fix: make CI workflows run after pushing excemptions for cargo-vet

This commits changes the CI for dependabot PRs such that initially, only the exemptions for cargo vet are regenerated and pushed to the PR. Only after that, all other workflows are triggered. This ensures that the CI result for dependabot PRs is properly presented on github.
2026-02-27 14:03:11 -08:00 · 2025-05-14 16:51:54 +02:00
parent db9d0b642b
commit 3d724f04d4
9 changed files with 178 additions and 26 deletions
--- a/.github/workflows/supply-chain.yml
+++ b/.github/workflows/supply-chain.yml
@@ -3,6 +3,10 @@ on:
  pull_request:
  push:
    branches: [main]
+  workflow_run:
+    workflows: [Regenerate cargo-vet exemptions for dependabot-PRs]
+    types:
+      - completed

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -10,12 +14,16 @@ concurrency:

 jobs:
  cargo-deny:
+    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
+    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Deny dependencies with vulnerabilities or incompatible licenses
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: EmbarkStudios/cargo-deny-action@v2
  cargo-supply-chain:
+    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
+    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Supply Chain Report
    runs-on: ubuntu-latest
    steps:
@@ -44,10 +52,10 @@ jobs:
        run: cargo supply-chain crates
    # The setup for cargo-vet follows the recommendations in the cargo-vet documentation: https://mozilla.github.io/cargo-vet/configuring-ci.html
  cargo-vet:
+    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
+    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Vet Dependencies
    runs-on: ubuntu-latest
-    permissions:
-      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
@@ -69,23 +77,5 @@ jobs:
        run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
      - name: Ensure that the tool cache is populated with the cargo-vet binary
        run: cargo install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet
-      - name: Regenerate vet exemptions for dependabot PRs
-        if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
-        run: cargo vet regenerate exemptions
-      - name: Check for changes in case of dependabot PR
-        if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
-        run: git diff --exit-code || echo "Changes detected, committing..."
-      - name: Commit and push changes for dependabot PRs
-        if: success() && github.actor == 'dependabot[bot]'
-        run: |
-          git fetch origin ${{ github.head_ref }}
-          git switch ${{ github.head_ref }}
-          git config --global user.name "github-actions[bot]"
-          git config --global user.email "github-actions@github.com"
-          git add supply-chain/*
-          git commit -m "Regenerate cargo vet exemptions"
-          git push origin ${{ github.head_ref }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Invoke cargo-vet
        run: cargo vet --locked