updates from upstream

.github/workflows/readme.yml

@@ -16,13 +16,13 @@ jobs:
 
     steps:
       - uses: actions/checkout@v2
-      - uses: docker://pandoc/core:2.9
+      - uses: docker://pandoc/core:2.11.4
         with:
           args: >-
             --metadata-file=colophon.yml
             --template=docs/README.template
             --output=README.md
-            --from=markdown_github+yaml_metadata_block
+            --from=gfm
             --to=gfm
             --fail-if-warnings
             --wrap=preserve

.github/workflows/release.yml

@@ -22,6 +22,8 @@ jobs:
       - uses: actions/checkout@v2
       - id: release
         uses: ahmadnassri/action-semantic-release@v1
+        with:
+          config: ${{ github.workspace }}/.semantic.json
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -59,7 +61,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/cache@v2
+      - uses: actions/cache@v2.1.4
         with:
           path: /tmp/.buildx-cache
           key: buildx-${{ github.sha }}

.github/workflows/super-linter.yml

@@ -25,5 +25,6 @@ jobs:
       - uses: actions/checkout@v2
       - uses: github/super-linter@v3
         env:
+          LOG_LEVEL: ERROR
           VALIDATE_ALL_CODEBASE: false
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/test.yml

@@ -28,7 +28,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/[email protected].2
+      - uses: actions/[email protected].4
       - run: npm audit --audit-level=critical
 
   test:
@@ -40,11 +40,11 @@ jobs:
 
     steps:
       - uses: actions/checkout@v2
-      - uses: actions/[email protected].2
+      - uses: actions/[email protected].4
         with:
           node-version: 14
 
-      - uses: actions/cache@v2
+      - uses: actions/cache@v2.1.4
         with:
           path: ~/.npm
           key: ${{ hashFiles('**/package-lock.json') }}

README.md

@@ -16,7 +16,7 @@ Automatically merge Dependabot PRs when version comparison is within range.
 name: auto-merge
 
 on:
-  pull_request:
+  pull_request_target:
 
 jobs:
   auto-merge:
@@ -85,34 +85,33 @@ steps:
 
 ### Inputs
 
-| input          | required | default        | description                                         |
-| -------------- | -------- | -------------- | --------------------------------------------------- |
-| `github-token` | ✔        | `github.token` | The GitHub token used to merge the pull-request     |
-| `target`       | ❌       | `patch`        | The version comparison target (major, minor, patch) |
-| `command`      | ❌       | `merge`        | The command to pass to Dependabot                   |
-| `approve`      | ❌       | `true`         | Auto-approve pull-requests                          |
+| input          | required | default                  | description                                         |
+|----------------|----------|--------------------------|-----------------------------------------------------|
+| `github-token` | ✔        | `github.token`           | The GitHub token used to merge the pull-request     |
+| `config`       | ✔        | `.github/auto-merge.yml` | Path to configuration file *(relative to root)*     |
+| `target`       | ❌        | `patch`                  | The version comparison target (major, minor, patch) |
+| `command`      | ❌        | `merge`                  | The command to pass to Dependabot                   |
+| `approve`      | ❌        | `true`                   | Auto-approve pull-requests                          |
 
 ### Token Scope
 
 The GitHub token is a [Personal Access Token](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) with the following scopes:
 
-- `repo` for private repositories
-- `public_repo` for public repositories
+-   `repo` for private repositories
+-   `public_repo` for public repositories
 
 The token MUST be created from a user with **`push`** permission to the repository.
 
