Dependabot auto-merge #959
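name: Dependabot auto-merge

on:
  # pull_request_target (not pull_request) is used so the job runs in the
  # base-repository context, with access to repository secrets. This is
  # acceptable for Dependabot PRs because:
  # 1. The PR author is verified to be dependabot[bot] (job-level `if`, and
  #    again from the API in the "Get PR details" step for check_suite).
  # 2. No code from the PR is checked out or executed; the job only calls
  #    the GitHub API.
  # 3. The only action taken is enabling auto-merge, which still requires
  #    branch protection to pass before anything lands.
  pull_request_target:
    types: [opened, reopened, synchronize]
  pull_request_review:
    types: [submitted]
  check_suite:
    types: [completed]

# Least privilege: GITHUB_TOKEN is only used for the read-only `gh pr view`
# call below. Enabling auto-merge is done with WORKFLOW_PAT, so the default
# token needs no write scopes even though pull_request_target would grant them.
permissions:
  contents: read
  pull-requests: read

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: |
      (github.event_name == 'pull_request_target' && github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.base.ref == 'main') ||
      (github.event_name == 'pull_request_review' && github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.base.ref == 'main') ||
      (github.event_name == 'check_suite' && github.event.check_suite.pull_requests[0] != null && startsWith(github.event.check_suite.head_branch, 'dependabot/'))
    steps:
      - name: Get PR details
        id: pr
        shell: bash
        # Event-context values are handed to the script through `env` instead
        # of being interpolated with ${{ }} into the script text, so they are
        # always plain data to the shell and can never be parsed as syntax.
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          EVENT_NAME: ${{ github.event_name }}
          REPO: ${{ github.repository }}
          CHECK_SUITE_PR_NUMBER: ${{ github.event.check_suite.pull_requests[0].number }}
          EVENT_PR_AUTHOR: ${{ github.event.pull_request.user.login }}
          EVENT_PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
          EVENT_PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          set -euo pipefail
          if [ "$EVENT_NAME" = "check_suite" ]; then
            # check_suite carries no PR author, so the head-branch check in the
            # job-level `if` is not sufficient on its own: resolve the PR via
            # the API and let the next step decide on the real author/base ref.
            PR_NUMBER="$CHECK_SUITE_PR_NUMBER"
            if [ -z "$PR_NUMBER" ] || [ "$PR_NUMBER" = "null" ] || ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
              echo "No valid PR number found in check_suite event (got: $PR_NUMBER)"
              exit 1
            fi
            PR_JSON=$(gh pr view "$PR_NUMBER" --repo "$REPO" --json author,baseRefName)
            AUTHOR=$(echo "$PR_JSON" | jq -r '.author.login')
            BASE_REF=$(echo "$PR_JSON" | jq -r '.baseRefName')
            {
              echo "author=$AUTHOR"
              echo "base_ref=$BASE_REF"
              echo "number=$PR_NUMBER"
            } >> "$GITHUB_OUTPUT"
          else
            # For pull_request_target and pull_request_review, use event data
            # (already constrained to dependabot[bot] / main by the job `if`).
            {
              echo "author=$EVENT_PR_AUTHOR"
              echo "base_ref=$EVENT_PR_BASE_REF"
              echo "number=$EVENT_PR_NUMBER"
            } >> "$GITHUB_OUTPUT"
          fi

      - name: Enable auto-merge for Dependabot PRs
        # Gate on the step output rather than the event payload: for
        # check_suite this is API data, so a non-Dependabot PR on a
        # `dependabot/*` branch is rejected here.
        if: steps.pr.outputs.author == 'dependabot[bot]' && steps.pr.outputs.base_ref == 'main'
        shell: bash
        env:
          # NOTE(review): a PAT is used here instead of GITHUB_TOKEN — presumably
          # so the resulting merge still triggers downstream workflows; confirm.
          GH_TOKEN: ${{ secrets.WORKFLOW_PAT }}
          PR_NUMBER: ${{ steps.pr.outputs.number }}
          REPO: ${{ github.repository }}
        run: |
          set -o pipefail
          # Capture gh's output so a failure can be classified below.
          if ! gh pr merge --auto --merge "$PR_NUMBER" --repo "$REPO" 2>&1 | tee /tmp/gh-output.txt; then
            # These messages mean auto-merge is already on, or branch protection
            # requirements are not yet satisfied; both are expected, not errors.
            if grep -qE "auto-merge is already enabled|[Rr]equired.*status.*check|[Rr]equired approving review|[Rr]equired.*review" /tmp/gh-output.txt; then
              echo "Auto-merge not enabled yet - this is expected when requirements are not met or already enabled"
              exit 0
            else
              echo "Unexpected error enabling auto-merge:"
              cat /tmp/gh-output.txt
              exit 1
            fi
          fi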