Overview
With the cli/cli lint process failing when third-party license information is not updated (#11047), Dependabot PRs now require maintainers to run `make licenses` manually.
Recently, @williammartin opened #11269 with the `script/fix-dependabot-licenses.sh` script, which maintainers can run to find all Dependabot PRs whose lint workflow failed and attempt to fix them. That script is a manual repair effort; however, it is possible to use a GitHub Actions workflow to run `make licenses` for Dependabot PRs:
```yaml
name: Dependabot fetch metadata
on: pull_request

permissions:
  pull-requests: write
  issues: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
        # The following properties are now available:
        # - steps.metadata.outputs.dependency-names
        # - steps.metadata.outputs.dependency-type
        # - steps.metadata.outputs.update-type
```
This issue is aimed at implementing GitHub Actions workflow changes that will automatically update third-party license source code and third-party-*.md reports, eliminating the need for maintainers to manually repair Dependabot PRs.
Note
To download the `script/fix-dependabot-licenses.sh` script, run the following command:

```shell
curl -o fix-dependabot-licenses.sh https://raw.githubusercontent.com/cli/cli/26d70bfb7bcc0b41dbdd50bfc51f827f1a5ad4c4/script/fix-dependabot-licenses.sh
```

Or check out the original PR:

```shell
gh pr checkout https://github.com/cli/cli/pull/11269
```

Expected outcomes
- When Dependabot PRs are opened, automation attempts to regenerate and commit updated license information via `make licenses`
- When Dependabot PRs are updated, status checks pass without maintainer action beyond reviewing the PR
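One shape the proposed automation could take, as an added example that is not the issue's or the cli/cli repository's own workflow. It assumes `make licenses` needs a Go toolchain and that only the regenerated files need committing; the `dependabot[bot]` login and `make licenses` target come from the issue, everything else is an assumption.

```yaml
# Added example, not from cli/cli: regenerate third-party license files on
# Dependabot PRs and push the result back to the PR branch.
name: Dependabot licenses
on: pull_request   # not pull_request_target: the PR's code runs with the PR's own, limited context

permissions:
  contents: read   # default for every job; only the job below is widened

jobs:
  licenses:
    runs-on: ubuntu-latest
    # Only Dependabot PRs whose head branch lives in this repository, never fork PRs
    if: >-
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.event.pull_request.head.repo.full_name == github.repository
    permissions:
      # Dependabot-triggered runs get a read-only GITHUB_TOKEN by default;
      # job-level permissions widen it just enough to push the regenerated files
      contents: write
    steps:
      - uses: actions/checkout@v4   # pin to a commit SHA, as the issue does for fetch-metadata
        with:
          ref: ${{ github.head_ref }}   # the PR branch, so the commit lands on the PR
          persist-credentials: true     # GITHUB_TOKEN is used for the push below

      - uses: actions/setup-go@v5      # assumption: make licenses needs Go
        with:
          go-version-file: go.mod

      - name: Regenerate third-party license information
        run: make licenses

      - name: Commit and push if anything changed
        run: |
          # git status covers new files too, unlike git diff --quiet
          if [ -z "$(git status --porcelain)" ]; then
            echo "license files already up to date"
            exit 0
          fi
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add -A
          git commit -m "Update third-party license information"
          git push
```

Two caveats apply to this design: a push made with GITHUB_TOKEN does not start new workflow runs, so the lint check will not re-run on the pushed commit unless a separate token or app installation is used, and any secrets the job reads on a Dependabot-triggered run must be configured as Dependabot secrets.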