diff --git a/.github/workflows/combine-dependabot-prs.yml b/.github/workflows/combine-dependabot-prs.yml
new file mode 100644
index 0000000..ba6f531
--- /dev/null
+++ b/.github/workflows/combine-dependabot-prs.yml
@@ -0,0 +1,67 @@
+name: "Combine PRs"
+
+on:
+ workflow_call:
+ inputs:
+ branchPrefix:
+ description: "Branch prefix to find combinable PRs based on"
+ default: "dependabot"
+ type: string
+ mustBeGreen:
+ description: "Only combine PRs that are green (status is success)"
+ default: true
+ type: boolean
+ combineBranchName:
+ description: "Name of the branch to combine PRs into"
+ default: "combine-dependabot-PRs"
+ type: string
+ ignoreLabel:
+ description: "Exclude PRs with this label"
+ default: "nocombine"
+ type: string
+
+ # Allow manual triggering of the workflow for this repo
+ workflow_dispatch:
+ inputs:
+ branchPrefix:
+ description: "Branch prefix to find combinable PRs based on"
+ default: "dependabot"
+ type: string
+ mustBeGreen:
+ description: "Only combine PRs that are green (status is success)"
+ default: true
+ type: boolean
+ combineBranchName:
+ description: "Name of the branch to combine PRs into"
+ default: "combine-dependabot-PRs"
+ type: string
+ ignoreLabel:
+ description: "Exclude PRs with this label"
+ default: "nocombine"
+ type: string
+
+jobs:
+ combine-prs:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+ with:
+ repository: NHSDigital/eps-workflow-dependabot
+ sparse-checkout-cone-mode: false
+ sparse-checkout: |
+ combine-prs.js
+
+ - name: Create Combined PR
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
+ id: create-combined-pr
+ env:
+ branchPrefix: ${{ inputs.branchPrefix }}
+ mustBeGreen: ${{ inputs.mustBeGreen }}
+ combineBranchName: ${{ inputs.combineBranchName }}
+ ignoreLabel: ${{ inputs.ignoreLabel }}
+ with:
+ github-token: ${{secrets.GITHUB_TOKEN}}
+ script: |
+ const combinePRs = require('./combine-prs.js');
+ await combinePRs({ github, context, core });
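Review bot: The `Checkout repository` step fetches `combine-prs.js` from `NHSDigital/eps-workflow-dependabot` without a `ref:`, so the script that `github-script` executes is whatever that repository's default branch holds at run time, even though both actions are SHA-pinned and callers pin this reusable workflow by SHA; pinning the workflow therefore does not pin the code it runs. Adding `ref: "<PINNED_TAG_OR_SHA>"` (placeholder) under that step's `with:` and bumping it together with the workflow version closes the gap. The workflow also declares no `permissions:` block although the script is handed `secrets.GITHUB_TOKEN` and presumably creates branches and pull requests; stating the minimum the job needs (likely `contents: write` and `pull-requests: write`, as the sibling auto-approve workflow in this commit does) documents the contract for callers. Minor: `${{secrets.GITHUB_TOKEN}}` lacks the inner spaces used in every other expression in the file.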
diff --git a/.github/workflows/dependabot-auto-approve-and-merge.yml b/.github/workflows/dependabot-auto-approve-and-merge.yml
new file mode 100644
index 0000000..8c392c0
--- /dev/null
+++ b/.github/workflows/dependabot-auto-approve-and-merge.yml
@@ -0,0 +1,61 @@
+name: Dependabot auto-approve
+
+on:
+ workflow_call:
+ secrets:
+ AUTOMERGE_APP_ID:
+ required: true
+ AUTOMERGE_PEM:
+ required: true
+
+permissions:
+ pull-requests: write
+ contents: write
+
+jobs:
+ dependabot:
+ runs-on: ubuntu-22.04
+ if: ${{ github.actor == 'dependabot[bot]' }}
+ steps:
+ - name: Get token from Github App
+ id: get_app_token
+ uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42
+ with:
+ app-id: ${{ secrets.AUTOMERGE_APP_ID }}
+ private-key: ${{ secrets.AUTOMERGE_PEM }}
+
+ - name: Dependabot metadata
+ id: dependabot-metadata
+ uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Approve patch and minor updates
+ if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch' || steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor'}}
+ run: gh pr review "$PR_URL" --approve -b "I'm **approving** this pull request because **it includes a patch or minor update**"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{ steps.get_app_token.outputs.token }}
+
+ - name: Approve major updates of development dependencies
+ if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major' && steps.dependabot-metadata.outputs.dependency-type == 'direct:development'}}
+ run: gh pr review "$PR_URL" --approve -b "I'm **approving** this pull request because **it includes a major update of a dependency used only in development**"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{ steps.get_app_token.outputs.token }}
+
+ - name: Comment on major updates of non-development dependencies
+ if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major' && steps.dependabot-metadata.outputs.dependency-type == 'direct:production'}}
+ run: |
+ gh pr comment "$PR_URL" --body "I'm **not approving** this 
PR because **it includes a major update of a dependency used in production**"
+ gh pr edit "$PR_URL" --add-label "requires-manual-qa"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{ steps.get_app_token.outputs.token }}
+
+ # enable auto merge on all dependabot prs
+ - name: Enable auto-merge for Dependabot PRs
+ run: gh pr merge --auto --squash "$PR_URL"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{ steps.get_app_token.outputs.token }}
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 8a8d852..158214d 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -10,7 +10,7 @@ env:
 jobs:
 dependabot-auto-approve-and-merge:
 needs: quality_checks
- uses: NHSDigital/eps-workflow-dependabot/.github/workflows/dependabot-auto-approve-and-merge.yml@4b56ed8edd7c5357fd0123a2bd84b3429d3a6b20
+ uses: ./.github/workflows/dependabot-auto-approve-and-merge.yml
 secrets:
 AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
 AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
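Review bot: The final `Enable auto-merge for Dependabot PRs` step has no `if:`, so a major update of a production dependency — which the preceding step deliberately declines to approve and labels `requires-manual-qa` — still has auto-merge armed and will merge as soon as the repository's required checks and reviews pass; the manual gate therefore exists only where branch protection requires an approving review, which this workflow cannot check. Either say so in the existing comment, e.g. `# enable auto merge on all dependabot prs; major production updates are held back only by branch protection requiring a review`, or gate the step with `if: ${{ !(steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major' && steps.dependabot-metadata.outputs.dependency-type == 'direct:production') }}` if arming it unconditionally is not intended. Separately, every mutating `gh` call runs with the App token from `get_app_token` and `secrets.GITHUB_TOKEN` is passed only to `dependabot/fetch-metadata`, so the top-level `contents: write` / `pull-requests: write` grant looks wider than the default token needs; `pull-requests: read` with `contents: read` would likely suffice, to be confirmed against what fetch-metadata requires.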
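Review bot: Switching `uses:` from the SHA-pinned remote reference to `./.github/workflows/dependabot-auto-approve-and-merge.yml` means the callee is taken from the same commit as the caller, i.e. the pull request's merge commit, so a PR that edits the callee exercises its own change with whatever secrets the caller forwards in scope. That is the usual way to dogfood a workflow in the repository that publishes it, but it is a deliberate drop of the pin and deserves a line above the `uses:`, e.g. `# local reference: runs this repo's own copy at the PR's commit (no SHA pin by design)`. The `quality_checks` job and the `env:` block named in the hunk header are outside this hunk.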