot cargo. It will be much easier than the current pinning approach.

The Nix CI will add a Cargo.lock (#1320) and the next logical step, which I was already planning, was to add Cargo updates to dependabot.

storopoli avatar Mar 18 '24 12:03 storopoli

Is this still an issue? Also, I haven't seen any suggestions/updates by dependabot in a while 🤔.

FWIW, fedimint uses a separate dependabot.yml CI job; AFAICT it works fine. This one: https://github.com/fedimint/fedimint/blob/master/.github/dependabot.yml

oleonardolima avatar Sep 06 '24 00:09 oleonardolima
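A `.github/dependabot.yml` that does what storopoli's comment proposes (update a committed Cargo.lock through Dependabot) and what oleonardolima points to in fedimint (a dedicated Dependabot config), as an added example that is neither bdk's nor fedimint's file. The schedule, the pull-request limit, the grouping and the labels are assumptions; the `lockfile-only` strategy is the part that matters for a project that pins through Cargo.lock, because it leaves the version requirements in Cargo.toml alone.

```yaml
# Added example, not the bdk or fedimint configuration.
# Schedule, limit, grouping and labels are assumed values.
version: 2
updates:
  # Keep the committed Cargo.lock current.
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
    # Only bump the resolved versions in Cargo.lock; Cargo.toml
    # requirements are not rewritten, so each PR is a lockfile diff.
    versioning-strategy: "lockfile-only"
    open-pull-requests-limit: 5
    # Fold patch-level bumps into one PR instead of one PR per crate.
    groups:
      patch-updates:
        update-types: ["patch"]
    labels: ["dependencies"]

  # Also bump the action versions used in .github/workflows.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels: ["dependencies", "ci"]
```

With this file in place Dependabot opens version-update PRs on the schedule in addition to the security-only PRs it already creates, so the workflow triggers and token permissions discussed above apply to a steadier stream of Dependabot branches. Security advisories still produce their own PRs regardless of the schedule.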

@oleonardolima thanks for the tip, I'll take a look at how fedimint is doing it and possibly rework this PR.

notmandatory avatar Sep 16 '24 23:09 notmandatory