From a091435952364551744e08829dd5e3e79ac52c87 Mon Sep 17 00:00:00 2001 From: John Mertic Date: Fri, 17 Apr 2026 13:49:39 -0400 Subject: [PATCH 1/4] Update GitHub Actions workflow with permissions and concurrency --- .github/workflows/build.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a38bc911..0703bfa5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,11 +5,20 @@ on: schedule: - cron: "0 11 * * *" +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: build: runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write steps: - - uses: jmertic/lfx-landscape-tools@main + - uses: jmertic/lfx-landscape-tools@d34c5300ea55dae32df9fac122a924d2f85fbb87 # 20260415 with: project_processing: skip env: From 1bbb14491202858ed351faebe7a7242cc470ae89 Mon Sep 17 00:00:00 2001 From: John Mertic Date: Fri, 17 Apr 2026 13:54:52 -0400 Subject: [PATCH 2/4] Update GitHub Actions workflow for landscape validation --- .github/workflows/validate.yml | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 327a4f8b..1ac084a2 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml 
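Review bot: In `.github/workflows/build.yml`, `cancel-in-progress: true` on the new `concurrency` block lets a newer run terminate the `build` job partway through, and that job now holds `contents: write` and `pull-requests: write`. If the pinned action pushes a branch before it opens its pull request (not visible from this hunk), a cancelled run could leave that work half done; `cancel-in-progress: false` would queue the newer run instead. The step's `with:`/`env:` blocks continue outside the hunk, so which token the action actually receives cannot be checked here.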
@@ -7,20 +7,23 @@ on: - main - master +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: validate-landscape: runs-on: ubuntu-latest name: "Validate landscape.yml file" + permissions: + contents: read steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: cncf/landscape2-validate-action@7f299c46e9b03b4e8bc2896882734fb0b0756b37 # v2.0.0 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: cncf/landscape2-validate-action@6381e8747c73412e638670807b402ef2b863e9f8 # v2.0.1 with: target_kind: data target_path: ./landscape.yml - - uses: pascalgn/automerge-action@7961b8b5eec56cc088c140b56d864285eabd3f67 # v0.16.4 - if: success() - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - MERGE_LABELS: "automated-build" - MERGE_RETRY_SLEEP: 300000 - MERGE_METHOD: "squash" From 599e8c5cd7a75cdefa39c221f54d9e2e5d64c059 Mon Sep 17 00:00:00 2001 From: John Mertic Date: Fri, 17 Apr 2026 13:55:20 -0400 Subject: [PATCH 3/4] Create dependabot-automerge.yml --- .github/workflows/dependabot-automerge.yml | 33 ++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 .github/workflows/dependabot-automerge.yml diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml new file mode 100644 index 00000000..a201c4a3 --- /dev/null +++ b/.github/workflows/dependabot-automerge.yml 
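Review bot: In `.github/workflows/validate.yml`, pull requests labelled `automated-build` are left without an unattended merge path once the automerge step is gone, because the workflow added in patch 3/4 only acts on `dependabot[bot]`. If those PRs come from the scheduled build workflow and are still meant to merge on their own, that needs a replacement. If manual merge is now the intent, a sentence in the commit message would record the decision.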
@@ -0,0 +1,33 @@ +name: Auto-merge Dependabot PRs + +on: + pull_request: + types: [opened, synchronize, reopened] + +permissions: + contents: write + pull-requests: write + +jobs: + dependabot: + runs-on: ubuntu-latest + if: github.actor == 'dependabot[bot]' + + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Approve PR + run: | + gh pr review --approve "${{ github.event.pull_request.number }}" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Enable auto-merge + run: | + gh pr merge \ + --squash \ + --auto \ + "${{ github.event.pull_request.number }}" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From f16de44f81c0989b96ec4ae1ce35215110a7bdd4 Mon Sep 17 00:00:00 2001 From: John Mertic Date: Fri, 17 Apr 2026 13:55:40 -0400 Subject: [PATCH 4/4] Add Dependabot configuration for GitHub Actions --- .github/dependabot.yml | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..56129da2 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,9 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + groups: + all: + dependency-type: "production"
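Review bot: The job guard `if: github.actor == 'dependabot[bot]'` in `.github/workflows/dependabot-automerge.yml` tests who triggered the run rather than who authored the pull request, and this job approves and merges with `contents: write`. Gate on the PR author and the head repository instead: `if: github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository`. The Checkout step looks unnecessary if `gh` is given the PR through `env` (for example `PR_URL: ${{ github.event.pull_request.html_url }}` and `gh pr merge --auto --squash "$PR_URL"`), which also avoids persisting the write token in the checked-out repository's git config and removes the `${{ }}` interpolation inside `run:`. `--auto` only waits for checks that branch protection marks as required, which is not visible here, so confirm the validate job is one of them. Unlike the other two workflows, the write permissions are granted at workflow level rather than `permissions: {}` plus a job-level grant.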
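Review bot: The `all` group in `.github/dependabot.yml` has no `update-types` filter, so major-version bumps of actions land in the same grouped PR that the auto-merge workflow from patch 3/4 approves and merges without a human reviewer. Adding `update-types: ["minor", "patch"]` to the group would split major bumps into their own PRs. The workflow would then still need its own check, for example on the update type reported by `dependabot/fetch-metadata`, to leave those for manual review.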