add readme, labels

Author: jakecoffman

.github/workflows/example.yml

@@ -10,9 +10,6 @@ jobs:
       contents: read
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
       - name: Download CLI
         env:
           # To use GitHub CLI in a GitHub Actions workflow, set the GH_TOKEN environment variable.

.gitignore

@@ -0,0 +1 @@
+result.jsonl

README.md

@@ -0,0 +1,23 @@
+# Example CLI Usage
+
+This repo serves as an example of how to use Dependabot CLI for updates. It is intended as a starting point for advanced users to run a self-hosted version of Dependabot within their own projects.
+
+If you're looking for a hassle-free Dependabot experience, check out the hosted [Dependabot Service](https://docs.github.com/en/github/administering-a-repository/about-dependabot-version-updates).
+
+This repo uses an Action which downloads and runs Dependabot CLI. To run the Action you would go to [the Action in the Actions tab](https://github.com/dependabot/example-cli-usage/actions/workflows/example.yml), and run it.
+
+To see what the results look like, go check out the Pull Requests.
+
+## Implementation details
+
+The Action is defined at [.github/workflows/example.yml](.github/workflows/example.yml).
+
+It contains two jobs, the first downloads and runs Dependabot CLI. The input for the Dependabot CLI job is [.github/dependabot/go.yml](.github/dependabot/go.yml). See the [Dependabot CLI repo](https://github.com/dependabot/cli) for more info on inputs such as credentials and groupings. 
+
+The results are redirected to a file and uploaded as artifacts.
+
+The second job downloads the artifact and creates PRs from it using the script [create.sh](create.sh).
+
+The reason there are two jobs is Dependabot CLI should only run with read-only tokens as some ecosystem may execute arbitrary code. To achieve that in Actions we must use two jobs with `permissions` defined differently.
+
+Also take a look at the [Dependabot Smoke Tests repo](https://github.com/dependabot/smoke-tests/tree/main/tests) for example inputs and expected outputs.

create.sh

@@ -26,7 +26,7 @@ jq -c 'select(.type == "create_pull_request")' "$INPUT" | while read -r event; d
   PR_TITLE=$(echo "$event" | jq -r '.data."pr-title"')
   PR_BODY=$(echo "$event" | jq -r '.data."pr-body"')
   COMMIT_MSG=$(echo "$event" | jq -r '.data."commit-message"')
-  BRANCH_NAME="dependabot/$(echo "$PR_TITLE" | tr ' /' '__' | tr -cd '[:alnum:]_-')"
+  BRANCH_NAME="dependabot-$(echo -n "$COMMIT_MSG" | sha1sum | awk '{print $1}')"
 
   echo "Processing PR: $PR_TITLE"
   echo "  Base SHA: $BASE_SHA"
@@ -55,7 +55,7 @@ jq -c 'select(.type == "create_pull_request")' "$INPUT" | while read -r event; d
   git push origin "$BRANCH_NAME"
 
   # Create PR using gh CLI
-  gh pr create --title "$PR_TITLE" --body "$PR_BODY" --base main --head "$BRANCH_NAME" || true
+  gh pr create --title "$PR_TITLE" --body "$PR_BODY" --base main --head "$BRANCH_NAME" --label dependencies || true
 
   # Return to main branch for next PR
   git checkout main