Add auto merge workflow

Author: jessemyers-lettuce

.github/actions/github/app-token/action.yaml

@@ -0,0 +1,75 @@
+name: 'Generate GitHub App token'
+description: 'Generate an API token for a GitHub app'
+
+inputs:
+  app_id:
+    description: 'The app id'
+    type: string
+  installation_id:
+    description: 'The app installation id'
+    type: string
+  private_key:
+    description: 'The app private key in PEM format'
+    type: string
+outputs:
+  token:
+     description: "The generated GitHub App token"
+     value: ${{ steps.token.outputs.value }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Create temporary directory
+      id: tempdir
+      shell: bash
+      run: |
+        tempdir=$(mktemp -d)
+        echo "tempdir=${tempdir}" >> $GITHUB_OUTPUT
+
+    - name: Create JWT
+      id: jwt
+      shell: bash
+      run: |
+        DIR="${{ steps.tempdir.outputs.tempdir }}"
+        python3 -m venv ${DIR}/.venv
+        source ${DIR}/.venv/bin/activate
+        pip install --quiet --upgrade pip
+        pip install --quiet jwt
+
+        cat > ./create-jwt.py << EOF
+        #!/usr/bin/env python3
+        from time import time
+        from os import environ
+        from sys import argv
+
+        from jwt import JWT, jwk_from_pem
+
+        private_key, app_id, now = argv[1], argv[2], int(time())
+        signing_key = jwk_from_pem(private_key.encode("utf-8"))
+        print(JWT().encode(dict(iat=now, exp=now + 600, iss=app_id), signing_key, alg="RS256"))
+        EOF
+
+        chmod 755 ./create-jwt.py
+
+        VALUE=$(./create-jwt.py "${{ inputs.private_key }}" "${{ inputs.app_id }}")
+        echo "::add-mask::${VALUE}"
+        echo "value=${VALUE}" >> "$GITHUB_OUTPUT"
+
+    - name: Create token
+      id: token
+      shell: bash
+      run: |
+        TOKEN=$(curl --silent --request POST \
+          --url "https://api.github.com/app/installations/${{ inputs.installation_id }}/access_tokens" \
+          --header "Accept: application/vnd.github+json" \
+          --header "Authorization: Bearer ${{ steps.jwt.outputs.value }}" \
+          --header "X-GitHub-Api-Version: 2022-11-28" \
+          | jq .token -r)
+        echo "::add-mask::${TOKEN}"
+        echo "value=${TOKEN}" >> "$GITHUB_OUTPUT"
+
+    - name: Delete temporary directory
+      if: always()
+      shell: bash
+      run: |
+        rm -rf ${{ steps.tempdir.outputs.tempdir }}

.github/workflows/auto-merge.yaml

@@ -0,0 +1,28 @@
+name: Auto Merge Bot PRs
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source
+        uses: actions/checkout@v4
+
+      - name: Create app token
+        id: create-app-token
+        uses: ./.github/actions/github/app-token
+        with:
+          app_id: ${{ vars.LETTUCE_BOT_APP_ID }}
+          installation_id: ${{ vars.LETTUCE_BOT_INSTALLATION_ID }}
+          private_key: ${{ secrets.LETTUCE_BOT_PRIVATE_KEY }}
+
+      - name: Auto Merge Lettuce Bot
+        if: ${{ github.actor == 'lettuce-bot[bot]' || github.actor == 'renovate[bot]' }}
+        run: |
+          gh pr merge --repo ${{ github.repository }} --auto --merge ${{ github.event.number }}
+        env:
+          GH_TOKEN: ${{ steps.create-app-token.outputs.token }}