Configure Dependabot (#518)

* Add dependabot v2 config * Add "Dependabot auto-approve" GHA workflow * Make Dependabot manage api/ and web/ package.json files * Configure Dependabot for Python
usdigitalresponse · Dec 3, 2024 · 3f216e9 · 3f216e9
1 parent b8353d4
commit 3f216e9
Show file tree

Hide file tree

Showing 2 changed files with 83 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,43 @@
+# yaml-language-server: $schema=https://json.schemastore.org/dependabot-2.0.json
+
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: npm
+    versioning-strategy: lockfile-only
+    directories:
+      - /
+      - /api
+      - /web
+    schedule:
+      interval: daily
+      time: "03:00"
+      timezone: America/New_York
+    commit-message:
+      prefix: 'Chore [deps:npm]'
+  - package-ecosystem: pip
+    directory: /python
+    schedule:
+      interval: daily
+      time: "03:00"
+      timezone: America/New_York
+    commit-message:
+      prefix: 'Chore [deps:pip]'
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+      time: "03:00"
+      timezone: America/New_York
+    commit-message:
+      prefix: 'Chore [deps:github-actions]'
+  - package-ecosystem: terraform
+    directory: /terraform
+    schedule:
+      interval: daily
+      time: "03:00"
+      timezone: America/New_York
+    commit-message:
+      prefix: 'Chore [deps:terraform]'
diff --git a/.github/workflows/dependabot-auto-approve.yml b/.github/workflows/dependabot-auto-approve.yml
@@ -0,0 +1,40 @@
+# Automatically approves pull requests if:
+#   1. The PR was opened by Dependabot
+#   2. The dependency's semantic versioning change is either minor or patch (not major)
+name: Dependabot auto-approve
+on: pull_request_target
+
+permissions:
+  pull-requests: write
+  contents: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+      - name: Dependabot metadata
+        id: dependabot-metadata
+        uses: dependabot/fetch-metadata@dbb049abf0d677abbd7f7eee0375145b417fdd34 # v2.2.0
+      - name: Approve a PR if dependency semver changes are minor or patch
+        if: ${{ contains(fromJson('["version-update:semver-patch", "version-update:semver-minor"]'), steps.dependabot-metadata.outputs.update-type) }}
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Enable auto-merge if dependency semver changes are minor or patch
+        if: ${{ contains(fromJson('["version-update:semver-patch", "version-update:semver-minor"]'), steps.dependabot-metadata.outputs.update-type) }}
+        run: |
+          echo "Enabling auto-merge for Dependabot $UPDATE_TYPE"
+          gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          UPDATE_TYPE: ${{ steps.dependabot-metadata.outputs.update-type }}