Add step to wait for passing checks

* Add step with a script which iterates through all the checks for a commit and waits until there are no pending and no failing checks
* I tried waiting for a success but this didn't work because it's possible to have successful checks and pending/failing checks simultaneously, it was more reliable to wait for the absence of pending/failing checks then the presence of successful checks
* Exclude the `wait_for_checks` check or else it loops until the max retries are reached (I learned this the hard way)
* Add `wait_for_checks` to the auto_approve_and_merge step's need attribute so it will only run once the `wait_for_checks` has succeeded

Author: sarahseewhy

.github/workflows/dependabot-auto-approve.yml

@@ -20,9 +20,65 @@ jobs:
       - if: "!contains(steps.dependabot-metadata.outputs.package-ecosystem, 'npm') && (steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch')"
         id: check_if_allowed_dependency
         run: echo "is_allowed_dependency=1" >> "$GITHUB_OUTPUT"
+  wait_for_checks:
+    runs-on: ubuntu-latest
+    needs: [ validate_dependabot_opened_this_PR, validate_this_is_an_allowed_dependency ]
+    steps:
+      - name: Wait for required checks to pass
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+          SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          echo "Waiting for all required checks to pass on commit $SHA..."
+
+          MAX_RETRIES=30
+          RETRY_DELAY=10
+          ATTEMPT=0
+
+          while [ $ATTEMPT -lt $MAX_RETRIES ]; do
+            echo "Attempt $((ATTEMPT+1))/$MAX_RETRIES"
+
+            # Get all check runs for the commit
+            RESPONSE=$(curl -s -H "Authorization: token $GH_TOKEN" \
+              "https://api.github.com/repos/$REPO/commits/$SHA/check-runs")
+
+            # Exclude self (wait_for_checks)
+            EXCLUDED_CHECK="wait_for_checks"
+
+            echo "Ignoring ${EXCLUDED_CHECK}"
+
+            # Extract conclusions
+            CONCLUSIONS=$(echo "$RESPONSE" | jq -r '.check_runs[] | select(.name != "wait_for_checks") | .name + ":" + (.status + "/" + (.conclusion // "none"))')
+
+            echo "$CONCLUSIONS"
+
+            # Are there any in_progress or queued?
+            PENDING=$(echo "$RESPONSE" | jq -r --arg exclude "$EXCLUDED_CHECK" '[.check_runs[] | select(.name != $exclude and .status != "completed")] | length')
+
+            # Are all completed and successful?
+            FAILED=$(echo "$RESPONSE" | jq -r --arg exclude "$EXCLUDED_CHECK" '[.check_runs[] | select(.name != $exclude and .status == "completed" and .conclusion != "success")] | length')
+
+            if [ "$PENDING" -eq 0 ] && [ "$FAILED" -eq 0 ]; then
+              echo "All checks completed successfully."
+              exit 0
+            fi
+
+            if [ "$FAILED" -gt 0 ]; then
+              echo "One or more checks failed."
+              exit 1
+            fi
+
+            echo "Some checks still pending. Waiting $RETRY_DELAY seconds..."
+            sleep $RETRY_DELAY
+            ATTEMPT=$((ATTEMPT + 1))
+          done
+
+          echo "Timed out waiting for checks to complete."
+          exit 1
   auto_approve_and_merge:
     runs-on: ubuntu-latest
-    needs: [validate_dependabot_opened_this_PR, validate_this_is_an_allowed_dependency]
+    needs: [validate_dependabot_opened_this_PR, validate_this_is_an_allowed_dependency, wait_for_checks]
     if: ${{ needs.validate_this_is_an_allowed_dependency.outputs.is_allowed_dependency == 1 }}
     steps:
       - uses: actions/checkout@v4