@@ -3,57 +3,67 @@ name: auto-merge
33
44" on " :
55 pull_request :
6+ types : [opened, synchronize, reopened, labeled, unlabeled]
67
78permissions :
89 contents : write
910 pull-requests : write
1011
12+ # Cancel in-progress runs for the same PR (only latest should merge)
13+ concurrency :
14+ group : auto-merge-${{ github.event.pull_request.number }}
15+ cancel-in-progress : true
16+
1117jobs :
12- dependabot :
18+ auto-merge :
1319 runs-on : ubuntu-latest
14- # Only run on Dependabot PRs
15- if : github.event.pull_request.user.login == 'dependabot[bot]'
20+ # Run for dependabot, pre-commit-ci, or PRs with auto-merge label
21+ if : >-
22+ github.event.pull_request.user.login == 'dependabot[bot]' ||
23+ github.event.pull_request.user.login == 'pre-commit-ci[bot]' ||
24+ contains(github.event.pull_request.labels.*.name, 'auto-merge')
1625 steps :
26+ # Fetch Dependabot metadata (only runs for dependabot PRs)
1727 - name : Fetch Dependabot metadata
1828 id : metadata
29+ if : github.event.pull_request.user.login == 'dependabot[bot]'
1930 uses : dependabot/fetch-metadata@v2
2031 with :
2132 github-token : " ${{ secrets.GITHUB_TOKEN }}"
2233
23- # Wait for all CI checks to pass before merging
24- - name : Wait for CI checks to pass
25- if : >-
26- steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
27- steps.metadata.outputs.update-type == 'version-update:semver-minor'
28- run : gh pr checks "$PR_URL" --watch --fail-fast
34+ # Determine if PR is eligible for auto-merge
35+ - name : Check eligibility
36+ id : eligible
37+ run : |
38+ if [[ "$ACTOR" == "dependabot[bot]" ]]; then
39+ # Dependabot: only auto-merge patch and minor updates
40+ if [[ "$UPDATE_TYPE" == "version-update:semver-patch" ]] ||
41+ [[ "$UPDATE_TYPE" == "version-update:semver-minor" ]]; then
42+ echo "result=true" >> "$GITHUB_OUTPUT"
43+ else
44+ echo "result=false" >> "$GITHUB_OUTPUT"
45+ echo "Skipping: Dependabot major update requires manual review"
46+ fi
47+ else
48+ # pre-commit-ci and auto-merge labeled PRs are always eligible
49+ echo "result=true" >> "$GITHUB_OUTPUT"
50+ fi
2951 env :
30- PR_URL : ${{ github.event.pull_request.html_url }}
31- GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
52+ ACTOR : ${{ github.event.pull_request.user.login }}
53+ UPDATE_TYPE : ${{ steps.metadata.outputs.update-type }}
3254
33- # Merge after CI passes
34- - name : Merge Dependabot PR
35- if : >-
36- steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
37- steps.metadata.outputs.update-type == 'version-update:semver-minor'
38- run : gh pr merge --squash "$PR_URL"
39- env :
40- PR_URL : ${{ github.event.pull_request.html_url }}
41- GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
42-
43- pre-commit-ci :
44- runs-on : ubuntu-latest
45- # Only run on pre-commit-ci PRs
46- if : github.event.pull_request.user.login == 'pre-commit-ci[bot]'
47- steps :
48- # Wait for all CI checks to pass before merging
49- - name : Wait for CI checks to pass
50- run : gh pr checks "$PR_URL" --watch --fail-fast
55+ # Wait for required CI checks (--required avoids deadlock with this workflow)
56+ - name : Wait for CI checks
57+ if : steps.eligible.outputs.result == 'true'
58+ timeout-minutes : 30
59+ run : gh pr checks "$PR_URL" --watch --fail-fast --required
5160 env :
5261 PR_URL : ${{ github.event.pull_request.html_url }}
5362 GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
5463
5564 # Merge after CI passes
56- - name : Merge pre-commit-ci PR
65+ - name : Merge PR
66+ if : steps.eligible.outputs.result == 'true'
5767 run : gh pr merge --squash "$PR_URL"
5868 env :
5969 PR_URL : ${{ github.event.pull_request.html_url }}
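Review bot: The label arm of the job-level `if`, together with the `else` arm of "Check eligibility", makes the `auto-merge` label a standing approval for any author. Because `synchronize` is in the trigger types, each later push to a labelled PR re-runs the job and is squash-merged with a `contents: write` token once the required checks pass, without anyone reviewing the new commits. At minimum, pin the merge to the commit that triggered the run: `run: gh pr merge --squash --match-head-commit "$HEAD_SHA" "$PR_URL"`, with `HEAD_SHA: ${{ github.event.pull_request.head.sha }}` added to that step's `env`, so a push landing between the check wait and the merge is not merged. Who may apply the label, and whether branch protection requires an approving review, is not visible here and should be confirmed, since those are the only remaining gates for non-bot PRs. The Merge step's `env` block continues past the end of the hunk.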