 > ℹ _see reference for [user owned repos](https://docs.github.com/en/github/setting-up-and-managing-your-github-user-account/permission-levels-for-a-user-account-repository) and for [org owned repos](https://docs.github.com/en/github/setting-up-and-managing-organizations-and-teams/repository-permission-levels-for-an-organization)_
 
 ### Configuration file syntax
 
-Using the configuration file `.github/auto-merge.yml`, you have the option to provide a more fine-grained configuration. The following example configuration file merges
+Using the configuration file *(specified with `config` input)*, you have the option to provide a more fine-grained configuration. The following example configuration file merges
 
-- minor updates for `aws-sdk`
-- minor development dependency updates
-- patch production dependency updates
-- minor security-critical production dependency updates
-
-<!-- end list -->
+-   minor updates for `aws-sdk`
+-   minor development dependency updates
+-   patch production dependency updates
+-   minor security-critical production dependency updates
 
 ```yaml
 - match:
@@ -135,21 +134,21 @@ Using the configuration file `.github/auto-merge.yml`, you have the option to pr
 #### Match Properties
 
 | property          | required | supported values                           |
-| ----------------- | -------- | ------------------------------------------ |
-| `dependency_name` | ❌       | full name of dependency, or a regex string |
-| `dependency_type` | ❌       | `all`, `production`, `development`         |
+|-------------------|----------|--------------------------------------------|
+| `dependency_name` | ❌        | full name of dependency, or a regex string |
+| `dependency_type` | ❌        | `all`, `production`, `development`         |
 | `update_type`     | ✔        | `all`, `security:*`, `semver:*`            |
 
 > **`update_type`** can specify security match or semver match with the syntax: `${type}:${match}`, e.g.
 >
-> - **security:patch**  
->   SemVer patch update that fixes a known security vulnerability
+> -   **security:patch**
+>     SemVer patch update that fixes a known security vulnerability
 >
-> - **semver:patch**  
->   SemVer patch update, e.g. \> 1.x && 1.0.1 to 1.0.3
+> -   **semver:patch**
+>     SemVer patch update, e.g. &gt; 1.x && 1.0.1 to 1.0.3
 >
-> - **semver:minor**  
->   SemVer minor update, e.g. \> 1.x && 2.1.4 to 2.3.1
+> -   **semver:minor**
+>     SemVer minor update, e.g. &gt; 1.x && 2.1.4 to 2.3.1
 >
 > To allow `prereleases`, the corresponding `prepatch`, `preminor` and `premajor` types are also supported
 
@@ -172,22 +171,22 @@ However, **`in_range` is not supported yet**.
 
 1.  Parsing of _version ranges_ is not currently supported
 
-<!-- end list -->
+<!-- -->
 
     Update stone requirement from ==1.* to ==3.*
     requirements: update sphinx-autodoc-typehints requirement from <=1.11.0 to <1.12.0
     Update rake requirement from ~> 10.4 to ~> 13.0
 
-1.  Parsing of non semver numbering is not currently supported
+2.  Parsing of non semver numbering is not currently supported
 
-<!-- end list -->
+<!-- -->
 
     Bump actions/cache from v2.0 to v2.1.2
     chore(deps): bump docker/build-push-action from v1 to v2
 
-1.  Sometimes Dependabot does not include the "from" version, so version comparison logic is impossible:
+3.  Sometimes Dependabot does not include the "from" version, so version comparison logic is impossible:
 
-<!-- end list -->
+<!-- -->
 
     Update actions/setup-python requirement to v2.1.4
     Update actions/cache requirement to v2.1.2

action.yml

@@ -10,6 +10,11 @@ inputs:
     description: The GitHub token used to merge the pull-request
     required: true
 
+  config:
+    description: Path to configuration file (relative to root)
+    default: .github/auto-merge.yml
+    required: false
+
   command:
     description: The command to pass to Dependabot as a comment
     default: merge

action/index.js

@@ -9,7 +9,7 @@ import github from '@actions/github'
 import main from './lib/index.js'
 
   // exit early
-if (github.context.eventName !== 'pull_request') {
+if (!['pull_request_target', 'pull_request'].includes(github.context.eventName)) {
