diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..1edeb60 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,14 @@ +version: 2 + +updates: + - package-ecosystem: npm + directory: "/" + schedule: + interval: daily + # Only fontdue-js. Without this allow-list Dependabot would also start + # opening PRs for React Router, React and every other dependency in the tree. + allow: + - dependency-name: fontdue-js + # Bump the pin in place (3.0.5 -> 3.0.6) rather than widening it to a range. + versioning-strategy: increase + open-pull-requests-limit: 1 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..5706605 --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,46 @@ +name: build + +on: + pull_request: + push: + branches: [main] + +jobs: + build: + runs-on: ubuntu-latest + permissions: + contents: read + env: + # Public staging backend; nothing secret here. + VITE_FONTDUE_URL: https://example.fontdue.xyz + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 22 + cache: npm + - run: npm ci + - run: npm run build + + # Dependabot opens fontdue-js bumps (see .github/dependabot.yml). `needs: build` + # is what makes merging them unattended safe -- without it this would merge a + # release that doesn't compile against this framework. + automerge: + needs: build + if: github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + steps: + - uses: dependabot/fetch-metadata@v2 + id: meta + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + + # Major bumps land in a human's inbox: those are the ones that break templates. + - if: steps.meta.outputs.update-type != 'version-update:semver-major' + run: gh pr merge --squash --delete-branch "$PR_URL" + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}