From efc0ecbf2f2c037739e36ce9b74ce32f0873ca11 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 24 Mar 2026 15:25:26 +0000
Subject: [PATCH 1/4] Initial plan
From 6b5ef2e181428bcf19a44bcce587e9002cb19d7f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 24 Mar 2026 15:36:26 +0000
Subject: [PATCH 2/4] Add labeler-dependabot.yml to auto-label Dependabot PRs by type
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
Agent-Logs-Url: https://github.com/advanced-security/reusable-workflows/sessions/7ba7ce0f-aeb4-4230-9150-936e39e1fe67
---
 .github/workflows/labeler-dependabot.yml | 69 ++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 .github/workflows/labeler-dependabot.yml
diff --git a/.github/workflows/labeler-dependabot.yml b/.github/workflows/labeler-dependabot.yml
new file mode 100644
index 0000000..30d0a05
--- /dev/null
+++ b/.github/workflows/labeler-dependabot.yml
@@ -0,0 +1,69 @@
+name: Labeler - Dependabot
+
+on:
+ pull_request:
+ types:
+ - opened
+ - synchronize
+ - reopened
+
+# Permissions needed to label PRs and create/update labels.
+# security-events: read is required for dependabot/fetch-metadata alert-lookup.
+permissions:
+ contents: read
+ pull-requests: write
+ issues: write
+ security-events: read
+
+jobs:
+ label-dependabot:
+ runs-on: ubuntu-latest
+ # Only run for Dependabot-authored pull requests
+ if: github.event.pull_request.user.login == 'dependabot[bot]'
+ steps:
+ # Fetch metadata about the dependencies being updated.
+ # alert-lookup: true populates ghsa-id / alert-state for security update PRs.
+ # Note: if GITHUB_TOKEN does not have sufficient Dependabot alert access (e.g.
+ private repos or restricted org settings) you can replace secrets.GITHUB_TOKEN
+ with a fine-grained PAT that has the `security_events` read permission.
+ - name: Fetch Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v2
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+ alert-lookup: true
+
+ # Ensure the custom labels exist before applying them.
+ # `gh label create --force` is a no-op when the label already exists,
+ so this step is safe to run on every PR and handles the case where
+ the labels have not yet been created in the repository.
+ - name: Ensure labels exist
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ gh label create "dependabot-security-update" \
+ --color "e11d48" \
+ --description "Dependabot security update" \
+ --repo "${{ github.repository }}" \
+ --force
+ gh label create "dependabot-version-update" \
+ --color "0075ca" \
+ --description "Dependabot version update" \
+ --repo "${{ github.repository }}" \
+ --force
+
+ # Apply the security-update label when fetch-metadata identifies a GHSA.
+ - name: Label as security update
+ if: steps.metadata.outputs.ghsa-id != ''
+ run: gh pr edit "$PR_URL" --add-label "dependabot-security-update"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ # Apply the version-update label when no GHSA is associated with the PR.
+ - name: Label as version update
+ if: steps.metadata.outputs.ghsa-id == ''
+ run: gh pr edit "$PR_URL" --add-label "dependabot-version-update"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From f71a111ddf923795306623ba425cdd173ee29297 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 24 Mar 2026 16:48:42 +0000
Subject: [PATCH 3/4] Fix security vs version detection: use PR body text instead of ghsa-id
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
Agent-Logs-Url: https://github.com/advanced-security/reusable-workflows/sessions/83d35be1-c195-43a7-9da0-17c5c3838521
---
 .github/workflows/labeler-dependabot.yml | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/labeler-dependabot.yml b/.github/workflows/labeler-dependabot.yml
index 30d0a05..7fd6366 100644
--- a/.github/workflows/labeler-dependabot.yml
+++ b/.github/workflows/labeler-dependabot.yml
@@ -8,12 +8,10 @@ on:
 - reopened
 # Permissions needed to label PRs and create/update labels.
-# security-events: read is required for dependabot/fetch-metadata alert-lookup.
 permissions:
 contents: read
 pull-requests: write
 issues: write
- security-events: read
 jobs:
 label-dependabot:
@@ -21,17 +19,15 @@ jobs:
 # Only run for Dependabot-authored pull requests
 if: github.event.pull_request.user.login == 'dependabot[bot]'
 steps:
- # Fetch metadata about the dependencies being updated.
- # alert-lookup: true populates ghsa-id / alert-state for security update PRs.
- # Note: if GITHUB_TOKEN does not have sufficient Dependabot alert access (e.g.
- private repos or restricted org settings) you can replace secrets.GITHUB_TOKEN
- with a fine-grained PAT that has the `security_events` read permission.
+ # Fetch metadata about the dependencies being updated (names, type, semver update-type, etc.).
+ Note: alert-lookup is intentionally omitted — it requires a fine-grained PAT and
+ does not work with GITHUB_TOKEN, so ghsa-id is always empty when using the standard token.
+ Security vs. version update detection is handled via PR body text instead (see below).
 - name: Fetch Dependabot metadata
 id: metadata
 uses: dependabot/fetch-metadata@v2
 with:
 github-token: "${{ secrets.GITHUB_TOKEN }}"
- alert-lookup: true
 # Ensure the custom labels exist before applying them.
 # `gh label create --force` is a no-op when the label already exists,
@@ -52,17 +48,17 @@ jobs:
 --repo "${{ github.repository }}" \
 --force
- # Apply the security-update label when fetch-metadata identifies a GHSA.
+ # Dependabot security update PRs always contain this phrase in their body.
+ Version update PRs never contain this phrase.
 - name: Label as security update
- if: steps.metadata.outputs.ghsa-id != ''
+ if: contains(github.event.pull_request.body, 'You can disable automated security fix PRs')
 run: gh pr edit "$PR_URL" --add-label "dependabot-security-update"
 env:
 PR_URL: ${{ github.event.pull_request.html_url }}
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # Apply the version-update label when no GHSA is associated with the PR.
 - name: Label as version update
- if: steps.metadata.outputs.ghsa-id == ''
+ if: "!contains(github.event.pull_request.body, 'You can disable automated security fix PRs')"
 run: gh pr edit "$PR_URL" --add-label "dependabot-version-update"
 env:
 PR_URL: ${{ github.event.pull_request.html_url }}
From 90f9e3e81141a4bd233aeafebd7b0efded29dc78 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 24 Mar 2026 18:44:02 +0000
Subject: [PATCH 4/4] Adopt github-script paradigm: short-circuit, ENSURE_LABELS_EXIST toggle, dual-signal detection
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
Agent-Logs-Url: https://github.com/advanced-security/reusable-workflows/sessions/8c837435-8f96-4ab1-b719-665956287a5b
---
 .github/workflows/labeler-dependabot.yml | 97 ++++++++++++------------
 1 file changed, 49 insertions(+), 48 deletions(-)
diff --git a/.github/workflows/labeler-dependabot.yml b/.github/workflows/labeler-dependabot.yml
index 7fd6366..ab324c9 100644
--- a/.github/workflows/labeler-dependabot.yml
+++ b/.github/workflows/labeler-dependabot.yml
@@ -2,64 +2,65 @@ name: Labeler - Dependabot
 on:
 pull_request:
- types:
- - opened
- - synchronize
- - reopened
-# Permissions needed to label PRs and create/update labels.
 permissions:
 contents: read
 pull-requests: write
- issues: write
+
+env:
+ ENSURE_LABELS_EXIST: 'true' # Set to 'false' to skip label creation
 jobs:
 label-dependabot:
 runs-on: ubuntu-latest
- # Only run for Dependabot-authored pull requests
- if: github.event.pull_request.user.login == 'dependabot[bot]'
+ # Only run for Dependabot PRs that have not already been labeled
+ if: >-
+ github.actor == 'dependabot[bot]' &&
+ !contains(github.event.pull_request.labels.*.name, 'dependabot-security-update') &&
+ !contains(github.event.pull_request.labels.*.name, 'dependabot-version-update')
 steps:
- # Fetch metadata about the dependencies being updated (names, type, semver update-type, etc.).
- Note: alert-lookup is intentionally omitted — it requires a fine-grained PAT and
- does not work with GITHUB_TOKEN, so ghsa-id is always empty when using the standard token.
- Security vs. version update detection is handled via PR body text instead (see below).
- - name: Fetch Dependabot metadata
- id: metadata
- uses: dependabot/fetch-metadata@v2
- with:
- github-token: "${{ secrets.GITHUB_TOKEN }}"
- # Ensure the custom labels exist before applying them.
- # `gh label create --force` is a no-op when the label already exists,
- so this step is safe to run on every PR and handles the case where
- the labels have not yet been created in the repository.
+ # Skipped when ENSURE_LABELS_EXIST is 'false' (e.g. labels are managed centrally).
- name: Ensure labels exist
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- gh label create "dependabot-security-update" \
- --color "e11d48" \
- --description "Dependabot security update" \
- --repo "${{ github.repository }}" \
- --force
- gh label create "dependabot-version-update" \
- --color "0075ca" \
- --description "Dependabot version update" \
- --repo "${{ github.repository }}" \
- --force
+ if: env.ENSURE_LABELS_EXIST == 'true'
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const labels = ['dependabot-security-update', 'dependabot-version-update'];
+ const existing = await github.rest.issues.listLabelsForRepo({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ per_page: 100
+ });
+ const existingNames = existing.data.map(l => l.name);
+
+ for (const label of labels) {
+ if (!existingNames.includes(label)) {
+ await github.rest.issues.createLabel({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ name: label
+ });
+ core.info(`Created label: ${label}`);
+ }
+ }
+
+ # Dependabot security update PRs are identified by two phrases in their body.
+ Version update PRs never contain either phrase.
+ - name: Detect update type and apply label
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const prBody = context.payload.pull_request.body || '';
+ const isSecurityUpdate = prBody.includes('[Security Alerts page]') ||
+ prBody.includes('You can disable automated security fix PRs');
- # Dependabot security update PRs always contain this phrase in their body.
- Version update PRs never contain this phrase.
- - name: Label as security update
- if: contains(github.event.pull_request.body, 'You can disable automated security fix PRs')
- run: gh pr edit "$PR_URL" --add-label "dependabot-security-update"
- env:
- PR_URL: ${{ github.event.pull_request.html_url }}
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ const label = isSecurityUpdate ?
'dependabot-security-update' : 'dependabot-version-update';
+ core.info(`PR #${context.payload.pull_request.number} is ${isSecurityUpdate ? '' : 'not '}a security update — adding label: ${label}`);
- - name: Label as version update
- if: "!contains(github.event.pull_request.body, 'You can disable automated security fix PRs')"
- run: gh pr edit "$PR_URL" --add-label "dependabot-version-update"
- env:
- PR_URL: ${{ github.event.pull_request.html_url }}
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ await github.rest.issues.addLabels({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.payload.pull_request.number,
+ labels: [label]
+ });
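Review bot: The `Ensure labels exist` step now calls `github.rest.issues.createLabel` while the same hunk drops `issues: write` from `permissions`, so on a repository where the labels do not yet exist the create call will most likely be rejected with a 403, because label management sits under the Issues permission and `pull-requests: write` on its own only covers labeling the PR; either restore `issues: write` or document that the labels must be pre-created and the workflow run with `ENSURE_LABELS_EXIST: 'false'`. The existence check also reads a single page of `listLabelsForRepo` (`per_page: 100`), so a repository with more than 100 labels can miss an existing one and then fail on the 422 from `createLabel`; `const existing = await github.paginate(github.rest.issues.listLabelsForRepo, { owner: context.repo.owner, repo: context.repo.repo, per_page: 100 });` together with `const existingNames = existing.map(l => l.name);` walks every page. Both `actions/github-script@v7` references are pinned to a mutable tag; for a workflow that runs with write permissions on every Dependabot PR, pin the action to a full commit SHA with the version in a trailing comment so a moved or compromised tag cannot change what executes. The body-phrase match is a heuristic on Dependabot-authored text rather than a query of the advisory itself, so the resulting label is a convenience signal and should not be relied on as an authoritative record of which PRs fix a security advisory.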