   core.error('action triggered outside of a pull_request')
   process.exit(1)
 }
@@ -26,6 +26,7 @@ if (!sender || !['dependabot[bot]', 'dependabot-preview[bot]'].includes(sender.l
 // parse inputs
 const inputs = {
   token: core.getInput('github-token', { required: true }),
+  config: core.getInput('config', { required: false }),
   target: core.getInput('target', { required: false }),
   command: core.getInput('command', { required: false }),
   approve: core.getInput('approve', { required: false })

action/lib/config.js

@@ -7,22 +7,22 @@ import core from '@actions/core'
 import yaml from 'js-yaml'
 
 // default value is passed from workflow
-export default function ({ workspace, target }) {
-  const configPath = path.join(workspace, '.github', 'auto-merge.yml')
-
-  let config
+export default function ({ workspace, inputs }) {
+  const configPath = path.join(workspace || '', inputs.config || '.github/auto-merge.yml')
 
   // read auto-merge.yml to determine what should be merged
   if (fs.existsSync(configPath)) {
     // parse .github/auto-merge.yml
     const configYaml = fs.readFileSync(configPath, 'utf8')
-    config = yaml.safeLoad(configYaml)
+    const config = yaml.safeLoad(configYaml)
     core.info('loaded merge config: \n' + configYaml)
-  } else {
-    // or convert the input "target" to the equivalent config
-    config = [{ match: { dependency_type: 'all', update_type: `semver:${target}` } }]
-    core.info('using workflow\'s "target": \n' + yaml.safeDump(config))
+
+    return config
   }
 
+  // or convert the input "target" to the equivalent config
+  const config = [{ match: { dependency_type: 'all', update_type: `semver:${inputs.target}` } }]
+  core.info('using workflow\'s "target": \n' + yaml.safeDump(config))
+
   return config
 }

action/lib/index.js

@@ -20,7 +20,7 @@ export default async function (inputs) {
   const proceed = parse({
     title: pull_request.title,
     labels: pull_request.labels.map(label => label.name.toLowerCase()),
-    config: config({ workspace, target: inputs.target }),
+    config: config({ workspace, inputs }),
     dependencies: dependencies(workspace)
   })
 

action/package.json

@@ -22,7 +22,7 @@
     "semver": "^7.3.4"
   },
   "devDependencies": {
-    "sinon": "^9.2.1",
+    "sinon": "^9.2.4",
     "tap": "^14.11.0"
   }
 }

action/test/fixtures/.github/auto-merge.yml

@@ -0,0 +1 @@
+../config-valid.yml

action/test/fixtures/config-valid.yml

@@ -0,0 +1,3 @@
+- match:
+    dependency_type: development
+    update_type: semver:minor

action/test/parse/config-load.js

@@ -0,0 +1,58 @@
+// packages
+import tap from 'tap'
+import sinon from 'sinon'
+
+import core from '@actions/core'
+
+// module
+import config from '../../lib/config.js'
+
+import path from 'path'
+const __dirname = path.resolve()
+
+const workspace = `${__dirname}/test/fixtures/`
+
+tap.test('input.config --> default', async assert => {
+  assert.plan(2)
+
+  sinon.stub(core, 'info') // silence output on terminal
+
+  const expected = [{ match: { dependency_type: 'development', update_type: 'semver:minor' } }]
+
+  const result = config({ workspace, inputs: { } })
+
+  assert.match(core.info.getCall(-1)?.firstArg, 'loaded merge config')
+  assert.match(result, expected)
+
+  core.info.restore()
+})
+
+tap.test('input.config --> custom', async assert => {
+  assert.plan(2)
+
+  sinon.stub(core, 'info') // silence output on terminal
+
+  const expected = [{ match: { dependency_type: 'development', update_type: 'semver:minor' } }]
+
+  const result = config({ workspace, inputs: { config: 'config-valid.yml' } })
+
+  assert.match(core.info.getCall(-1)?.firstArg, 'loaded merge config')
+  assert.match(result, expected)
+
+  core.info.restore()
+})
+
+tap.test('input.config --> no file', async assert => {
+  assert.plan(2)
+
+  sinon.stub(core, 'info') // silence output on terminal
+
+  const expected = [{ match: { dependency_type: 'all', update_type: 'semver:patch' } }]
+
+  const result = config({ inputs: { target: 'patch' } })
+
+  assert.match(core.info.getCall(-1)?.firstArg, 'using workflow\'s "target":')
+  assert.match(result, expected)
+
+  core.info.restore()
+})