feat(dependabot-auto-triage): close PRs related to dismissed alerts (#1161)

* feat(dependabot-auto-triage): close PRs related to dismissed alerts

* feat(dependabot-auto-triage): make close-prs an optional input

* feat(dependabot-auto-triage): add tests for close-prs input

* chore(dependabot-auto-triage): document close-prs input

* chore(dependabot-auto-triage): run prettier

* Add check to skip PRs that are associated with valid alerts

* Run prettier

* Fix ESLint

Author: guicaulada

actions/dependabot-auto-triage/README.md

@@ -60,6 +60,7 @@ jobs:
             ksonnet/lib/argo-workflows/charts/**/*.json
           dismissal-reason: "not_used"
           dismissal-comment: "These dependencies are not used in production and pose no risk"
+          close-prs: "true" # Optional: close associated Dependabot PRs
 ```
 
 <!-- x-release-please-end-version -->
@@ -73,12 +74,15 @@ jobs:
 | `paths`             | Multi-line list of glob patterns to match manifest paths to dismiss                                               | Yes      | N/A                                                   |
 | `dismissal-comment` | Default comment to add when dismissing alerts                                                                     | No       | `Auto-dismissed based on manifest path configuration` |
 | `dismissal-reason`  | Default reason for dismissal (options: `fix_started`, `inaccurate`, `no_bandwidth`, `not_used`, `tolerable_risk`) | No       | `not_used`                                            |
+| `close-prs`         | Whether to close associated Dependabot pull requests before dismissing alerts                                     | No       | `false`                                               |
 
 ### How It Works
 
 1. The action fetches all open Dependabot alerts for the repository
 2. For each alert, it checks if the manifest path matches any of the provided glob patterns
-3. If the path matches a pattern, it dismisses the alert with the specified reason and comment
+3. If `close-prs` is enabled, it fetches associated pull requests for matching alerts
+4. For each matching alert, it optionally closes the associated pull request first (if `close-prs` is true)
+5. It then dismisses the alert with the specified reason and comment
 
 ### Glob Pattern Syntax
 
@@ -100,6 +104,7 @@ To use this action, you need:
 1. A GitHub App with the following permissions:
    - Repository permissions:
      - **Dependabot alerts**: Read & Write
+     - **Pull requests**: Read & Write (only required if `close-prs` is set to `true`)
 
 2. The GitHub App needs to be installed on your repository or organization
 

actions/dependabot-auto-triage/action.yml

@@ -23,6 +23,10 @@ inputs:
     required: false
     default: "not_used"
     # Options: 'fix_started', 'inaccurate', 'no_bandwidth', 'not_used', 'tolerable_risk'
+  close-prs:
+    description: "Whether to close associated pull requests when dismissing alerts"
+    required: false
+    default: "false"
 
 runs:
   using: "composite"
@@ -47,6 +51,7 @@ runs:
         INPUT_PATHS: ${{ inputs.paths }}
         INPUT_DISMISSAL_COMMENT: ${{ inputs.dismissal-comment }}
         INPUT_DISMISSAL_REASON: ${{ inputs.dismissal-reason }}
+        INPUT_CLOSE_PRS: ${{ inputs.close-prs }}
         NODE_ENV: "production"
       run: |
         bun run src/index.ts

actions/dependabot-auto-triage/package.json

@@ -11,6 +11,7 @@
     "test": "bun test"
   },
   "dependencies": {
+    "@octokit/graphql": "^9.0.1",
     "@octokit/request-error": "7.0.0",
     "@octokit/rest": "22.0.0",
     "minimatch": "10.0.3"