From 3af9e50880e895e1e01fa505d0eff540f2ebb408 Mon Sep 17 00:00:00 2001
From: Tim Carr
Date: Mon, 20 Apr 2026 10:43:13 +0800
Subject: [PATCH 1/3] Run Dependabot on Composer Packages

---
 .github/dependabot.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 410f5b7bc..ec04f41cf 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,8 +1,15 @@
-# Configures Dependabot to update packages used in GitHub Actions
+# Configures Dependabot to update packages used in GitHub Actions and Composer
 # https://docs.github.com/en/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/keeping-your-actions-up-to-date-with-dependabot
 version: 2
 updates:
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
- interval: "weekly"
\ No newline at end of file
+ interval: "weekly"
+
+ - package-ecosystem: "composer"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ allow:
+ - dependency-type: "production"
\ No newline at end of file
From 64e134485e5348e0746ce51bc86acdd359f6d30c Mon Sep 17 00:00:00 2001
From: Tim Carr
Date: Mon, 20 Apr 2026 10:56:00 +0800
Subject: [PATCH 2/3] Set `versioning-strategy` so `composer.json` is updated

This ensures the Kit WordPress Libraries version number is specific and updated - for example, 2.1.5 is the current and 2.1.6 is published. Dependabot will then submit a PR to update composer.json to 2.1.6.
---
 .github/dependabot.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ec04f41cf..335760f0a 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,4 +12,5 @@ updates:
 schedule:
 interval: "daily"
 allow:
- - dependency-type: "production"
\ No newline at end of file
+ - dependency-type: "production"
+ versioning-strategy: "increase"
\ No newline at end of file
From fcc612548c2e712e7c1189d204ea7916e39d6df5 Mon Sep 17 00:00:00 2001
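Review bot: `allow: - dependency-type: "production"` limits the Composer version-update PRs to packages in `require`, so anything in `require-dev` (test and lint tooling, if the project has any) is never bumped by this config; if that is intended, the comment above the entry should say so, e.g. `# Only runtime (require) packages; require-dev tooling is updated manually.` Whether Dependabot's security updates also honour `allow` for this ecosystem is worth confirming against the current docs before relying on it for dev tooling. The file also still ends without a trailing newline, in both this hunk and the `versioning-strategy` hunk that follows, which yamllint's `new-line-at-end-of-file` rule flags.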
From: Tim Carr
Date: Mon, 20 Apr 2026 10:56:20 +0800
Subject: [PATCH 3/3] Run GitHub Action Tests if Dependabot changes composer.json

---
 .github/workflows/coding-standards.yml | 40 ++++++++++++++--
 .github/workflows/tests-backward-compat.yml | 38 +++++++++++++--
 .github/workflows/tests.yml | 53 +++++++++++++++++----
 3 files changed, 113 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml
index 7e25bfa73..362045e72 100644
--- a/.github/workflows/coding-standards.yml
+++ b/.github/workflows/coding-standards.yml
@@ -11,6 +11,29 @@ on:
 - main

 jobs:
+ dependabot-metadata:
+ # Name.
+ name: Dependabot Metadata
+
+ # Virtual Environment to use.
+ # @see: https://github.com/actions/virtual-environments
+ runs-on: ubuntu-latest
+
+ # Don't run if the PR is not from Dependabot.
+ if: github.actor == 'dependabot[bot]'
+
+ # Outputs.
+ outputs:
+ package-ecosystem: ${{ steps.metadata.outputs.package-ecosystem }}
+
+ # Steps to fetch Dependabot metadata.
+ steps:
+ - name: Fetch Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v2
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+
 tests:
 # Name.
 name: Coding Standards / WordPress ${{ matrix.wp-versions }} / PHP ${{ matrix.php-versions }}
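Review bot: `uses: dependabot/fetch-metadata@v2` pins the action to a mutable major tag while handing it `secrets.GITHUB_TOKEN`; a full-commit-SHA pin with a version comment, `uses: dependabot/fetch-metadata@<full-commit-sha>  # v2.x` (SHA to be filled in from the action's release), is the safer form, and the `github-actions` Dependabot entry in this repo will keep such a pin current. The job declares no `permissions:` block, so it inherits the workflow default; scoping it to what the action's README lists as its minimum (read access to contents and pull requests) would keep the token's blast radius small if the default is broader. The same `dependabot-metadata` job is pasted verbatim into tests-backward-compat.yml and tests.yml below, so any later change (pin, permissions, outputs) has to be made three times; a short comment naming the other two copies, or a reusable workflow, would reduce drift.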
@@ -18,11 +41,18 @@ jobs:
 # Virtual Environment to use.
 # @see: https://github.com/actions/virtual-environments
 runs-on: ubuntu-latest
-
- # Don't run if the PR is from Dependabot, as it doesn't have access to the repository's secrets.
- # Dependabot also only checks for GitHub action dependencies, so it's not necessary to run
- # Plugin tests.
- if: github.actor != 'dependabot[bot]'
+
+ # Requieres the dependabot-metadata job to have run successfully.
+ needs: [dependabot-metadata]
+
+ # Always allow non-Dependabot PRs and pushes.
+ # For Dependabot PRs, only run when the update is for composer (skip github-actions updates).
+ if: |
+ always() &&
+ (
+ github.actor != 'dependabot[bot]' ||
+ needs.dependabot-metadata.outputs.package-ecosystem == 'composer'
+ )

 # Environment Variables.
 # Accessible by using ${{ env.NAME }}
diff --git a/.github/workflows/tests-backward-compat.yml b/.github/workflows/tests-backward-compat.yml
index 99b7e593a..ba9e2a9af 100644
--- a/.github/workflows/tests-backward-compat.yml
+++ b/.github/workflows/tests-backward-compat.yml
@@ -11,6 +11,29 @@ on:
 - main

 jobs:
+ dependabot-metadata:
+ # Name.
+ name: Dependabot Metadata
+
+ # Virtual Environment to use.
+ # @see: https://github.com/actions/virtual-environments
+ runs-on: ubuntu-latest
+
+ # Don't run if the PR is not from Dependabot.
+ if: github.actor == 'dependabot[bot]'
+
+ # Outputs.
+ outputs:
+ package-ecosystem: ${{ steps.metadata.outputs.package-ecosystem }}
+
+ # Steps to fetch Dependabot metadata.
+ steps:
+ - name: Fetch Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v2
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+
 tests:
 # Name.
 name: ${{ matrix.test-groups }} / WordPress ${{ matrix.wp-versions }} / PHP ${{ matrix.php-versions }}
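Review bot: The removed comment said the `tests` job was skipped for Dependabot because those PRs cannot read the repository's secrets, and the new `if:` lets Composer-update PRs run it without addressing that: a `pull_request` run triggered by Dependabot gets a read-only `GITHUB_TOKEN` and only the secrets defined in the Dependabot secret store, so any step of this job (its body continues outside the hunk) that relies on a repository secret needs that value mirrored as a Dependabot secret, or the job will fail on exactly the PRs this change is meant to test. `always()` also makes the job run after the workflow is cancelled; since the only reason for it here is that `dependabot-metadata` is skipped on non-Dependabot runs, `!cancelled() &&` on the first line of the condition is the form GitHub documents for that case. The added comment has a typo and is inaccurate for non-Dependabot runs, where the metadata job is skipped rather than successful: `# Requires the dependabot-metadata job (skipped for non-Dependabot runs; see the if: below).` The same three points apply to the `tests` hunks in tests-backward-compat.yml and tests.yml below.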
@@ -19,10 +42,17 @@ jobs:
 # @see: https://github.com/actions/virtual-environments
 runs-on: ubuntu-latest

- # Don't run if the PR is from Dependabot, as it doesn't have access to the repository's secrets.
- # Dependabot also only checks for GitHub action dependencies, so it's not necessary to run
- # Plugin tests.
- if: github.actor != 'dependabot[bot]'
+ # Requieres the dependabot-metadata job to have run successfully.
+ needs: [dependabot-metadata]
+
+ # Always allow non-Dependabot PRs and pushes.
+ # For Dependabot PRs, only run when the update is for composer (skip github-actions updates).
+ if: |
+ always() &&
+ (
+ github.actor != 'dependabot[bot]' ||
+ needs.dependabot-metadata.outputs.package-ecosystem == 'composer'
+ )

 # Environment Variables.
 # Accessible by using ${{ env.NAME }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 1cac107e7..86aa579eb 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -11,6 +11,29 @@ on:
 - main

 jobs:
+ dependabot-metadata:
+ # Name.
+ name: Dependabot Metadata
+
+ # Virtual Environment to use.
+ # @see: https://github.com/actions/virtual-environments
+ runs-on: ubuntu-latest
+
+ # Don't run if the PR is not from Dependabot.
+ if: github.actor == 'dependabot[bot]'
+
+ # Outputs.
+ outputs:
+ package-ecosystem: ${{ steps.metadata.outputs.package-ecosystem }}
+
+ # Steps to fetch Dependabot metadata.
+ steps:
+ - name: Fetch Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v2
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+
 tests:
 # Name.
 name: ${{ matrix.test-groups }} / WordPress ${{ matrix.wp-versions }} / PHP ${{ matrix.php-versions }}
@@ -19,10 +42,17 @@ jobs:
 # @see: https://github.com/actions/virtual-environments
 runs-on: ubuntu-latest

- # Don't run if the PR is from Dependabot, as it doesn't have access to the repository's secrets.
- # Dependabot also only checks for GitHub action dependencies, so it's not necessary to run
- # Plugin tests.
- if: github.actor != 'dependabot[bot]'
+ # Requieres the dependabot-metadata job to have run successfully.
+ needs: [dependabot-metadata]
+
+ # Always allow non-Dependabot PRs and pushes.
+ # For Dependabot PRs, only run when the update is for composer (skip github-actions updates).
+ if: |
+ always() &&
+ (
+ github.actor != 'dependabot[bot]' ||
+ needs.dependabot-metadata.outputs.package-ecosystem == 'composer'
+ )

 # Environment Variables.
 # Accessible by using ${{ env.NAME }}
@@ -396,11 +426,16 @@ jobs:
 build-and-deploy:
 name: WordPress Playground

- # Require the tests workflow to have run successfully.
- needs: tests
-
- # Only run on pull requests, not when merging to main branch
- if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
+ # Require the dependabot-metadata and tests workflows to have run successfully.
+ needs: [dependabot-metadata, tests]
+ if: |
+ always() &&
+ github.event_name == 'pull_request' &&
+ needs.tests.result == 'success' &&
+ (
+ github.actor != 'dependabot[bot]' ||
+ needs.dependabot-metadata.outputs.package-ecosystem == 'composer'
+ )

 # Virtual Environment to use.
 # @see: https://github.com/actions/virtual-environments
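Review bot: `build-and-deploy` now runs on Dependabot Composer PRs, which the removed condition deliberately excluded; on a Dependabot-triggered `pull_request` run the `GITHUB_TOKEN` is read-only and repository secrets are unavailable, so if this job pushes a build, comments on the PR, or needs a deployment credential it will fail on those PRs (the job's steps are outside the hunk, so this is inferred from the name). If a Playground build is not needed to validate a dependency bump, keeping `github.actor != 'dependabot[bot]' &&` as a plain term of the new condition is the simpler and safer choice; if it is needed, the steps should be checked for write operations first. The new comment calls these workflows, but they are jobs in this workflow: `# Require the dependabot-metadata and tests jobs to have run (dependabot-metadata is skipped for non-Dependabot runs).` The `always()` versus `!cancelled()` point raised on the coding-standards `tests` hunk applies to this `if:` as well.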