Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 22 additions & 14 deletions .github/workflows/dependabot-auto-merge.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,12 @@ on:

permissions: 'read-all'

env:
# Lockfiles that have no `directory:` entry in `.github/dependabot.yml`
# because upstream packages keep raising their minimum Python. Dependabot
# security updates ignore that allowlist, so a bump can still show up here.
FROZEN_LOCKFILES: '["/lockfiles/py39", "/lockfiles/py310"]'

jobs:
auto-merge:
runs-on: 'ubuntu-latest'
Expand All @@ -17,27 +23,29 @@ jobs:
- uses: 'dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98' # v3.1.0
id: 'meta'

# Block bumps against the py39 lockfile. Python 3.9 has been
# dropped by most upstream packages over 2025/2026, and
# Dependabot does not honour `Requires-Python` when proposing
# versions. Dependabot security updates also ignore the
# `directory:` allowlist in `.github/dependabot.yml`, so the
# freeze has to be enforced here. The py39 lockfile is
# maintained manually via `pip-compile` on a Python 3.9 host.
- if: "startsWith(steps.meta.outputs.directory, '/lockfiles/py39')"
# A bump against a frozen lockfile is left open for a human. Dependabot
# does not honour `Requires-Python`, so it may propose a version that
# drops the interpreter the lockfile exists for (py39 -> RHEL 8, RHEL 9,
# Debian 11; py310 -> Ubuntu 22.04). It may equally propose a security
# fix that still supports it. Only a human can tell the two apart, so
# the PR is neither merged nor closed. Regenerate the lockfile with
# `pip-compile` on a matching Python host once the bump is accepted.
- if: >-
contains(fromJSON(env.FROZEN_LOCKFILES), steps.meta.outputs.directory)
&& github.event.action == 'opened'
run: |
gh pr close "$PR_URL" \
--comment 'Auto-closed: `lockfiles/py39` is frozen because Python 3.9 is dropped by most upstream packages. Lockfile is maintained manually via pip-compile when an actual fix lands that still supports 3.9.' \
--delete-branch
gh pr comment "$PR_URL" --body "Not auto-merged: \`${DIRECTORY}\` is frozen because Dependabot does not honour \`Requires-Python\`. Check whether \`${DEPENDENCY}\` still supports that lockfile's interpreter. If it does, regenerate the lockfile with \`pip-compile\` on a matching Python host. Either way, close this PR afterwards."
env:
PR_URL: '${{ github.event.pull_request.html_url }}'
DEPENDENCY: '${{ steps.meta.outputs.dependency-names }}'
DIRECTORY: '${{ steps.meta.outputs.directory }}'
GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
PR_URL: '${{ github.event.pull_request.html_url }}'

- if: >-
!startsWith(steps.meta.outputs.directory, '/lockfiles/py39')
!contains(fromJSON(env.FROZEN_LOCKFILES), steps.meta.outputs.directory)
&& (steps.meta.outputs.update-type == 'version-update:semver-patch'
|| steps.meta.outputs.update-type == 'version-update:semver-minor')
run: 'gh pr merge --auto --squash "$PR_URL"'
env:
PR_URL: '${{ github.event.pull_request.html_url }}'
GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
PR_URL: '${{ github.event.pull_request.html_url }}'
3 changes: 2 additions & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ Monitoring Plugins:

Build, CI/CD:

* Bump pinned `linuxfabrik-lib` to 5.1.0
* Bump pinned `linuxfabrik-lib` to 6.0.0

Monitoring Plugins:

Expand Down Expand Up @@ -76,6 +76,7 @@ Monitoring Plugins:
Build, CI/CD:

* installer: the source install no longer makes the monitoring user own the plugins, the bundled library and the dependency venv; they stay owned by root, closing a local root code-execution path (the monitoring user could otherwise edit a plugin or library that runs as root via sudo)
* requirements: the py39 lockfile (RHEL 8, RHEL 9, Debian 11) bundles a `soupsieve` that is not vulnerable to two denial-of-service issues in its CSS selector parser

Monitoring Plugins:

Expand Down
12 changes: 6 additions & 6 deletions lockfiles/py310/requirements.txt
Original file line number Diff line number Diff line change
Expand Up @@ -347,9 +347,9 @@ keystoneauth1==5.14.0 \
# via
# python-keystoneclient
# python-novaclient
linuxfabrik-lib==5.1.0 \
--hash=sha256:163f97ba1fd33edcbcc4493d4c1dc4abbd36c6bf847bd111cfee0ab3bce6c9f5 \
--hash=sha256:1f675c9564b5cea0696b1b7a80b502853852507b867c4db579fe97e9054b2296
linuxfabrik-lib==6.0.0 \
--hash=sha256:11fc6fa367e79f2bf5a4dad19989fdebf7fc241438474b88de0037d525ac168e \
--hash=sha256:33fa394bce2a2fb40ff6ac01e411d913adccbacc2e7913c7fe808380613cf56f
# via -r requirements.in
lxml==6.1.1 \
--hash=sha256:05a82eb6e1530a64f26225b55cbd178113bd0b5af1c2b625f25e5296742c26d2 \
Expand Down Expand Up @@ -918,7 +918,7 @@ xmltodict==1.0.4 \
# pywinrm

