Skip to content

Bump actions/dependency-review-action from 4.2.5 to 4.3.2 #43

Bump actions/dependency-review-action from 4.2.5 to 4.3.2

Bump actions/dependency-review-action from 4.2.5 to 4.3.2 #43

name: "Approve Dependabot PR's"
on:
workflow_dispatch:
pull_request:
workflow_call:
secrets:
GH_TOKEN:
required: true
permissions:
contents: read
jobs:
dependabot-check:
runs-on: ubuntu-latest
if: always() # this job needs to run because we use it as a required workflow
permissions:
contents: read
pull-requests: read
outputs:
ecosystem: ${{ steps.metadata.outputs.package-ecosystem }}
update-type: ${{ steps.metadata.outputs.update-type }}
token: ${{ steps.get-token.outputs.token }}
steps:
- name: Get correct token to use
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
id: get-token
env:
GH_TOKEN: ${{ secrets.GH_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# shell script to use either secrets.GH_TOKEN or secrets.GITHUB_TOKEN depending on which is set
if [[ $GH_TOKEN ]]; then
echo "Using GH_TOKEN"
echo "token=$GH_TOKEN" > $GITHUB_OUTPUT
else
echo "Using GITHUB_TOKEN"
echo "token=$GITHUB_TOKEN" > $GITHUB_OUTPUT
fi
- name: Load Dependabot metadata
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
id: metadata
uses: dependabot/fetch-metadata@0fb21704c18a42ce5aa8d720ea4b912f5e6babef #v2.0.0
with:
github-token: ${{ steps.get-token.outputs.token }}
- name: Show Dependabot metadata info
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
run: |
echo "Found ecosystem: [${{ steps.metadata.outputs.package-ecosystem }}]"
echo "Found update-type: [${{ steps.metadata.outputs.update-type }}]"
- name: Empty step so the job has something to do as it is used as a required workflow
run: echo "Not happy about it, but the job has to run"
dependabot-actions:
runs-on: ubuntu-latest
needs: dependabot-check
permissions:
contents: write
pull-requests: write
actions: write #the updates for this ecosystem will push to the .github/workflows folder
steps:
- name: Show needs values
run: |
echo "Got eecosystem: [${{ needs.dependabot-check.outputs.ecosystem }}]"
echo "Got update-type: [${{ needs.dependabot-check.outputs.update-type }}]"
- name: Approve the PR
if: (github.event.pull_request.user.login == 'dependabot[bot]' || needs.dependabot-check.outputs.ecosystem == 'github-actions') && (needs.dependabot-check.outputs.update-type == 'version-update:semver-minor' || needs.dependabot-check.outputs.update-type == 'version-update:semver-patch')
run: gh pr review --approve "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Enable auto-merge for Dependabot PRs
if: github.event.pull_request.user.login == 'dependabot[bot]' || needs.dependabot-check.outputs.ecosystem == 'github-actions'
run: gh pr merge --auto --merge "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
dependabot-other:
runs-on: ubuntu-latest
needs: dependabot-check
if: always() # this job needs to run because we use it as a required workflow
permissions:
contents: write
pull-requests: write
actions: read #the updates for this ecosystem will NOT push to the .github/workflows folder
steps:
- name: Approve the PR
if: (github.event.pull_request.user.login == 'dependabot[bot]' || needs.dependabot-check.outputs.ecosystem == 'github-actions') && (needs.dependabot-check.outputs.update-type == 'version-update:semver-minor' || needs.dependabot-check.outputs.update-type == 'version-update:semver-patch')
run: gh pr review --approve "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Enable auto-merge for Dependabot PRs
if: (github.event.pull_request.user.login == 'dependabot[bot]' || needs.dependabot-check.outputs.ecosystem == 'github-actions') && (needs.dependabot-check.outputs.update-type == 'version-update:semver-minor' || needs.dependabot-check.outputs.update-type == 'version-update:semver-patch')
run: gh pr merge --auto --merge "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
not-dependabot:
runs-on: ubuntu-latest
if: always() # this job needs to run because we use it as a required workflow
steps:
- name: Empty step
if: ${{ github.event.pull_request.user.login != 'dependabot[bot]' }}
run: echo "Hello user! We needed a job to run in this required workflow, or it prohibits merging" | tee $GITHUB_STEP_SUMMARY