auto-merge PRs for security critical patches/minor versions

2025-03-21 16:20:04 -07:00 · 2025-03-21 16:20:04 -07:00 · 65292e4a38
commit 65292e4a38
parent edd7d9b1e5
1 changed files with 51 additions and 27 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -1,32 +1,56 @@
 version: 2
 updates:
-# branch - master
- package-ecosystem: "maven"
-  directory: "/"
-  labels:
-    - "dependencies"
-    - "v3.x"
-  target-branch: "master"
-  schedule:
-    interval: "weekly"
+  # branch - master
+  - package-ecosystem: "maven"
+    directory: "/"
+    labels:
+      - "dependencies"
+      - "v3.x"
+    target-branch: "master"
+    schedule:
+      interval: "weekly"

-# branch - v2.x
- package-ecosystem: "maven"
-  directory: "/"
-  labels:
-    - "dependencies"
-    - "v2.x"
-  target-branch: "v2.x"
-  schedule:
-    interval: "weekly"
+  # branch - v2.x
+  - package-ecosystem: "maven"
+    directory: "/"
+    labels:
+      - "dependencies"
+      - "v2.x"
+    target-branch: "v2.x"
+    schedule:
+      interval: "weekly"

-# branch - v1.x
- package-ecosystem: "maven"
-  directory: "/"
-  labels:
-    - "dependencies"
-    - "v1.x"
-  target-branch: "v1.x"
-  schedule:
-    interval: "weekly"
+  # branch - v1.x
+  - package-ecosystem: "maven"
+    directory: "/"
+    labels:
+      - "dependencies"
+      - "v1.x"
+    target-branch: "v1.x"
+    schedule:
+      interval: "weekly"

+  #Dependabot auto-merge PRs for patch/minor versions that are related to critical vulnerabilities
+  - name: Dependabot auto-merge
+    on: pull_request
+    permissions:
+      pull-requests: write
+      contents: write
+    jobs:
+      dependabot:
+        runs-on: ubuntu-latest #needed?
+        if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo' #edit?
+        steps:
+          - name: Fetch Dependabot metadata
+            id: dependabot-metadata
+            uses: dependabot/fetch-metadata@v2
+            with:
+              alert-lookup: true
+              github-token: "${{ secrets.PAT_TOKEN }}"
+          - name: Enable auto-merge for security critical Dependabot PRs
+            #if: ${{contains(steps.dependabot-metadata.outputs.dependency-names, 'rails') && steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch'}}
+            if: steps.dependabot-metadata.outputs.cvss != '0'
+            run: gh pr merge --auto --merge "$PR_URL"
+            env:
+              PR_URL: ${{github.event.pull_request.html_url}}
+              GH_TOKEN: ${{secrets.GITHUB_TOKEN}}