-
Notifications
You must be signed in to change notification settings - Fork 1
57 lines (50 loc) · 2.34 KB
/
Copy pathautomerge.yml
File metadata and controls
57 lines (50 loc) · 2.34 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
name: Dependabot auto-merge
# Hardened against the CVE-2025-61671 pattern (and similar):
# * Trust the PR author via `github.event.pull_request.user.login` only as a
# coarse gate. The actual security boundary is the official
# dependabot/fetch-metadata action, which signs over the PR contents and
# exposes update-type / dependency metadata in a tamper-resistant way.
# * Only `version-update:semver-patch`, `version-update:semver-security`,
# and indirect (lockfile-resolution) bumps are eligible for `--merge` —
# indirect updates carry no update-type metadata but stay within the
# constraints declared in the manifest. Direct minor and major bumps get
# `--approve` only; a human must hit the merge button.
# * `gh pr merge --auto --squash` lets GitHub gate the actual merge on the
# repository's required status checks (configured via branch protection),
# so we do NOT need to wait for CI inside this workflow.
# * The merge step authenticates with AUTOMERGE_PAT (not GITHUB_TOKEN):
# pushes made with GITHUB_TOKEN do not trigger workflows, so the merged
# commit would never get a CI build or deploy.
'on':
pull_request_target:
types: [opened, synchronize, reopened]
permissions:
contents: write
pull-requests: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
automerge:
runs-on: ubuntu-latest
if: github.event.pull_request.user.login == 'dependabot[bot]'
steps:
- name: Fetch Dependabot metadata
id: meta
uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Approve PR (all update types)
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh pr review --approve "$PR_URL"
- name: Enable auto-merge (patch, security, indirect)
if: |
steps.meta.outputs.update-type == 'version-update:semver-patch' ||
steps.meta.outputs.update-type == 'version-update:semver-security' ||
steps.meta.outputs.dependency-type == 'indirect'
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.AUTOMERGE_PAT }}
run: gh pr merge --auto --squash "$PR_URL"