Add workflows for automerge and dependabot autoapprove

lehmanmj · lehmanmj · commit 5bdd66fe8b8a · 2025-02-05T14:09:39.000-08:00
diff --git a/.github/workflows/automerge-approved-prs.yml b/.github/workflows/automerge-approved-prs.yml
@@ -0,0 +1,32 @@
+on:
+  pull_request_review:
+    types: submitted
+
+jobs:
+  approved_pr:
+    name: Automerge approved PRs
+    permissions:
+      contents: write
+      pull-requests: write
+      id-token: write
+    if: ${{ github.event.review.state == 'approved' && github.repository == 'awsdocs/aws-doc-sdk-examples' && (github.event.review.author_association == 'OWNER' || github.event.review.author_association == 'MEMBER' || github.event.review.user.login == 'aws-sdk-osds') }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-west-2
+          role-to-assume: arn:aws:iam::206735643321:role/ConfigureAwsCredentialsPackageRole
+          role-duration-seconds: 900
+          role-session-name: SecretsManagerFetch
+      - name: Get bot user token
+        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+        with:
+          parse-json-secrets: true
+          secret-ids: |
+            OSDS,arn:aws:secretsmanager:us-west-2:206735643321:secret:github-aws-sdk-osds-automation-gebs9n
+      - name: Enable PR automerge
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ env.OSDS_ACCESS_TOKEN }}
diff --git a/.github/workflows/dependabot-autoapprove.yml b/.github/workflows/dependabot-autoapprove.yml
@@ -0,0 +1,37 @@
+name: Dependabot auto-approve
+on: pull_request
+permissions:
+  pull-requests: write
+  id-token: write
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'awsdocs/aws-doc-sdk-examples' }}
+    steps:
+      - name: Get Metadata
+        id: dependabot-metadata
+        uses: dependabot/fetch-metadata@v2
+      - uses: actions/checkout@v4
+        name: Clone repo
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-west-2
+          role-to-assume: arn:aws:iam::206735643321:role/ConfigureAwsCredentialsPackageRole
+          role-duration-seconds: 900
+      - name: Get bot user token
+        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+        with:
+          parse-json-secrets: true
+          secret-ids: |
+            OSDS,arn:aws:secretsmanager:us-west-2:206735643321:secret:github-aws-sdk-osds-automation-gebs9n
+      - name: Approve PR if not already approved
+        run: |
+          gh pr checkout "$PR_URL"
+          if [ "$(gh pr status --json reviewDecision - q .currentBranch.reviewDecision)" != "APPROVED" ]; then
+            gh pr review "$PR_URL" --approve
+          else echo "PR already approved"
+          fi
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ env.OSDS_ACCESS_TOKEN }}
