name: Dependabot Pull Request Approve and Merge on: pull_request_target permissions: contents: read jobs: dependabot: permissions: pull-requests: write contents: write runs-on: ubuntu-latest # Checking the actor will prevent your Action run failing on non-Dependabot # PRs but also ensures that it only does work for Dependabot PRs. if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]' steps: - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: egress-policy: audit - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 id: app-token env: APP_ID: ${{ secrets.APP_ID }} with: app-id: ${{ env.APP_ID }} private-key: ${{ secrets.PRIVATE_KEY }} # This first step will fail if there's no metadata and so the approval # will not occur. - name: Dependabot metadata id: dependabot-metadata uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0 with: github-token: "${{ steps.app-token.outputs.token }}" # Here the PR gets approved. - name: Approve a PR run: gh pr review --approve "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}" # Finally, this sets the PR to allow auto-merging for patch and minor # updates if all checks pass - name: Enable auto-merge for Dependabot PRs if: ${{ steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch' }} run: gh pr merge --auto --squash "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"