10 changes: 9 additions & 1 deletion .github/dependabot.yml
@@ -4,10 +4,18 @@
# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference

version: 2
enable-beta-ecosystems: true
updates:
- package-ecosystem: "conda"
directory: "/"
schedule:
interval: "monthly"
cooldown:
default-days: 7
open-pull-requests-limit: 2

- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "quarterly"
# Allow up to 2 open pull requests at a time
open-pull-requests-limit: 2
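Review bot: `enable-beta-ecosystems: true` is added at the top of this hunk with no comment, yet it is the setting that makes the new `conda` entry work at all (conda is a beta Dependabot ecosystem and is ignored without it); a one-line comment above it, in the style of the existing `# Allow up to 2 open pull requests at a time`, would stop someone from later removing it as unused. Two smaller points in the same hunk: the `github-actions` entry keeps `interval: "quarterly"`, so the SHA-pinned actions used in the new pr_comment.yml will be refreshed at most every three months, and `monthly` would match the conda entry; and the `# Allow up to 2 open pull requests at a time` comment now sits on only one of the two entries that set `open-pull-requests-limit: 2`.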
1 change: 1 addition & 0 deletions .github/workflows/README.md
@@ -3,6 +3,7 @@
- binder.yaml - Adds a Binder badge to Pull Requests that are newly opened
- build.yaml - Build and push docker container images to a docker registry
- conda-lock-command.yml - Refresh conda-lock files by writing `/condalock` in a Pull Request comment
- pr_comment.yml - Respond to dependabot Pull Request updating environment.yml with `/condalock` command
- retag.yml - Republish docker images originally tagged with a short hash using a new CalVer string
- slash-command-dispatch.yml - ChatOps that looks for slash commands in Pull Requests to trigger automated scripts
- test.yaml - Test building docker container images in a Pull Request
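Review bot: the new filename `pr_comment.yml` breaks the hyphenated naming used by the neighbouring workflows in this list (`conda-lock-command.yml`, `slash-command-dispatch.yml`); consider `pr-comment.yml` so the list and the `.github/workflows` directory stay consistent. The description could also state that the workflow only fires for same-repo dependabot pull requests that touch `environment.yml`, since that condition is the reason the workflow exists and is what a reader scanning this README will want to know.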
28 changes: 28 additions & 0 deletions .github/workflows/pr_comment.yml
@@ -0,0 +1,28 @@
# Respond to dependabot Pull Request updating environment.yml with /condalock command!
name: Pull Request comment

on:
pull_request:
types: [opened, reopened]
paths: ["environment.yml"]

permissions: {}

jobs:
DeployPangeoBot:
runs-on: ubuntu-latest
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name

Member Author commented on this line:

workflow which adds a comment to a PR if: github.actor == 'dependabot[bot]'?

Using a more secure variant here based on https://docs.zizmor.sh/audits/#bot-conditions that should help to avoid https://www.synacktiv.com/publications/github-actions-exploitation-dependabot


steps:
- name: Checkout Repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false

- name: Add Condalock Comment
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with:
issue-number: ${{github.event.number}}
body: |
/condalock
Automatically locking new conda environment, building, and testing images...
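Review bot: the `Add Condalock Comment` step posts `/condalock` with the default `GITHUB_TOKEN`, and that breaks the workflow in two ways. First, `permissions: {}` at the workflow level with no job-level grant leaves the token without `pull-requests: write`, so the comment request from `peter-evans/create-or-update-comment` will be rejected; the `DeployPangeoBot` job needs `permissions: { pull-requests: write }`. Second, and more importantly for the stated purpose, comments created with `GITHUB_TOKEN` do not trigger `issue_comment` workflow runs, so `slash-command-dispatch.yml` will never see the `/condalock` command this workflow posts; pass a `token:` input from a GitHub App installation token or a fine-grained PAT with pull-request write access on this repository, and keep the job-level `permissions` minimal since that token, not `GITHUB_TOKEN`, does the write. The `Checkout Repository` step can be dropped: nothing in the job reads the working tree, and removing it shrinks what runs on a dependabot-authored event. The `if` condition itself is the right shape: keying on `github.event.pull_request.user.login` rather than `github.actor`, and requiring `github.event.pull_request.head.repo.full_name` to equal `github.repository`, excludes fork-originated PRs that merely appear to come from dependabot.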