From 3585a90c0342e5ef36aa53bd0537ccd787fd27c1 Mon Sep 17 00:00:00 2001
From: skye rogers <skyero@amazon.com>
Date: Mon, 24 Mar 2025 13:24:03 -0700
Subject: [PATCH] move actions.yml additions to maven.yml

---
 .github/workflows/actions.yml | 32 +++++++++++++++++++++++---------
 .github/workflows/maven.yml   | 21 ++++++++++++++++++++-
 2 files changed, 43 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/actions.yml b/.github/workflows/actions.yml
index 17ae6394..dd3cb020 100644
--- a/.github/workflows/actions.yml
+++ b/.github/workflows/actions.yml
@@ -1,13 +1,27 @@
-name: Comment when opened
-on:
-  issues:
-    types:
-      - opened
+name: Dependabot auto-merge
+on: pull_request
+
+permissions:
+  pull-requests: write
+  contents: write
+
 jobs:
-  comment:
+  dependabot:
+    permissions:
+      pull-requests: read
     runs-on: ubuntu-latest
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
     steps:
-      - run: gh issue comment $ISSUE --body "Thank you for opening this issue!"
+      - name: Dependabot metadata
+        id: dependabot-metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          alert-lookup: true
+          github-token: "${{ secrets.PAT_TOKEN }}"
+      - name: Enable auto-merge for Dependabot PRs
+        # if: (steps.dependabot-metadata.outputs.cvss == true && update_types == 'minor' || 'patch')
+        if: update_types == 'minor' || 'patch'
+        run: gh pr merge --auto --merge "$PR_URL"
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          ISSUE: ${{ github.event.issue.html_url }}
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
\ No newline at end of file
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 1a325e1b..59004314 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -36,4 +36,23 @@ jobs:
           java-version: '8'
           distribution: 'corretto'
       - name: Check backwards compatibility of changes
-        run: .github/scripts/backwards_compatibility_check.sh
\ No newline at end of file
+        run: .github/scripts/backwards_compatibility_check.sh
+  auto-merge-vulnerable-PRs:
+    permissions:
+      pull-requests: read
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
+    steps:
+      - name: Dependabot metadata
+        id: dependabot-metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          alert-lookup: true
+          github-token: "${{ secrets.PAT_TOKEN }}"
+      - name: Enable auto-merge for Dependabot PRs
+        # if: (steps.dependabot-metadata.outputs.cvss == true && update_types == 'minor' || 'patch')
+        if: update_types == 'minor' || 'patch'
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
\ No newline at end of file