# The following packages are considered to be unsafe in a requirements file:
setuptools==82.0.1 \
--hash=sha256:7d872682c5d01cfde07da7bccc7b65469d3dca203318515ada1de5eda35efbf9 \
--hash=sha256:a59e362652f08dcd477c78bb6e7bd9d80a7995bc73ce773050228a348ce2e5bb
setuptools==83.0.0 \
--hash=sha256:025bccbbf0fa05b6192bc64ae1e7b16e001fd6d6d4d5de03c97b1c1ade523bef \
--hash=sha256:29b23c360f22f414dc7336bb39178cc7bcbf6021ed2733cde173f09dba19abb3
# via pbr
6 changes: 3 additions & 3 deletions lockfiles/py311/requirements.txt
Original file line number Diff line number Diff line change
Expand Up @@ -320,9 +320,9 @@ keystoneauth1==5.15.0 \
# via
# python-keystoneclient
# python-novaclient
linuxfabrik-lib==5.1.0 \
--hash=sha256:163f97ba1fd33edcbcc4493d4c1dc4abbd36c6bf847bd111cfee0ab3bce6c9f5 \
--hash=sha256:1f675c9564b5cea0696b1b7a80b502853852507b867c4db579fe97e9054b2296
linuxfabrik-lib==6.0.0 \
--hash=sha256:11fc6fa367e79f2bf5a4dad19989fdebf7fc241438474b88de0037d525ac168e \
--hash=sha256:33fa394bce2a2fb40ff6ac01e411d913adccbacc2e7913c7fe808380613cf56f
# via -r requirements.in
lxml==6.1.1 \
--hash=sha256:05a82eb6e1530a64f26225b55cbd178113bd0b5af1c2b625f25e5296742c26d2 \
Expand Down
12 changes: 6 additions & 6 deletions lockfiles/py312/requirements.txt
Original file line number Diff line number Diff line change
Expand Up @@ -320,9 +320,9 @@ keystoneauth1==5.15.0 \
# via
# python-keystoneclient
# python-novaclient
linuxfabrik-lib==5.1.0 \
--hash=sha256:163f97ba1fd33edcbcc4493d4c1dc4abbd36c6bf847bd111cfee0ab3bce6c9f5 \
--hash=sha256:1f675c9564b5cea0696b1b7a80b502853852507b867c4db579fe97e9054b2296
linuxfabrik-lib==6.0.0 \
--hash=sha256:11fc6fa367e79f2bf5a4dad19989fdebf7fc241438474b88de0037d525ac168e \
--hash=sha256:33fa394bce2a2fb40ff6ac01e411d913adccbacc2e7913c7fe808380613cf56f
# via -r requirements.in
lxml==6.1.1 \
--hash=sha256:05a82eb6e1530a64f26225b55cbd178113bd0b5af1c2b625f25e5296742c26d2 \
Expand Down Expand Up @@ -889,7 +889,7 @@ xmltodict==1.0.4 \
# pywinrm

