|
| 1 | +# Automatically merge a Dependabot PR. |
| 2 | +# Should ONLY be used when the default branch is protected with CI check requirements. |
| 3 | +# |
| 4 | +# Users must opt into merging upgrades by ecosystem and semver gap, e.g. "minor upgrades to github actions" or "patch upgrades to npm". |
| 5 | +# Accepting major upgrades implies accepting minor and patch. Accepting minor implies patch. |
| 6 | +# |
| 7 | +# This should be called on: |
| 8 | +# - pull_request.{opened,reopened,synchronize}: ideally filtered to lockfile paths (e.g. go.sum, yarn.lock) |
| 9 | + |
| 10 | +# IDEA: maybe filter by package name? Could be workflow inputs, or we clone the repo's default branch and look for a `.github/automerge-allowlist.txt` or something. |
| 11 | + |
| 12 | +on: |
| 13 | + workflow_call: |
| 14 | + inputs: |
| 15 | + all: |
| 16 | + required: false |
| 17 | + type: string |
| 18 | + default: none |
| 19 | + description: | |
| 20 | + Upgrades to automatically merge. Valid values are: all, none, major, minor, patch. |
| 21 | +
|
| 22 | + # Prefer alphabetical, but "all" is special. |
| 23 | + actions: |
| 24 | + required: false |
| 25 | + type: string |
| 26 | + default: none |
| 27 | + description: | |
| 28 | + GitHub Actions upgrades to automatically merge. Valid values are: all, none, major, minor, patch. |
| 29 | + npm: |
| 30 | + required: false |
| 31 | + type: string |
| 32 | + default: none |
| 33 | + description: | |
| 34 | + NPM upgrades to automatically merge. Valid values are: all, none, major, minor, patch. |
| 35 | +
|
| 36 | +permissions: {} |
| 37 | + |
| 38 | +jobs: |
| 39 | + automerge: |
| 40 | + runs-on: ubuntu-latest |
| 41 | + if: github.actor == 'dependabot[bot]' |
| 42 | + permissions: |
| 43 | + contents: write |
| 44 | + pull-requests: write |
| 45 | + steps: |
| 46 | + - name: Validate inputs |
| 47 | + run: | |
| 48 | + echo "all=${{ inputs.all }}" |
| 49 | + if [[ ! "${{ inputs.all }}" =~ ^(all|none|major|minor|patch)$ ]]; then |
| 50 | + echo "Invalid input: all=${{ inputs.all }}" |
| 51 | + exit 1 |
| 52 | + fi |
| 53 | +
|
| 54 | + echo "actions=${{ inputs.actions }}" |
| 55 | + if [[ ! "${{ inputs.actions }}" =~ ^(all|none|major|minor|patch)$ ]]; then |
| 56 | + echo "Invalid input: actions=${{ inputs.actions }}" |
| 57 | + exit 1 |
| 58 | + fi |
| 59 | +
|
| 60 | + echo "npm=${{ inputs.npm }}" |
| 61 | + if [[ ! "${{ inputs.npm }}" =~ ^(all|none|major|minor|patch)$ ]]; then |
| 62 | + echo "Invalid input: npm=${{ inputs.npm }}" |
| 63 | + exit 1 |
| 64 | + fi |
| 65 | +
|
| 66 | + - name: Retrieve Dependabot metadata |
| 67 | + id: metadata |
| 68 | + uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0 |
| 69 | + with: |
| 70 | + github-token: ${{ secrets.GITHUB_TOKEN }} |
| 71 | + |
| 72 | + - name: Merge GitHub Actions update |
| 73 | + if: | |
| 74 | + steps.metadata.outputs.package-ecosystem == 'github_actions' && |
| 75 | + ( |
| 76 | + (inputs.all == 'all' || inputs.actions == 'all') || |
| 77 | + ( |
| 78 | + steps.metadata.outputs.update-type == 'version-update:semver-major' && |
| 79 | + (inputs.all == 'major' || inputs.actions == 'major') |
| 80 | + ) || |
| 81 | + ( |
| 82 | + steps.metadata.outputs.update-type == 'version-update:semver-minor' && |
| 83 | + ( |
| 84 | + (inputs.all == 'major' || inputs.actions == 'major') || |
| 85 | + (inputs.all == 'minor' || inputs.actions == 'minor') |
| 86 | + ) |
| 87 | + ) || |
| 88 | + ( |
| 89 | + steps.metadata.outputs.update-type == 'version-update:semver-patch' && |
| 90 | + (inputs.all != 'none' || inputs.actions != 'none') |
| 91 | + ) |
| 92 | + ) |
| 93 | + env: |
| 94 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 95 | + MERGE_ALL: ${{ inputs.all }} |
| 96 | + MERGE_ECOSYSTEM: ${{ inputs.actions }} |
| 97 | + UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }} |
| 98 | + PR_URL: ${{ github.event.pull_request.html_url }} |
| 99 | + run: | |
| 100 | + gh pr review --approve --body "Merging this \`${UPDATE_TYPE}\` update (actions: \`${MERGE_ECOSYSTEM}\`, all: \`${MERGE_ALL}\`)" "$PR_URL" |
| 101 | + gh pr merge --auto --merge "$PR_URL" |
| 102 | +
|
| 103 | + - name: Merge NPM update |
| 104 | + if: | |
| 105 | + steps.metadata.outputs.package-ecosystem == 'npm_and_yarn' && |
| 106 | + ( |
| 107 | + (inputs.all == 'all' || inputs.npm == 'all') || |
| 108 | + ( |
| 109 | + steps.metadata.outputs.update-type == 'version-update:semver-major' && |
| 110 | + (inputs.all == 'major' || inputs.npm == 'major') |
| 111 | + ) || |
| 112 | + ( |
| 113 | + steps.metadata.outputs.update-type == 'version-update:semver-minor' && |
| 114 | + ( |
| 115 | + (inputs.all == 'major' || inputs.npm == 'major') || |
| 116 | + (inputs.all == 'minor' || inputs.npm == 'minor') |
| 117 | + ) |
| 118 | + ) || |
| 119 | + ( |
| 120 | + steps.metadata.outputs.update-type == 'version-update:semver-patch' && |
| 121 | + (inputs.all != 'none' || inputs.npm != 'none') |
| 122 | + ) |
| 123 | + ) |
| 124 | + env: |
| 125 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 126 | + MERGE_ALL: ${{ inputs.all }} |
| 127 | + MERGE_ECOSYSTEM: ${{ inputs.npm }} |
| 128 | + UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }} |
| 129 | + PR_URL: ${{ github.event.pull_request.html_url }} |
| 130 | + run: | |
| 131 | + gh pr review --approve --body "Merging this \`${UPDATE_TYPE}\` update (npm: \`${MERGE_ECOSYSTEM}\`, all: \`${MERGE_ALL}\`)" "$PR_URL" |
| 132 | + gh pr merge --auto --merge "$PR_URL" |
0 commit comments