
Commit cd1f4e0

ci: auto-merge minor and patch GitHub Actions Dependabot updates
Enable auto-merge only for github_actions minor/patch bumps; majors and other ecosystems still need a human. The default GITHUB_TOKEN lacks the workflows scope and is refused on PRs that touch .github/workflows, so use the dunglas-release app token scoped to contents/pull-requests/workflows, run from an unprotected dependabot environment. zizmor ignores the required pull_request_target trigger for this guarded workflow.
1 parent b9a30e7 commit cd1f4e0

2 files changed

Lines changed: 42 additions & 0 deletions


.github/workflows/dependabot.yaml

Lines changed: 37 additions & 0 deletions
@@ -0,0 +1,37 @@
1+
name: Dependabot Auto-Merge
2+
on:
3+
pull_request_target:
4+
branches:
5+
- main
6+
permissions: {}
7+
jobs:
8+
auto-merge:
9+
runs-on: ubuntu-latest
10+
environment: dependabot
11+
if: github.event.pull_request.user.login == 'dependabot[bot]'
12+
steps:
13+
# The default GITHUB_TOKEN lacks the `workflows` scope and is refused on
14+
# PRs that touch .github/workflows; use the release app token instead.
15+
- uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
16+
id: app-token
17+
with:
18+
app-id: ${{ vars.RELEASE_APP_ID }}
19+
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
20+
permission-contents: write
21+
permission-pull-requests: write
22+
permission-workflows: write
23+
- name: Fetch Dependabot metadata
24+
id: metadata
25+
uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
26+
with:
27+
github-token: ${{ steps.app-token.outputs.token }}
28+
# Only minor and patch GitHub Actions bumps auto-merge; majors and other
29+
# ecosystems wait for a human review.
30+
- name: Auto-merge minor and patch GitHub Actions updates
31+
if: steps.metadata.outputs.package-ecosystem == 'github_actions' && steps.metadata.outputs.update-type != 'version-update:semver-major'
32+
env:
33+
GH_TOKEN: ${{ steps.app-token.outputs.token }}
34+
PR_URL: ${{ github.event.pull_request.html_url }}
35+
run: |
36+
gh pr review --approve "${PR_URL}"
37+
gh pr merge --auto --squash "${PR_URL}"
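Review bot: the step condition on the auto-merge step is written as a deny-list (`steps.metadata.outputs.update-type != 'version-update:semver-major'`), so a Dependabot PR whose `update-type` output is empty or carries any value other than minor/patch would also be approved and merged, which is wider than the "only minor and patch" intent stated in the comment above it. Tighten it to an explicit allow-list while keeping the ecosystem check, e.g. `steps.metadata.outputs.package-ecosystem == 'github_actions' && contains(fromJSON('["version-update:semver-minor","version-update:semver-patch"]'), steps.metadata.outputs.update-type)`. Separately, the `pull_request_target` comment block only explains the token choice; it should also state the invariant that keeps this trigger safe, namely that no step may check out or execute anything from the PR head, since the job mints an app token with `contents`, `pull-requests` and `workflows` write and the author-login `if:` is the sole guard. The current steps respect that, but the constraint is the first thing a future edit is likely to break.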

zizmor.yaml

Lines changed: 5 additions & 0 deletions
@@ -1,5 +1,10 @@
11
---
22
rules:
3+
# Dependabot auto-merge requires pull_request_target to obtain repo-write
4+
# permissions; the job is guarded by an `if:` check on the PR author.
5+
dangerous-triggers:
6+
ignore:
7+
- dependabot.yaml
38
secrets-outside-env:
49
config:
510
allow:
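Review bot: the `ignore: - dependabot.yaml` entry under `dangerous-triggers` silences every finding of that rule for the whole file, not only the `pull_request_target` trigger the comment justifies, so a later edit adding another risky trigger to the same workflow would pass zizmor unnoticed. zizmor's ignore patterns accept a `file:line` (and `file:line:col`) form; pinning the entry to the line of the `pull_request_target:` key keeps the exemption as narrow as the comment claims. It would also help to extend the comment with the condition that makes the exemption acceptable, namely that the job never checks out or runs PR-controlled code, so reviewers of either file know what invariant the ignore depends on.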
