diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 123014908..97dfb906f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,3 +4,7 @@ updates:
 directory: "/"
 schedule:
 interval: "daily"
+ - package-ecosystem: "cargo"
+ directory: "/"
+ schedule:
+ interval: "daily"
\ No newline at end of file
diff --git a/.github/workflows/custom_dependabot.yml b/.github/workflows/custom_dependabot.yml
deleted file mode 100644
index b820bd060..000000000
--- a/.github/workflows/custom_dependabot.yml
+++ /dev/null
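Review bot: The new cargo entry carries no `registries:` reference, while the workflow deleted in the same commit states that standard Dependabot could not authenticate to the Azure DevOps-hosted cargo feed; if `.cargo/config.toml` still routes any crate through that private registry, the cargo update job will presumably fail at dependency resolution rather than open PRs. If the private feed has been removed, a short comment above the entry, `# cargo deps resolve from public crates.io only; private-registry auth was why custom_dependabot.yml existed`, records why the custom workflow could be dropped; if it has not, a top-level `registries:` block with the feed credentials, referenced from this entry, is needed before the job can work. The file also ends without a trailing newline (`\ No newline at end of file`), which a linter will flag. The `updates:` sequence this entry extends begins above the hunk.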
@@ -1,88 +0,0 @@ -name: CustomDependabot - -# We cannot use the standard dependabot workflows to scan our rust components because -# only password or token auth are supported and since we tokens to authenticate to our -# Azure Devops hosted cargo feeds can only have a maximum lifetime of 7 days that is -# not feasible. - -# In order for the dependabot scripts at https://github.com/dependabot/dependabot-script -# We need to perform the following actions: -# - Update the cargo version in the image (see note below) to the current version -# to get support for private registry auth -# - Copy .cargo/config.toml from our repository into the $HOME/.cargo in the image -# because some build steps in our build.rs scripts need the registry indexes in the global config -# - Authenticate to our cargo feeds, read the token from $HOME/.cargo/credentials.toml, and pass -# that into the container image via CARGO_REGISTRIES__TOKEN env vars - -# Note: The dependabot-script repo uses an old version of the dependabot core image and -# has not been updated in a while -# (see https://github.com/dependabot/dependabot-script?tab=readme-ov-file#warning---scripts-are-currently-broken) -# and so we may be stuck on an old version of dependabot until this gets addressed. 
- -on: - workflow_dispatch: - schedule: - - cron: '0 0 * * 1' # Runs at 01:00 UTC every Monday - -permissions: - contents: read - id-token: write - -jobs: - dependabot: - permissions: - contents: write # for Git to git push - id-token: write - pull-requests: write # for repo-sync/pull-request to create pull requests - runs-on: [self-hosted, Linux, X64, "1ES.Pool=hld-kvm-amd"] - steps: - - - name: Checkout repo - uses: actions/checkout@v4 - - - uses: hyperlight-dev/ci-setup-workflow@v1.0.0 - with: - rust-toolchain: "1.81.0" - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Build Debug - run: cargo build --verbose - - - name: install toml-cli - run: cargo install toml-cli - - - name: Checkout dependabot - run: | - cd /tmp/ - git clone https://github.com/dependabot/dependabot-script - - - name: Build image - run: | - pushd /tmp/dependabot-script - docker build -t "dependabot/dependabot-script" -f Dockerfile . - popd - # the dependabot-script image has a very old version of the rust toolchain and we need to update it - pushd ./hack - docker build -t "dependabot/dependabot-script-patched" -f rust-dependabot-patch.Dockerfile . - - - name: Run dependabot - env: - # Select your package manager - PACKAGE_MANAGER: cargo - # Options can turn on extra features (not required) - OPTIONS: | - { } - GITHUB_ACCESS_TOKEN: ${{ github.token }} - run: | - HYPERLIGHT_CARGO_TOKEN=$(toml get $HOME/.cargo/credentials.toml registries.hyperlight_packages.token | tr -d '"' ) - docker run -v $PWD:/src \ - -v $PWD/.cargo/config.toml:/home/dependabot/.cargo/config.toml \ - -e PROJECT_PATH=$GITHUB_REPOSITORY \ - -e PACKAGE_MANAGER=$PACKAGE_MANAGER \ - -e CARGO_REGISTRIES_HYPERLIGHT_PACKAGES_TOKEN="$HYPERLIGHT_CARGO_TOKEN" \ - -e DIRECTORY=/src \ - -e GITHUB_ACCESS_TOKEN=$GITHUB_ACCESS_TOKEN \ - -e OPTIONS="$OPTIONS" \ - dependabot/dependabot-script-patched -