dependabot-automerge.yaml

name: Dependabot auto merger

on:
  workflow_call:
    inputs:
      packages-minor-autoupdate:
        description: An array of packages to automerge
        default: ""
        required: false
        type: string
      repository-merge-method:
        description: The merge method to use (specify what is enabled for your repository out of merge, squash, or rebase)
        default: merge
        required: false
        type: string
    secrets:
      envPAT:
        required: false

permissions:
  pull-requests: write
  contents: write

jobs:
  review-dependabot-pr:
    runs-on: ubuntu-latest
    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
    env:
      PR_URL: ${{github.event.pull_request.html_url}}
      GITHUB_TOKEN: ${{secrets.envPAT || secrets.GITHUB_TOKEN}}
    steps:
      - name: Generate token
        id: generate-token
        uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # v1
        continue-on-error: true
        with:
          app_id: ${{ secrets.DEPENDABOTREVIEWER_ID }}
          private_key: ${{ secrets.DEPENDABOTREVIEWER_PEM }}
      - name: Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@8348ea7f5d949b08c7f125a44b569c9626b05db3 # v1.7.0
      - name: Enable auto-merge for Dependabot PRs
        run: gh pr merge --auto --${MERGE_METHOD} "$PR_URL"
        env:
          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token || secrets.envPAT || secrets.GITHUB_TOKEN}}
          MERGE_METHOD: ${{ inputs.repository-merge-method }}
      - name: Approve patch updates
        if: ${{ steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch' }}
        run: gh pr review $PR_URL --approve -b "**Approving** patch update"
      - name: Approve minor updates of development dependencies
        if: ${{ steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor' && steps.dependabot-metadata.outputs.dependency-type == 'direct:development'}}
        run: gh pr review $PR_URL --approve -b "**Approving** minor update to a development dependency"
      - name: Approve minor updates of allowlisted production dependencies
        if: ${{ steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor' && steps.dependabot-metadata.outputs.dependency-type == 'direct:production' && contains(fromJSON(inputs.packages-minor-autoupdate), steps.dependabot-metadata.outputs.dependency-names) }}
        run: gh pr review $PR_URL --approve -b "**Approving** minor update to an allowlisted production dependency"
      - name: Comment on minor updates of non-allowlisted production dependencies
        if: ${{ steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor' && steps.dependabot-metadata.outputs.dependency-type == 'direct:production' && !contains(fromJSON(inputs.packages-minor-autoupdate), steps.dependabot-metadata.outputs.dependency-names) }}
        run: |
          gh pr comment $PR_URL --body "**Not approving** minor update to a non-allowlisted production dependency"
          gh label create "requires-manual-approval" --repo "$GITHUB_REPOSITORY" || true
          gh pr edit $PR_URL --add-label "requires-manual-approval"
      - name: Comment on major updates of production dependencies
        if: ${{ steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major' && steps.dependabot-metadata.outputs.dependency-type == 'direct:production' }}
        run: |
          gh pr comment $PR_URL --body "**Not approving** major update to a production dependency"
          gh label create "requires-manual-approval" --repo "$GITHUB_REPOSITORY" || true
          gh pr edit $PR_URL --add-label "requires-manual-approval"