Dependabot changelogs: trigger CI explicitly (#14027)

* Dependabot changelogs: trigger CI explicitly * Changelog * Use merge ref, not head ref ref ref ref ref ref * explanatory note
2022-10-03 17:16:45 +01:00 · 2022-10-03 17:16:45 +01:00 · 2d5ce8c087
parent 4cceb6ba66
commit 2d5ce8c087
4 changed files with 22 additions and 4 deletions
--- a/.github/workflows/dependabot_changelog.yml
+++ b/.github/workflows/dependabot_changelog.yml
@ -3,16 +3,13 @@ on:
  pull_request:
    types:
      - opened
-      - reopened
+      - reopened  # For debugging!

 permissions:
  # Needed to be able to push the commit. See 
  #     https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request
  # for a similar example
  contents: write
-  # The pull_requests "synchronize" event doesn't seem to fire with just `contents: write`, so
-  # CI doesn't run with the new changelog. Maybe `pull_requests: write` will fix this?
-  pull-requests: write

 jobs:
  add-changelog:
@ -31,5 +28,23 @@ jobs:
          git commit -m "Changelog"
          git push
        shell: bash
+      # We have to explicitly start CI.
+      #
+      # By default, workflows can't trigger other workflows when they're just using the
+      # default `GITHUB_TOKEN` access token. (This is intended to stop you from writing
+      # recursive workflow loops by accident, because that'll get very expensive very
+      # quickly.) Instead, you have to manually call out to another workflow, or else
+      # make your changes (i.e. the `git push` above) using a personal access token.
+      # See
+      # https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
+      - name: Trigger CI
+        # Note: we use $GITHUB_REF here to run PR against the merge of this change with
+        # develop; use github.event.pull_request.head.ref above to commit to the PR
+        # branch.
+        run: |
+          gh workflow run "tests.yml" --ref "$GITHUB_REF"
+          gh workflow run "release-artifacts.yml" --ref "$GITHUB_REF"
+        shell: bash
+
  # THIS WORKFLOW HAS VARIOUS WRITE PERMISSIONS---do not add other jobs here unless they
  # are sufficiently locked down to dependabot only as above.
--- a/.github/workflows/release-artifacts.yml
+++ b/.github/workflows/release-artifacts.yml
@ -11,6 +11,7 @@ on:

    # we do the full build on tags.
    tags: ["v*"]
+  workflow_dispatch:

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@ -4,6 +4,7 @@ on:
  push:
    branches: ["develop", "release-*"]
  pull_request:
+  workflow_dispatch:

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
--- a/changelog.d/14027.misc
+++ b/changelog.d/14027.misc
@ -0,0 +1 @@
+Prototype a workflow to automatically add changelogs to dependabot PRs.
				`@ -0,0 +1 @@`
				`Prototype a workflow to automatically add changelogs to dependabot PRs.`