-
Notifications
You must be signed in to change notification settings - Fork 1
131 lines (108 loc) · 3.68 KB
/
approve-dependabot.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
name: "Dependabot: Approve updates"
on:
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests
# could and should work, at least for public repos;
# tracking issue for this action's issue:
# https://github.com/ahmadnassri/action-dependabot-auto-merge/issues/60
pull_request_target:
types:
- opened
- edited
- reopened
- synchronize
- ready_for_review
branches:
- main
jobs:
enable-auto-merge-github-actions:
if: |-
vars.DEPENDABOT_AUTOMERGE == 'true' &&
startsWith(github.head_ref, 'dependabot/github_actions/')
runs-on: [self-hosted, linux]
permissions:
contents: write
pull-requests: write
# Specifically check that dependabot (or another trusted party) created this pull-request, and that it has been labelled correctly.
steps:
- name: "Initialise Workspace"
if: startsWith(runner.name, 'buildagent-')
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
- name: "Check Repo Owner"
uses: actions/[email protected]
with:
script: |
core.info('Owner: ${{github.repository_owner}}');
- name: "Auto Merge"
uses: alexwilson/[email protected]
with:
github-token: ${{secrets.SOURCE_PUSH_TOKEN}}
merge-method: "MERGE"
enable-auto-merge-npm:
if: |-
vars.DEPENDABOT_AUTOMERGE == 'true' &&
startsWith(github.head_ref, 'dependabot/npm_and_yarn/')
runs-on: [self-hosted, linux]
permissions:
contents: write
pull-requests: write
# Specifically check that dependabot (or another trusted party) created this pull-request, and that it has been labelled correctly.
steps:
- name: "Initialise Workspace"
if: startsWith(runner.name, 'buildagent-')
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
- name: "Check Repo Owner"
uses: actions/[email protected]
with:
script: |
core.info('Owner: ${{github.repository_owner}}');
- name: "Auto Merge"
uses: alexwilson/[email protected]
with:
github-token: ${{secrets.SOURCE_PUSH_TOKEN}}
merge-method: "MERGE"
auto-approve-dependabot-gitub-actions:
if: |-
vars.DEPENDABOT_AUTOMERGE == 'true' &&
startsWith(github.head_ref, 'dependabot/github_actions/')
runs-on: [self-hosted, linux]
permissions:
contents: write
pull-requests: write
steps:
- name: "Initialise Workspace"
if: startsWith(runner.name, 'buildagent-')
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
- name: "Check Repo Owner"
uses: actions/[email protected]
with:
script: |
core.info('Owner: ${{github.repository_owner}}');
- name: "Approve"
uses: hmarr/auto-approve-action@v4
with:
github-token: ${{secrets.SOURCE_PUSH_TOKEN}}
auto-approve-dependabot-npm:
if: |-
vars.DEPENDABOT_AUTOMERGE == 'true' &&
startsWith(github.head_ref, 'dependabot/npm_and_yarn/')
runs-on: [self-hosted, linux]
permissions:
contents: write
pull-requests: write
steps:
- name: "Initialise Workspace"
if: startsWith(runner.name, 'buildagent-')
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
- name: "Check Repo Owner"
uses: actions/[email protected]
with:
script: |
core.info('Owner: ${{github.repository_owner}}');
- name: "Approve"
uses: hmarr/auto-approve-action@v4
with:
github-token: ${{secrets.SOURCE_PUSH_TOKEN}}