From edc9bcb97ba9fa0506160485282f935a52a73382 Mon Sep 17 00:00:00 2001
From: Pierre Brisorgueil
Date: Tue, 17 Feb 2026 16:45:45 +0100
Subject: [PATCH] chore: modernize Dependabot auto-merge workflow

Replace third-party ahmadnassri action + WAOS PAT with official approach:
- Use dependabot/fetch-metadata@v2 to detect update type
- Auto-approve and enable auto-merge for patch/minor updates only
- Use GITHUB_TOKEN instead of WAOS PAT (auto-merge enabled on repo)
- Gate on github.actor == 'dependabot[bot]' to avoid running on all PRs
- Remove unused issues: write permission
---
 .github/workflows/dependabot.yml | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
index 8db3f61a1..457500971 100644
--- a/.github/workflows/dependabot.yml
+++ b/.github/workflows/dependabot.yml
@@ -8,9 +8,24 @@ permissions:
 jobs:
   auto-merge:
     runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
     steps:
-      - uses: actions/checkout@v4
-      - uses: ahmadnassri/action-dependabot-auto-merge@v2
-        with:
-          target: minor
-          github-token: ${{ secrets.WAOS }}
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+      - name: Approve patch and minor updates
+        if: |
+          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
+          steps.metadata.outputs.update-type == 'version-update:semver-minor'
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Enable auto-merge for patch and minor updates
+        if: |
+          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
+          steps.metadata.outputs.update-type == 'version-update:semver-minor'
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
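Review bot: `uses: dependabot/fetch-metadata@v2` is pinned to a mutable major tag, while the approve and merge steps below require the job's GITHUB_TOKEN to carry pull-requests and contents write scope, so whatever that tag resolves to on a given run executes with a write-capable token; pin it to a full commit SHA with the version as a trailing comment, `uses: dependabot/fetch-metadata@<full-commit-sha> # v2`, and let the repository's github-actions Dependabot config keep the pin current. The `github.actor` gate follows the documented pattern, but the `on:` trigger that decides whether this runs as `pull_request` or `pull_request_target`, and most of the `permissions:` block, sit above the hunk; removing `actions/checkout` means no PR-supplied code runs in either mode, which is worth a one-line comment on the job so a later edit does not reintroduce a checkout under a write token. The two-line `if:` condition and the `env:` block are repeated verbatim across both steps; since they share the same gate, a single step with `run: |` running `gh pr review --approve "$PR_URL"` then `gh pr merge --auto --squash "$PR_URL"` removes the duplication. The bot approval also counts toward any required-review rule on the base branch, so a comment such as `# Approval here satisfies required reviews for patch/minor bumps; majors still need a human` records that trust decision where the next maintainer will see it.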