From 1b0e7da8c041148fb8c46165bbe9509530276a22 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20H=C3=B6ltje?= Date: Sat, 20 Jul 2024 15:51:36 -0400 Subject: [PATCH] enable auto-merge for dependabot & docwhat --- .github/CODEOWNERS | 5 ++ .github/workflows/auto-merge-dependabot.yaml | 56 ++++++++++++++++++++ .github/workflows/auto-merge-docwhat.yaml | 33 ++++++++++++ 3 files changed, 94 insertions(+) create mode 100644 .github/CODEOWNERS create mode 100644 .github/workflows/auto-merge-dependabot.yaml create mode 100644 .github/workflows/auto-merge-docwhat.yaml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..8352539 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,5 @@ +/.github/ @docwhat + +* @docwhat + +# EOF diff --git a/.github/workflows/auto-merge-dependabot.yaml b/.github/workflows/auto-merge-dependabot.yaml new file mode 100644 index 0000000..5bd2e97 --- /dev/null +++ b/.github/workflows/auto-merge-dependabot.yaml @@ -0,0 +1,56 @@ +name: Automatically Update Dependencies + +# `pull_request_target` grants access to secrets and runs in the scope of the *destination* branch. +# Specifically we listen for the labelled event. +on: + pull_request_target: + types: + # Dependabot will label the PR + - labeled + # Dependabot has rebased the PR + - synchronize + +permissions: + contents: read + +jobs: + enable-dependabot-automerge: + name: Enable auto-merge for Dependabot PRs + runs-on: ubuntu-latest + permissions: + # enable-automerge is a graphql query, not REST, so isn't documented, + # except in a mention in + # https://github.blog/changelog/2021-02-04-pull-request-auto-merge-is-now-generally-available/ + # which says "can only be enabled by users with permissino to merge"; the + # REST documentation says you need contents: write to perform a merge. + # https://github.community/t/what-permission-does-a-github-action-need-to-call-graphql-enablepullrequestautomerge/197708 + # says this is it + contents: write + # Specifically check the creator of the pull-request, not the actor. + if: github.event.pull_request.user.login == 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'dependencies') + + steps: + - name: Enable GitHub Auto-Merge + # Reference by commit SHA as it is an immutable reference to a + # known, "trusted" version of this 3rd party code. + uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" + + approve-dependabot: + needs: enable-dependabot-automerge + runs-on: ubuntu-latest + permissions: + # https://github.com/hmarr/auto-approve-action/issues/183 says + # auto-approve-action requires write on pull-requests + pull-requests: write + # Specifically check the creator of the pull-request, not the actor. + if: github.event.pull_request.user.login == 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'dependencies') + steps: + - name: Approve dependabot PRs + # Reference by commit SHA as it is an immutable reference to a + # known, "trusted" version of this 3rd party code. + uses: hmarr/auto-approve-action@8f929096a962e83ccdfa8afcf855f39f12d4dac7 + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" +# EOF diff --git a/.github/workflows/auto-merge-docwhat.yaml b/.github/workflows/auto-merge-docwhat.yaml new file mode 100644 index 0000000..e9251f0 --- /dev/null +++ b/.github/workflows/auto-merge-docwhat.yaml @@ -0,0 +1,33 @@ +name: Auto-Merge for docwhat + +# `pull_request_target` grants access to secrets and runs in the scope of the *destination* branch. +# Specifically we listen for the labelled event. +on: + pull_request_target: + types: + - labeled + +permissions: + contents: read + +jobs: + enable-auto-merge-for-docwhat: + name: Enable Auto-Merge for docwhat + runs-on: ubuntu-latest + permissions: + # enable-automerge is a graphql query, not REST, so isn't documented, + # except in a mention in + # https://github.blog/changelog/2021-02-04-pull-request-auto-merge-is-now-generally-available/ + # which says "can only be enabled by users with permissino to merge"; the + # REST documentation says you need contents: write to perform a merge. + # https://github.community/t/what-permission-does-a-github-action-need-to-call-graphql-enablepullrequestautomerge/197708 + # says this is it + contents: write + # Specifically check that dependabot (or another trusted party) created this pull-request, and that it has been labelled correctly. + if: github.event.pull_request.user.login == 'docwhat' + steps: + - name: Enable GitHub Auto-Merge + uses: alexwilson/enable-github-automerge-action@56e3117d1ae1540309dc8f7a9f2825bc3c5f06ff + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" +# EOF