openid-connect-provider-debugger/.github/workflows/automerge.yml at c151709a521fa43e1fa1200f6cf41eb2b9ff37db · leplusorg/openid-connect-provider-debugger · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
---
name: "Dependabot auto-merge"
on: pull_request

permissions: {}

jobs:
  automerge:
    permissions:
      # Required to merge the PR
      contents: write
      # Required to merge the PR if it modifies a workflow
      actions: write
      # Required to approve the PR
      pull-requests: write
    runs-on: ubuntu-latest
    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
    steps:
      - name: Enable auto-merge for Dependabot PRs
        shell: bash
        run: |
          set -euo pipefail
          IFS=$'\n\t'
          # Checking the PR title is a poor substitute for the actual PR changes
          # but as long as this is used only with dependabot PRs,
          # it should be safe to assume that the title is not misleading.
          regexp='[Bb]ump .* from [0-9]+\.[0-9]+(\.[0-9]+)?(\.[0-9]+)?(\-[a-z]+)? to [0-9]+\.[0-9]+(\.[0-9]+)?(\.[0-9]+)?(\-[a-z]+)?( in .*)?$'
          if ! [[ "${PR_TITLE}" =~ ${regexp} ]] ; then
            echo 'Non-semver upgrade, needs manual review.'
          elif [ "${BASH_REMATCH[3]}" != "${BASH_REMATCH[6]}" ] ; then
            echo 'Version suffixes do not match, needs manual review.'
          else
            echo 'Automated review approval.'
            gh pr review --approve "${PR_URL}"
          fi
          gh pr merge --auto --squash "${PR_URL}"
        env:
          PR_TITLE: ${{github.event.pull_request.title}}
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}