|
1 | 1 | # https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#approve-a-pull-request |
| 2 | +# https://nicolasiensen.github.io/2022-07-23-automating-dependency-updates-with-dependabot-github-auto-merge-and-github-actions/ |
2 | 3 |
|
3 | 4 | name: auto_merge |
4 | | -on: # pull_request, push, workflow_dispatch |
| 5 | + |
| 6 | +on: # pull_request, pull_request_target, push, workflow_dispatch |
5 | 7 | pull_request: |
| 8 | + pull_request_target: |
6 | 9 | workflow_dispatch: |
7 | 10 | push: |
8 | 11 | release: |
9 | 12 | types: [published] |
10 | 13 |
|
11 | 14 | permissions: |
12 | 15 | pull-requests: write |
| 16 | + contents: write |
13 | 17 |
|
14 | 18 | jobs: |
15 | | - dependabot: |
| 19 | + review-dependabot-pr: |
16 | 20 | runs-on: ubuntu-latest |
17 | | - if: ${{ github.actor == 'dependabot[bot]' }} |
| 21 | + if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} |
18 | 22 | steps: |
19 | 23 | - name: Dependabot metadata |
20 | | - id: metadata |
21 | | - uses: dependabot/fetch-metadata@v1.1.1 |
22 | | - with: |
23 | | - github-token: "${{ secrets.GITHUB_TOKEN }}" |
24 | | - - name: Approve a PR |
25 | | - run: gh pr review --approve "$PR_URL" |
| 24 | + id: dependabot-metadata |
| 25 | + uses: dependabot/fetch-metadata@v1.3.1 |
| 26 | + - name: Enable auto-merge for Dependabot PRs |
| 27 | + run: gh pr merge --auto --merge "$PR_URL" |
26 | 28 | env: |
27 | | - PR_URL: ${{ github.event.pull_request.html_url }} |
28 | | - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
29 | | - - name: Merge a PR |
30 | | - run: gh pr merge "$PR_URL" --auto --squash |
| 29 | + PR_URL: ${{github.event.pull_request.html_url}} |
| 30 | + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} |
| 31 | + - name: Approve patch and minor updates |
| 32 | + if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch' || steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor'}} |
| 33 | + run: gh pr review $PR_URL --approve -b "I'm **approving** this pull request because **it includes a patch or minor update**" |
31 | 34 | env: |
32 | | - PR_URL: ${{ github.event.pull_request.html_url }} |
33 | | - auto-rebase: |
34 | | - name: rebase dependabot PRs |
35 | | - runs-on: ubuntu-latest |
36 | | - if: github.ref == 'refs/heads/main' || github.event == 'release' |
37 | | - timeout-minutes: 5 |
38 | | - steps: |
39 | | - - name: rebase |
40 | | - uses: "bbeesley/gha-auto-dependabot-rebase@main" |
| 35 | + PR_URL: ${{github.event.pull_request.html_url}} |
| 36 | + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} |
| 37 | + - name: Approve major updates of development dependencies |
| 38 | + if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major' && steps.dependabot-metadata.outputs.dependency-type == 'direct:development'}} |
| 39 | + run: gh pr review $PR_URL --approve -b "I'm **approving** this pull request because **it includes a major update of a dependency used only in development**" |
| 40 | + env: |
| 41 | + PR_URL: ${{github.event.pull_request.html_url}} |
| 42 | + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} |
| 43 | + - name: Comment on major updates of non-development dependencies |
| 44 | + if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major' && steps.dependabot-metadata.outputs.dependency-type == 'direct:production'}} |
| 45 | + run: | |
| 46 | + gh pr comment $PR_URL --body "I'm **not approving** this PR because **it includes a major update of a dependency used in production**" |
| 47 | + gh pr edit $PR_URL --add-label "requires-manual-qa" |
41 | 48 | env: |
42 | | - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 49 | + PR_URL: ${{github.event.pull_request.html_url}} |
| 50 | + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} |
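Review bot: The `Enable auto-merge for Dependabot PRs` step has no `if:` on the update type, so `gh pr merge --auto --merge` is also queued for major production updates, the same PRs the last step labels `requires-manual-qa`. Whether those PRs actually wait then depends entirely on branch protection requiring an approval, which nothing on this page shows. I would gate the step the same way the approvals are gated, e.g. `if: ${{steps.dependabot-metadata.outputs.update-type != 'version-update:semver-major' || steps.dependabot-metadata.outputs.dependency-type == 'direct:development'}}`. Separately, `pull-requests: write` and `contents: write` sit at workflow level and so apply to every trigger, including the new `pull_request_target`; moving `permissions:` under `review-dependabot-pr` and dropping the `pull_request:` trigger, which now appears to start a second run of the same job per PR, keeps the write token scoped to the one job that needs it. The new `gh pr review`, `gh pr comment` and `gh pr edit` lines should quote `"$PR_URL"` as the merge step does, and because the job runs with a write token, `dependabot/fetch-metadata@v1.3.1` is better pinned to a full commit SHA than to a movable tag.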