1+ name : Auto approve & merge Dependabot and Renovate PRs
2+
3+ on :
4+ pull_request :
5+ types : [opened, edited, synchronize, reopened, labeled]
6+ branches : [master]
7+
8+ permissions :
9+ contents : write
10+ pull-requests : write
11+
12+ jobs :
13+ auto-approve-merge :
14+ runs-on : ubuntu-latest
15+ if : (github.actor == 'dependabot[bot]' || github.actor == 'renovate[bot]') && github.repository == 'internetee/whois'
16+ steps :
17+ - name : Checkout repository
18+ uses : actions/checkout@v5
19+
20+ - name : Install GitHub CLI
21+ run : |
22+ curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
23+ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
24+ sudo apt update
25+ sudo apt install gh
26+ - name : Auto approve PR
27+ uses : hmarr/auto-approve-action@v3
28+ with :
29+ github-token : ${{ secrets.GITHUB_TOKEN }}
30+
31+ - name : Fetch Dependabot metadata
32+ if : github.actor == 'dependabot[bot]'
33+ id : metadata
34+ uses : dependabot/fetch-metadata@v1
35+ with :
36+ github-token : ${{ secrets.GITHUB_TOKEN }}
37+
38+ - name : Check if PR should be auto-merged
39+ id : check_auto_merge
40+ run : |
41+ if [ "${{ github.actor }}" == "dependabot[bot]" ]; then
42+ if [[ "${{ steps.metadata.outputs.update-type }}" == "version-update:semver-patch" ]]; then
43+ echo "auto_merge=true" >> $GITHUB_OUTPUT
44+ echo "Auto-merge: Dependabot patch update detected"
45+ else
46+ echo "auto_merge=false" >> $GITHUB_OUTPUT
47+ echo "Auto-merge: Dependabot non-patch update, skipping"
48+ fi
49+ elif [ "${{ github.actor }}" == "renovate[bot]" ]; then
50+ # Check if PR has patch label (set by renovate.json configuration)
51+ # Extract label names from the labels array
52+ LABEL_NAMES=$(echo '${{ toJson(github.event.pull_request.labels) }}' | jq -r '.[].name' | tr '\n' ' ')
53+ if [[ "$LABEL_NAMES" == *"patch"* ]] || [[ "$LABEL_NAMES" == *"bundler"* ]] || [[ "$LABEL_NAMES" == *"ruby-version"* ]] || [[ "$LABEL_NAMES" == *"github-actions"* ]]; then
54+ echo "auto_merge=true" >> $GITHUB_OUTPUT
55+ echo "Auto-merge: Renovate patch update detected (label-based): $LABEL_NAMES"
56+ else
57+ echo "auto_merge=false" >> $GITHUB_OUTPUT
58+ echo "Auto-merge: Renovate non-patch update, skipping. Labels: $LABEL_NAMES"
59+ fi
60+ else
61+ echo "auto_merge=false" >> $GITHUB_OUTPUT
62+ echo "Auto-merge: Unknown actor, skipping"
63+ fi
64+ shell : bash
65+
66+ - name : Wait for CI checks
67+ if : steps.check_auto_merge.outputs.auto_merge == 'true'
68+ uses : lewagon/wait-on-check-action@v1.3.4
69+ with :
70+ ref : ${{ github.event.pull_request.head.sha }}
71+ repo-token : ${{ secrets.GITHUB_TOKEN }}
72+ wait-interval : 30
73+ running-workflow-name : ' Test and Coverage'
74+
75+ - name : Auto-merge PR
76+ if : steps.check_auto_merge.outputs.auto_merge == 'true'
77+ run : |
78+ echo "Attempting to auto-merge PR #${{ github.event.pull_request.number }}"
79+ gh pr merge --auto --merge ${{ github.event.pull_request.number }} || {
80+ echo "Auto-merge failed, but continuing..."
81+ exit 0
82+ }
83+ env :
84+ GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
85+
86+ - name : Send Mattermost notification
87+ if : steps.check_auto_merge.outputs.auto_merge == 'true'
88+ run : |
89+ TIMESTAMP=$(date -u +"%Y-%m-%d %H:%M UTC")
90+ curl -X POST -H "Authorization: Bearer ${{ secrets.MATTERMOST_BOT_TOKEN }}" \
91+ -H "Content-Type: application/json" \
92+ -d "{\"channel_id\":\"${{ secrets.MATTERMOST_CHANNEL_ID }}\",\"message\":\"[${{ github.repository }}] PR #${{ github.event.pull_request.number }}: \\\"${{ github.event.pull_request.title }}\\\" was auto-merged by ${{ github.actor }}.\nUpdate type: ${{ steps.metadata.outputs.update-type || 'patch' }}\nMerged at: $TIMESTAMP\nLink: ${{ github.event.pull_request.html_url }}\"}" \
93+ https://mattermost.example.com/api/v4/posts
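Review bot: The `run:` block at line 92 interpolates `${{ github.event.pull_request.title }}` (and `html_url`) straight into a shell command and a hand-built JSON string, so a title containing a double quote, `$(` or a backtick breaks the payload and is evaluated by bash before curl runs — the `github.actor` gate on line 15 narrows who reaches this step but does not sanitize the value. Line 52 has the same shape: `toJson(github.event.pull_request.labels)` sits inside single quotes, where a label name containing `'` ends the literal. Route these fields through `env:` and let `jq --arg` produce the JSON, e.g. for line 52 add `LABELS_JSON: ${{ toJson(github.event.pull_request.labels) }}` under the step's `env:` and use `LABEL_NAMES=$(printf '%s' "$LABELS_JSON" | jq -r '.[].name' | tr '\n' ' ')`. Separately, `gh pr merge --auto` on line 79 only arms auto-merge and its failure is swallowed by `|| { … exit 0; }`, so the notification that follows announces "was auto-merged" even when nothing was merged; consider keying the message on the merge step's outcome.

```yaml
# … unchanged: earlier steps …
      - name: Send Mattermost notification
        if: steps.check_auto_merge.outputs.auto_merge == 'true'
        shell: bash
        env:
          MM_TOKEN: ${{ secrets.MATTERMOST_BOT_TOKEN }}
          MM_CHANNEL: ${{ secrets.MATTERMOST_CHANNEL_ID }}
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_URL: ${{ github.event.pull_request.html_url }}
          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type || 'patch' }}
        run: |
          TIMESTAMP=$(date -u +"%Y-%m-%d %H:%M UTC")
          # Build the message with printf and the JSON with jq so no event field
          # is ever parsed as shell or JSON syntax.
          printf -v MSG '[%s] PR #%s: "%s" was auto-merged by %s.\nUpdate type: %s\nMerged at: %s\nLink: %s' \
            "$GITHUB_REPOSITORY" "$PR_NUMBER" "$PR_TITLE" "$GITHUB_ACTOR" "$UPDATE_TYPE" "$TIMESTAMP" "$PR_URL"
          jq -n --arg ch "$MM_CHANNEL" --arg msg "$MSG" '{channel_id: $ch, message: $msg}' \
            | curl -X POST -H "Authorization: Bearer $MM_TOKEN" \
                -H "Content-Type: application/json" \
                -d @- https://mattermost.example.com/api/v4/posts
```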