# The following packages are considered to be unsafe in a requirements file:
setuptools==82.0.1 \
--hash=sha256:7d872682c5d01cfde07da7bccc7b65469d3dca203318515ada1de5eda35efbf9 \
--hash=sha256:a59e362652f08dcd477c78bb6e7bd9d80a7995bc73ce773050228a348ce2e5bb
setuptools==83.0.0 \
--hash=sha256:025bccbbf0fa05b6192bc64ae1e7b16e001fd6d6d4d5de03c97b1c1ade523bef \
--hash=sha256:29b23c360f22f414dc7336bb39178cc7bcbf6021ed2733cde173f09dba19abb3
# via pbr
6 changes: 3 additions & 3 deletions lockfiles/py313-windows/requirements.txt
Original file line number Diff line number Diff line change
Expand Up @@ -299,9 +299,9 @@ idna==3.18 \
# anyio
# httpx
# requests
linuxfabrik-lib==5.1.0 \
--hash=sha256:163f97ba1fd33edcbcc4493d4c1dc4abbd36c6bf847bd111cfee0ab3bce6c9f5 \
--hash=sha256:1f675c9564b5cea0696b1b7a80b502853852507b867c4db579fe97e9054b2296
linuxfabrik-lib==6.0.0 \
--hash=sha256:11fc6fa367e79f2bf5a4dad19989fdebf7fc241438474b88de0037d525ac168e \
--hash=sha256:33fa394bce2a2fb40ff6ac01e411d913adccbacc2e7913c7fe808380613cf56f
# via -r requirements-py313-windows.in
lxml==6.1.1 \
--hash=sha256:05a82eb6e1530a64f26225b55cbd178113bd0b5af1c2b625f25e5296742c26d2 \
Expand Down
6 changes: 3 additions & 3 deletions lockfiles/py313/requirements.txt
Original file line number Diff line number Diff line change
Expand Up @@ -322,9 +322,9 @@ keystoneauth1==5.14.0 \
# via
# python-keystoneclient
# python-novaclient
linuxfabrik-lib==5.1.0 \
--hash=sha256:163f97ba1fd33edcbcc4493d4c1dc4abbd36c6bf847bd111cfee0ab3bce6c9f5 \
--hash=sha256:1f675c9564b5cea0696b1b7a80b502853852507b867c4db579fe97e9054b2296
linuxfabrik-lib==6.0.0 \
--hash=sha256:11fc6fa367e79f2bf5a4dad19989fdebf7fc241438474b88de0037d525ac168e \
--hash=sha256:33fa394bce2a2fb40ff6ac01e411d913adccbacc2e7913c7fe808380613cf56f
# via -r requirements.in
lxml==6.1.1 \
--hash=sha256:05a82eb6e1530a64f26225b55cbd178113bd0b5af1c2b625f25e5296742c26d2 \
Expand Down
6 changes: 3 additions & 3 deletions lockfiles/py314/requirements.txt
Original file line number Diff line number Diff line change
Expand Up @@ -322,9 +322,9 @@ keystoneauth1==5.15.0 \
# via
# python-keystoneclient
# python-novaclient
linuxfabrik-lib==5.1.0 \
--hash=sha256:163f97ba1fd33edcbcc4493d4c1dc4abbd36c6bf847bd111cfee0ab3bce6c9f5 \
--hash=sha256:1f675c9564b5cea0696b1b7a80b502853852507b867c4db579fe97e9054b2296
linuxfabrik-lib==6.0.0 \
--hash=sha256:11fc6fa367e79f2bf5a4dad19989fdebf7fc241438474b88de0037d525ac168e \
--hash=sha256:33fa394bce2a2fb40ff6ac01e411d913adccbacc2e7913c7fe808380613cf56f
# via -r requirements.in
lxml==6.1.1 \
--hash=sha256:05a82eb6e1530a64f26225b55cbd178113bd0b5af1c2b625f25e5296742c26d2 \
Expand Down
12 changes: 6 additions & 6 deletions lockfiles/py39/requirements.txt
Original file line number Diff line number Diff line change
Expand Up @@ -346,9 +346,9 @@ keystoneauth1==5.11.1 \
# via
# python-keystoneclient
# python-novaclient
linuxfabrik-lib==5.1.0 \
--hash=sha256:163f97ba1fd33edcbcc4493d4c1dc4abbd36c6bf847bd111cfee0ab3bce6c9f5 \
--hash=sha256:1f675c9564b5cea0696b1b7a80b502853852507b867c4db579fe97e9054b2296
linuxfabrik-lib==6.0.0 \
--hash=sha256:11fc6fa367e79f2bf5a4dad19989fdebf7fc241438474b88de0037d525ac168e \
--hash=sha256:33fa394bce2a2fb40ff6ac01e411d913adccbacc2e7913c7fe808380613cf56f
# via -r requirements.in
lxml==6.1.0 \
--hash=sha256:00750d63ef0031a05331b9223463b1c7c02b9004cef2346a5b2877f0f9494dd2 \
Expand Down Expand Up @@ -777,9 +777,9 @@ smbprotocol==1.16.1 \
# via
# -r requirements.in
# linuxfabrik-lib
soupsieve==2.8.3 \
--hash=sha256:3267f1eeea4251fb42728b6dfb746edc9acaffc4a45b27e19450b676586e8349 \
--hash=sha256:ed64f2ba4eebeab06cc4962affce381647455978ffc1e36bb79a545b91f45a95
soupsieve==2.8.4 \
--hash=sha256:e121fd02e975c695e4e9e8774a5ee35d74714b59307868dcc5319ad2d9e3328e \
--hash=sha256:e7e6b0769c8f51ed59acab6e994b00621096cfb1c640a7509295987388fbaf65
# via beautifulsoup4
stevedore==5.5.0 \
--hash=sha256:18363d4d268181e8e8452e71a38cd77630f345b2ef6b4a8d5614dac5ee0d18cf \
Expand Down