Add workflow to rebuild dist/ on Dependabot PRs #118
gorkem wants to merge 1 commit into kitops-ml:main from
Conversation
Dependabot doesn't rebuild the checked-in dist/ after updating dependencies, causing the check-dist CI job to fail. This workflow auto-rebuilds and pushes using a GitHub App token.
Signed-off-by: Gorkem Ercan <gorkem.ercan@gmail.com>
971bd4c to 7f1b883
Pull request overview
Adds automation to keep the checked-in dist/ output in sync on Dependabot PRs so the existing “Check Transpiled JavaScript” CI job doesn’t fail due to stale bundled artifacts.
Changes:
- Introduces a new workflow that runs on Dependabot PRs targeting main.
- Uses a GitHub App token to rebuild dist/ and push the updated artifacts back to the PR branch.
| on: | ||
| pull_request: | ||
| branches: | ||
| - main | ||
|
|
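Review bot: `branches: - main` restricts only the PR's base branch, so this `pull_request` trigger fires for every pull request into main, including ones from forks, and the author filter has to live in the job gate further down. Before moving to `pull_request_target` to reach `secrets.KITOPS_BOT_PRIVATE_KEY`, consider the cheaper fix: register the same private key as a Dependabot secret (repository Settings > Secrets and variables > Dependabot). Workflows triggered by `dependabot[bot]` receive Dependabot secrets, so the token step would resolve while the workflow stays on the unprivileged event with a read-only default token. If `pull_request_target` is used anyway, the job must check out the PR head explicitly, and the `npm run bundle` step, which executes the dependencies Dependabot just changed, must not run with the App token in the environment or persisted in `.git/config`.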
This workflow is triggered on pull_request, but it relies on secrets.KITOPS_BOT_PRIVATE_KEY to mint a GitHub App token. For Dependabot PRs, repository secrets are typically not provided to pull_request-triggered workflows, so the token generation step will fail and the workflow won’t be able to push dist/. Switch the trigger to pull_request_target (still gated to Dependabot) so secrets are available, and ensure the checkout explicitly targets the PR head (e.g., PR head SHA/ref) before building/pushing.
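To make the trade-off concrete, here is an added example of how the job could be laid out if the trigger is moved to `pull_request_target` as the review comment suggests, while keeping the App token away from the build step. This is not the workflow from this PR or from the kitops-ml repository; it is written from the discussion above. Assumed, not taken from the repo: the job and step names, a `KITOPS_BOT_APP_ID` repository variable, the `kitops-bot[bot]` commit identity, Node 20, the `--ignore-scripts` choice, and the pinned action versions. The secret name `KITOPS_BOT_PRIVATE_KEY` and the `npm run bundle` command are the ones mentioned on this page.

```yaml
# Added example, not the kitops-ml workflow under review. Shows a Dependabot-only
# rebuild job on pull_request_target with the App token scoped and minted only
# after the untrusted build has finished. Names marked "assumption" are not
# taken from the repository.
name: Rebuild dist/ on Dependabot PRs

on:
  # pull_request_target runs with the base branch's secrets. That is why it must
  # never check out and execute PR code without a strict gate.
  pull_request_target:
    branches: [main]

permissions:
  contents: read   # default GITHUB_TOKEN stays read-only; the push uses the App token

jobs:
  rebuild-dist:
    name: Rebuild dist/
    # Gate on the PR author, not github.actor, and require a same-repo head branch.
    # Dependabot branches always live in this repository, so fork PRs can never
    # reach the secret-bearing steps regardless of who triggered the run.
    if: >-
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # pull_request_target checks out the base branch by default; be explicit.
          ref: ${{ github.event.pull_request.head.ref }}
          # Leave no credential in .git/config while dependency code runs.
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: 20   # assumption: the repo may pin Node differently
          cache: npm

      # No credentials exist in this job yet. --ignore-scripts stops the
      # just-updated packages' install hooks from running; drop it only if the
      # bundle genuinely depends on them.
      - run: npm ci --ignore-scripts
      - run: npm run bundle

      - id: changed
        run: |
          # git status also sees new untracked files under dist/, unlike git diff.
          if [ -z "$(git status --porcelain -- dist/)" ]; then
            echo "dirty=false" >> "$GITHUB_OUTPUT"
          else
            echo "dirty=true" >> "$GITHUB_OUTPUT"
          fi

      # Mint the token only now, limited to this repository and contents:write,
      # so a compromise during the build above had nothing to exfiltrate.
      - id: app-token
        if: steps.changed.outputs.dirty == 'true'
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.KITOPS_BOT_APP_ID }}   # assumption: App ID stored as a repo variable
          private-key: ${{ secrets.KITOPS_BOT_PRIVATE_KEY }}
          repositories: ${{ github.event.repository.name }}
          permission-contents: write

      - if: steps.changed.outputs.dirty == 'true'
        env:
          TOKEN: ${{ steps.app-token.outputs.token }}
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          git config user.name "kitops-bot[bot]"   # assumption: the App's bot login
          git config user.email "kitops-bot[bot]@users.noreply.github.com"
          git add dist/
          git commit -m "chore: rebuild dist/ after dependency update"
          # The token travels only on the push URL and is never written to the checkout.
          git push "https://x-access-token:${TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "HEAD:${HEAD_REF}"
```

The ordering is the point: the checkout and `npm` steps run with no secret anywhere on the runner, the gate rejects fork heads outright, and the App token is requested only once there is something to push and only with the single permission the push needs. This narrows, but does not remove, the risk amisevsk raises below: a malicious update to a bundler plugin still executes during `npm run bundle`, and an App-authored push still re-triggers CI on a branch whose content came from Dependabot.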
amisevsk left a comment
Copilot's comment is worth following up on, I'm not sure how secret propagation works.
I'm a little concerned about pulling in secrets on PR workflows, as a PR could potentially lead to leaking the token.
| jobs: | ||
| rebuild-dist: | ||
| name: Rebuild dist/ | ||
| if: github.actor == 'dependabot[bot]' |
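Review bot: `github.actor` is the account whose event started the run, not the PR author, so this gate is sound as far as it goes: on a `pull_request` trigger, a human pushing to a Dependabot branch becomes the actor and the job is skipped. What it does not establish is that the head branch lives in this repository. Dependabot branches always do, so add `github.event.pull_request.head.repo.full_name == github.repository` (and `github.event.pull_request.user.login == 'dependabot[bot]'`) so that fork PRs can never reach the secret-bearing steps if the trigger is later switched to `pull_request_target`. A job-level `if` only skips this job; the workflow still runs for every PR into main. The exposure to worry about is therefore not the gate but the steps after it, in particular a build that executes the freshly updated dependencies while the App token is available to the job.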
Are we sure this check is enough to stop this workflow running when a regular user pushes? I would worry about incidentally exposing the secret token.
I am closing this since the secret management is not making this a good solution
What changed
Adds a new GitHub Actions workflow (dependabot-rebuild-dist.yml) that automatically rebuilds the checked-in dist/ directory when Dependabot opens a PR.
Why
Dependabot updates package.json/package-lock.json but doesn't run npm run bundle, so the check-dist CI job always fails on Dependabot PRs. This workflow detects Dependabot PRs, rebuilds dist/, and pushes the result back to the PR branch. Uses the existing KitOps bot GitHub App token so the push triggers subsequent CI workflow runs.
Validation
- check-dist.yml)
- github.actor == 'dependabot[bot]' only — no effect on human PRs