chore: make sure auto-approve and automerge work for Dependabot

.github/dependabot.yml

@@ -3,27 +3,40 @@ updates:
   - package-ecosystem: "npm" 
     directory: "/"
     schedule:
-        interval: "weekly"
+      interval: "weekly"
     labels:
-        - "dependencies"
-        - "automerge"
-        - "auto-approve"
+      - "dependencies"
+      - "automerge"
+      - "auto-approve"
     open-pull-requests-limit: 5
     ignore:
-        - dependency-name: "@types/node"
+      - dependency-name: "@types/node"
+      # For providers, ignore all patch updates for version updates only
+      - dependency-name: "@cdktf/provider-aws"
+        update-types: ["version-update:semver-patch"]
+      - dependency-name: "@cdktf/provider-local"
+        update-types: ["version-update:semver-patch"]
     groups:
-        cdktf:
-            patterns:
-                - "cdktf"
-                - "cdktf-cli"
-                - "@cdktf/*"
-        jest:
-            patterns:
-                - "jest"
-                - "ts-jest"
-                - "@types/jest"
-                - "@jest/*"
-
-
-
-
+      cdktf:
+        patterns:
+          - "cdktf"
+          - "cdktf-cli"
+          - "@cdktf/*"
+      jest:
+        patterns:
+          - "jest"
+          - "ts-jest"
+          - "@types/jest"
+          - "@jest/*"
+  - package-ecosystem: npm
+    versioning-strategy: lockfile-only
+    directory: /frontend/code
+    schedule:
+      interval: daily
+    labels:
+      - auto-approve
+      - automerge
+      - dependencies
+      - security
+    # Disable version updates for npm dependencies, only use Dependabot for security updates
+    open-pull-requests-limit: 0    

.github/workflows/auto-approve.yml

@@ -21,12 +21,12 @@ jobs:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
       - name: Auto-approve PRs by other users as team-tf-cdk
-        if: github.event.pull_request.user.login != 'team-tf-cdk'
+        if: github.event.pull_request.user.login != 'team-tf-cdk' && github.actor != 'dependabot[bot]'
         env:
-          GH_TOKEN: ${{ secrets.TEAM_TF_CDK }} 
+          GH_TOKEN: ${{ secrets.TEAM_TF_CDK }}
         run: gh pr review ${{ github.event.pull_request.number }} --approve
-      - name: Auto-approve PRs by team-tf-cdk as github-actions[bot]
-        if: github.event.pull_request.user.login == 'team-tf-cdk'
+      - name: Auto-approve PRs by team-tf-cdk or Dependabot as github-actions[bot]
+        if: github.event.pull_request.user.login == 'team-tf-cdk' || github.actor == 'dependabot[bot]'
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token does not need to be replaced
-        run: gh pr review ${{ github.event.pull_request.number }} --approve
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh pr review ${{ github.event.pull_request.number }} --approve

.github/workflows/automerge.yml

@@ -13,11 +13,18 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+      pull-requests: write
     if: contains(github.event.pull_request.labels.*.name, 'automerge') && github.event.pull_request.draft == false
     steps:
       - name: Checkout
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
-      - name: Turn on automerge for this PR
+      - name: Turn on automerge for this PR by Dependabot
+        if: github.actor == 'dependabot[bot]'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: gh pr merge --auto --squash ${{ github.event.pull_request.number }}
+      - name: Turn on automerge for this PR by users other than Dependabot
+        if: github.actor != 'dependabot[bot]'
         env:
-          GH_TOKEN: ${{ secrets.TEAM_TF_CDK }}
+          GH_TOKEN: ${{ secrets.TEAM_TF_CDK }}
+        run: gh pr merge --auto --squash ${{ github.event.pull_request.number }}