Merged
8 changes: 5 additions & 3 deletions .github/workflows/dependabot-merge.yaml
Expand Up @@ -85,13 +85,15 @@ jobs:
private-key: ${{ secrets.app-private-key }}
# ff-merge moves the ref (contents) and reads/approves the PR (pull-requests),
# needs workflows to move a ref whose commits touch .github/workflows/ files,
# and reads the head commit's check-run rollup (checks); the approval
# (minor/patch only) is the authorization gate, not maintainer-only, so no
# administration scope is needed.
# and reads the head commit's status rollup — Checks-API check runs (checks)
# plus legacy commit statuses (statuses); the approval (minor/patch only) is
# the authorization gate, not maintainer-only, so no administration scope is
# needed.
permission-contents: write
permission-pull-requests: write
permission-workflows: write
permission-checks: read
permission-statuses: read

- name: Resolve the Dependabot PR and assess the update policy
id: assess
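Review bot: the new permission-statuses: read at the end of the permission list is only honoured if the GitHub App installation itself has been granted read access to commit statuses, since a token cannot carry a scope the installation lacks, and nothing in this hunk shows that was done. Please confirm the App's permissions were updated for every installation that calls this workflow, and list statuses: read next to checks: read wherever the required App permissions are documented, so a caller on an older installation learns about it before the token step fails.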
32 changes: 20 additions & 12 deletions .github/workflows/merge.yaml
Expand Up @@ -122,13 +122,15 @@ jobs:
# PR's linked issues (issues), moves a ref whose commits touch
# .github/workflows/ files (workflows — GitHub rejects any ref update that
# adds or edits a workflow file without it), and reads the head commit's
# check-run rollup to confirm every required check is green (checks).
# status rollup to confirm every required check is green — Checks-API check
# runs (checks) plus legacy commit statuses (statuses).
permission-contents: write
permission-pull-requests: write
permission-administration: read
permission-workflows: write
permission-issues: write
permission-checks: read
permission-statuses: read

- name: Fast-forward merge
uses: bitwise-media-group/ff-merge@261714459a53c43ba032fe0e3a3e6f3ab8fd14de # v1.2.0
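Review bot: the uses: line for ff-merge stays pinned at 261714459a53c43ba032fe0e3a3e6f3ab8fd14de (v1.2.0) while the comment above it now says the action reads legacy commit statuses as well as check runs. Please confirm the pinned release already queries commit statuses. If that behaviour arrived in a later ff-merge release, bump the pin in this PR; otherwise the token carries a read scope that nothing uses and the rollup described in the comment is not what actually gates the merge.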
Expand Down Expand Up @@ -168,13 +170,15 @@ jobs:
# Labels and comments on the PR (pull-requests), closes the PR's linked
# issues (issues), and moves the ref via the best-effort ff-merge (contents),
# which also needs workflows when the merge touches .github/workflows/ files
# and checks to read the head commit's check-run rollup; maintainer-only:false
# here, so no administration scope is needed.
# and checks + statuses to read the head commit's status rollup (Checks-API
# check runs plus legacy commit statuses); maintainer-only:false here, so no
# administration scope is needed.
permission-contents: write
permission-pull-requests: write
permission-workflows: write
permission-issues: write
permission-checks: read
permission-statuses: read

- name: Ensure the auto-merge label is present
env:
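Review bot: style point on the rewritten comment: "checks + statuses to read the head commit's status rollup" reads like a single scope, whereas every other token comment touched in this PR names each scope in parentheses after the thing it reads, as in "check runs (checks) plus legacy commit statuses (statuses)". Using the same form here keeps the five rationale comments greppable by scope name and makes it obvious which permission-* line each clause justifies.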
Expand Down Expand Up @@ -245,15 +249,16 @@ jobs:
client-id: ${{ inputs.app-client-id }}
private-key: ${{ secrets.app-private-key }}
# ff-merge moves the ref (contents), reads the PR (pull-requests), closes the
# PR's linked issues (issues), reads the head commit's check-run rollup
# (checks), and needs workflows to move a ref whose commits touch
# .github/workflows/ files; maintainer-only:false here, so no administration
# scope is needed.
# PR's linked issues (issues), reads the head commit's status rollup — Checks-API
# check runs (checks) plus legacy commit statuses (statuses) — and needs workflows
# to move a ref whose commits touch .github/workflows/ files; maintainer-only:false
# here, so no administration scope is needed.
permission-contents: write
permission-pull-requests: write
permission-workflows: write
permission-issues: write
permission-checks: read
permission-statuses: read

- name: Resolve the open PR for this branch
id: pr
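Review bot: the four-line rationale comment and the six permission-* lines in this step are identical to those in the next token step (the hunk at -317/+322), and this PR had to make the same edit in both. Copies like this drift: the next scope change is likely to land in one step and miss the other, leaving one token over- or under-scoped without anyone noticing. Consider stating the rationale once near the top of the workflow and having each step's comment refer to it, listing only what differs for that job.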
Expand Down Expand Up @@ -317,15 +322,16 @@ jobs:
client-id: ${{ inputs.app-client-id }}
private-key: ${{ secrets.app-private-key }}
# ff-merge moves the ref (contents), reads the PR (pull-requests), closes the
# PR's linked issues (issues), reads the head commit's check-run rollup
# (checks), and needs workflows to move a ref whose commits touch
# .github/workflows/ files; maintainer-only:false here, so no administration
# scope is needed.
# PR's linked issues (issues), reads the head commit's status rollup — Checks-API
# check runs (checks) plus legacy commit statuses (statuses) — and needs workflows
# to move a ref whose commits touch .github/workflows/ files; maintainer-only:false
# here, so no administration scope is needed.
permission-contents: write
permission-pull-requests: write
permission-workflows: write
permission-issues: write
permission-checks: read
permission-statuses: read

- name: Resolve the open PR for this branch
id: pr
Expand Down Expand Up @@ -425,12 +431,14 @@ jobs:
private-key: ${{ secrets.app-private-key }}
# ff-merge closes the PR's linked issues (issues) on a successful sweep merge,
# alongside the ref move (contents), the workflow-file allowance (workflows),
# and reading the head commit's check-run rollup (checks).
# and reading the head commit's status rollup — Checks-API check runs (checks)
# plus legacy commit statuses (statuses).
permission-contents: write
permission-pull-requests: write
permission-workflows: write
permission-issues: write
permission-checks: read
permission-statuses: read

- name: Fast-forward merge
# Best effort: ff-merge declines a PR that is not yet approved/green (expected
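Review bot: the comment above the permission list now accounts for issues, contents, workflows, checks and statuses, but the list also requests permission-pull-requests: write and the comment never says why this sweep token needs it. Since the comment is being edited anyway, add the reason for the write scope on pull requests (the other token comments in this file give one, for example "reads/approves the PR"), or drop the scope to read if the sweep job only needs to read the PR.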