feat: add dependabot auto merge (#1473)

* feat: add dependabot auto merge & grouping

Adds grouping for Dependabot PRs, meaning we no longer need to manually group PRs that fail tests due to incompatible groups.

Adds auto-merge of Dependabot PRs when they pass all tests.

* roll back dependabot label changes

* use secrets.GITHUB_TOKEN for automated PRs from Dependabot

* Automerge Dependabot PRS, use REPLICATED_GH_PAT for secret

* amend and simplify auto-dependabot job

* simplify PR jobs

* remove CODEOWNER ownership for go.mod

* Update .github/workflows/automated-prs-manager.yaml

Co-authored-by: Salah Al Saleh <sg.alsaleh@gmail.com>

---------

Co-authored-by: Salah Al Saleh <sg.alsaleh@gmail.com>

.github/CODEOWNERS

@@ -14,4 +14,8 @@
 ## RULES 
 
 * @replicatedhq/troubleshoot
-*.md @replicatedhq/cre
+*.md @replicatedhq/cre
+go.mod
+go.sum
+/examples/sdk/helm-template/go.mod
+/examples/sdk/helm-template/go.sum

.github/workflows/automated-prs-manager.yaml

@@ -0,0 +1,96 @@
+name: Automated PRs Manager
+
+on:
+  schedule:
+  - cron: "0 */6 * * *" # every 6 hours
+  workflow_dispatch: {}
+
+jobs:
+  list-prs:
+    runs-on: ubuntu-latest
+    outputs:
+      prs: ${{ steps.list-prs.outputs.prs }}
+    env:
+      GH_TOKEN: ${{ secrets.REPLICATED_GH_PAT }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: List PRs
+        id: list-prs
+        run: |
+          set -euo pipefail
+
+          # list prs that are less than 24h old and exclude prs from forks
+
+          prs=$(
+            gh pr list \
+              --author 'dependabot[bot]' \
+              --json url,createdAt,headRefName,headRepository,headRepositoryOwner \
+              -q '.[] | select((.createdAt | fromdateiso8601 > now - 24*60*60) and .headRepositoryOwner.login == "replicatedhq" and .headRepository.name == "troubleshoot")'
+          )
+
+          echo "prs=$prs" >> "$GITHUB_OUTPUT"
+
+  process-prs:
+    needs: list-prs
+    runs-on: ubuntu-latest
+    if: needs.list-prs.outputs.prs != '[]'
+    strategy:
+      matrix:
+        pr: ${{ fromJson(needs.list-prs.outputs.prs) }}
+      fail-fast: false
+      max-parallel: 1
+    env:
+      GH_TOKEN: ${{ secrets.REPLICATED_GH_PAT }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ matrix.pr.headRefName }}
+
+      - name: Process PR
+        run: |
+          set -euo pipefail
+
+          echo "Ensuring required labels..."
+          gh pr edit "${{ matrix.pr.url }}" --add-label "type::security"
+
+          echo "Checking status of tests..."
+          run_id=$(gh run list --branch "${{ matrix.pr.headRefName }}" --workflow build-test --limit 1 --json databaseId -q '.[0].databaseId')
+
+          # If there are still pending jobs, skip.
+
+          num_of_pending_jobs=$(gh run view "$run_id" --json jobs -q '.jobs[] | select(.conclusion == "") | .name' | wc -l)
+          if [ "$num_of_pending_jobs" -gt 0 ]; then
+            echo "There are still pending jobs. Skipping."
+            exit 0
+          fi
+
+          # If all checks passed, approve and merge.
+          if gh run view "$run_id" --json jobs -q '.jobs[] | select(.name == "validate-success") | .conclusion' | grep -q "success"; then
+            if gh pr checks "${{ matrix.pr.url }}" ; then
+              echo "All tests passed. Approving and merging."
+              echo -e "LGTM :thumbsup: \n\nThis PR was automatically approved and merged by the [automated-prs-manager](https://github.com/replicatedhq/troubleshoot/blob/main/.github/workflows/automated-prs-manager.yaml) GitHub action" > body.txt
+              gh pr review --approve "${{ matrix.pr.url }}" --body-file body.txt
+              gh pr merge --auto --squash "${{ matrix.pr.url }}"
+              sleep 10
+              exit 0
+            else
+              echo "Some checks did not pass. Skipping."
+              exit 0
+            fi
+          fi
+
+          # If more than half of the jobs are successful, re-run the failed jobs.
+
+          num_of_jobs=$(gh run view "$run_id" --json jobs -q '.jobs[].name ' | wc -l)
+          num_of_successful_jobs=$(gh run view "$run_id" --json jobs -q '.jobs[] | select (.conclusion == "success")) |.name ' | wc -l)
+
+          if [ "$num_of_successful_jobs" -gt $((num_of_jobs / 2)) ]; then
+            echo "More than half of the jobs are successful. Re-running failed jobs."
+            gh run rerun "$run_id" --failed
+            exit 0
+          fi
+
+          echo "Less than half of the jobs are successful. Skipping."

.github/workflows/build-test-deploy.yaml

@@ -348,3 +348,40 @@ jobs:
         uses: rajatjindal/krew-release-bot@v0.0.46
         with:
           krew_template_file: deploy/krew/support-bundle.yaml
+
+
+# summary jobs, these jobs will only run if all the other jobs have succeeded
+  validate-pr-tests:
+    runs-on: ubuntu-latest
+    needs:
+      - test
+      - test-integration
+      - run-examples
+      - compile-collect
+      - validate-preflight
+      - validate-preflight-e2e
+      - validate-supportbundle
+      - validate-supportbundle-e2e
+      - validate-supportbundle-e2e-go-test
+      - ensure-schemas-are-generated
+    steps:
+      - run: echo "All PR tests passed"
+
+
+  # this job will validate that the validation did not fail and that all pr-tests succeed
+  # it is used for the github branch protection rule
+  validate-success:
+    runs-on: ubuntu-latest
+    needs:
+      - validate-pr-tests
+    if: always()
+    steps:
+      # https://docs.github.com/en/actions/learn-github-actions/contexts#needs-context
+      # if the validate-pr-tests job was not successful, this job will fail
+      - name: fail if validate-pr-tests job was not successful
+        if: needs.validate-pr-tests.result != 'success'
+        run: exit 1
+      # if the validate-pr-tests job was successful, this job will succeed
+      - name: succeed if validate-pr-tests job succeeded
+        if: needs.validate-pr-tests.result == 'success'
+        run: echo "Validation succeeded"