Revert "fix: make CI workflows run after pushing excemptions for cargo-vet (#652)"

This reverts commit bbd7e7bb72, reversing changes made to db9d0b642b.
2026-02-27 14:03:11 -08:00 · 2025-05-30 13:15:37 +02:00
parent 64ff326e14
commit dd105a4491
9 changed files with 26 additions and 178 deletions
--- a/.github/workflows/supply-chain.yml
+++ b/.github/workflows/supply-chain.yml
@@ -3,10 +3,6 @@ on:
  pull_request:
  push:
    branches: [main]
-  workflow_run:
-    workflows: [Regenerate cargo-vet exemptions for dependabot-PRs]
-    types:
-      - completed

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,16 +10,12 @@ concurrency:

 jobs:
  cargo-deny:
-    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
-    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Deny dependencies with vulnerabilities or incompatible licenses
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: EmbarkStudios/cargo-deny-action@v2
  cargo-supply-chain:
-    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
-    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Supply Chain Report
    runs-on: ubuntu-latest
    steps:
@@ -52,10 +44,10 @@ jobs:
        run: cargo supply-chain crates
    # The setup for cargo-vet follows the recommendations in the cargo-vet documentation: https://mozilla.github.io/cargo-vet/configuring-ci.html
  cargo-vet:
-    # Only run this for dependabot PRs if it's triggered by the workflow to regenerate cargo-vet exemptions
-    if: ${{ github.actor != 'dependabot[bot]' || github.event_name == 'workflow_run' }}
    name: Vet Dependencies
    runs-on: ubuntu-latest
+    permissions:
+      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
@@ -77,5 +69,23 @@ jobs:
        run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
      - name: Ensure that the tool cache is populated with the cargo-vet binary
        run: cargo install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet
+      - name: Regenerate vet exemptions for dependabot PRs
+        if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
+        run: cargo vet regenerate exemptions
+      - name: Check for changes in case of dependabot PR
+        if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
+        run: git diff --exit-code || echo "Changes detected, committing..."
+      - name: Commit and push changes for dependabot PRs
+        if: success() && github.actor == 'dependabot[bot]'
+        run: |
+          git fetch origin ${{ github.head_ref }}
+          git switch ${{ github.head_ref }}
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions@github.com"
+          git add supply-chain/*
+          git commit -m "Regenerate cargo vet exemptions"
+          git push origin ${{ github.head_ref }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Invoke cargo-vet
        run: cargo vet --locked