version: 2
updates:
  # branch - master
  - package-ecosystem: "maven"
    directory: "/"
    labels:
      - "dependencies"
      - "v3.x"
    target-branch: "master"
    schedule:
      interval: "weekly"

  # branch - v2.x
  - package-ecosystem: "maven"
    directory: "/"
    labels:
      - "dependencies"
      - "v2.x"
    target-branch: "v2.x"
    schedule:
      interval: "weekly"

  # branch - v1.x
  - package-ecosystem: "maven"
    directory: "/"
    labels:
      - "dependencies"
      - "v1.x"
    target-branch: "v1.x"
    schedule:
      interval: "weekly"

#Dependabot auto-merge PRs for patch/minor versions that are related to critical vulnerabilities (maven)
name: Dependabot auto-merge
on: pull_request
permissions:
  pull-requests: write
  contents: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v2
      - name: Enable auto-merge for Dependabot PRs
        if: steps.dependabot-metadata.outputs.cvss != '0'
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}