Bump github/codeql-action from 2.22.8 to 3.25.3 #44
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Approve Dependabot PR's" | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| workflow_call: | |
| secrets: | |
| GH_TOKEN: | |
| required: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| dependabot-check: | |
| runs-on: ubuntu-latest | |
| if: always() # this job needs to run because we use it as a required workflow | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| outputs: | |
| ecosystem: ${{ steps.metadata.outputs.package-ecosystem }} | |
| update-type: ${{ steps.metadata.outputs.update-type }} | |
| token: ${{ steps.get-token.outputs.token }} | |
| steps: | |
| - name: Get correct token to use | |
| if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} | |
| id: get-token | |
| env: | |
| GH_TOKEN: ${{ secrets.GH_TOKEN }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| # shell script to use either secrets.GH_TOKEN or secrets.GITHUB_TOKEN depending on which is set | |
| if [[ $GH_TOKEN ]]; then | |
| echo "Using GH_TOKEN" | |
| echo "token=$GH_TOKEN" > $GITHUB_OUTPUT | |
| else | |
| echo "Using GITHUB_TOKEN" | |
| echo "token=$GITHUB_TOKEN" > $GITHUB_OUTPUT | |
| fi | |
| - name: Load Dependabot metadata | |
| if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} | |
| id: metadata | |
| uses: dependabot/fetch-metadata@0fb21704c18a42ce5aa8d720ea4b912f5e6babef #v2.0.0 | |
| with: | |
| github-token: ${{ steps.get-token.outputs.token }} | |
| - name: Show Dependabot metadata info | |
| if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} | |
| run: | | |
| echo "Found ecosystem: [${{ steps.metadata.outputs.package-ecosystem }}]" | |
| echo "Found update-type: [${{ steps.metadata.outputs.update-type }}]" | |
| - name: Empty step so the job has something to do as it is used as a required workflow | |
| run: echo "Not happy about it, but the job has to run" | |
| dependabot-actions: | |
| runs-on: ubuntu-latest | |
| needs: dependabot-check | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| actions: write #the updates for this ecosystem will push to the .github/workflows folder | |
| steps: | |
| - name: Show needs values | |
| run: | | |
| echo "Got eecosystem: [${{ needs.dependabot-check.outputs.ecosystem }}]" | |
| echo "Got update-type: [${{ needs.dependabot-check.outputs.update-type }}]" | |
| - name: Approve the PR | |
| if: (github.event.pull_request.user.login == 'dependabot[bot]' || needs.dependabot-check.outputs.ecosystem == 'github-actions') && (needs.dependabot-check.outputs.update-type == 'version-update:semver-minor' || needs.dependabot-check.outputs.update-type == 'version-update:semver-patch') | |
| run: gh pr review --approve "$PR_URL" | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Enable auto-merge for Dependabot PRs | |
| if: github.event.pull_request.user.login == 'dependabot[bot]' || needs.dependabot-check.outputs.ecosystem == 'github-actions' | |
| run: gh pr merge --auto --merge "$PR_URL" | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| dependabot-other: | |
| runs-on: ubuntu-latest | |
| needs: dependabot-check | |
| if: always() # this job needs to run because we use it as a required workflow | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| actions: read #the updates for this ecosystem will NOT push to the .github/workflows folder | |
| steps: | |
| - name: Approve the PR | |
| if: (github.event.pull_request.user.login == 'dependabot[bot]' || needs.dependabot-check.outputs.ecosystem == 'github-actions') && (needs.dependabot-check.outputs.update-type == 'version-update:semver-minor' || needs.dependabot-check.outputs.update-type == 'version-update:semver-patch') | |
| run: gh pr review --approve "$PR_URL" | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Enable auto-merge for Dependabot PRs | |
| if: (github.event.pull_request.user.login == 'dependabot[bot]' || needs.dependabot-check.outputs.ecosystem == 'github-actions') && (needs.dependabot-check.outputs.update-type == 'version-update:semver-minor' || needs.dependabot-check.outputs.update-type == 'version-update:semver-patch') | |
| run: gh pr merge --auto --merge "$PR_URL" | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| not-dependabot: | |
| runs-on: ubuntu-latest | |
| if: always() # this job needs to run because we use it as a required workflow | |
| steps: | |
| - name: Empty step | |
| if: ${{ github.event.pull_request.user.login != 'dependabot[bot]' }} | |
| run: echo "Hello user! We needed a job to run in this required workflow, or it prohibits merging" | tee $GITHUB_STEP_SUMMARY |