.github/workflows/dependabot-approve-and-auto-merge.yml

name: Dependabot Pull Request Approve and Merge
on: pull_request_target
permissions:
  pull-requests: write
  contents: write
jobs:
  # Auto merge Dependabot PRs for:
  # - patch updates on prod dependencies
  # - minor updates on dev dependencies
  dependabot-auto-merge:
    # Only run for Dependabot PRs
    if: ${{ github.actor == 'dependabot[bot]' }}
    runs-on: ubuntu-latest
    steps:
      - name: 'Fetch Dependabot metadata'
        id: dependabot
        uses: dependabot/fetch-metadata@v1

      - name: 'Check auto merge conditions'
        id: auto-merge
        if: |
          (
            steps.dependabot.outputs.update-type == 'version-update:semver-patch' &&
            contains('direct:production,indirect:production', steps.dependabot.outputs.dependency-type)
          ) || (
            contains('version-update:semver-minor,version-update:semver-patch', steps.dependabot.outputs.update-type) &&
            contains('direct:development,indirect:development', steps.dependabot.outputs.dependency-type)
          )
        run: echo "::notice ::auto-merge conditions satisfied"

      - name: 'Approve and merge PR'
        if: ${{ steps.auto-merge.conclusion == 'success' }}
        run: |
          gh pr review --approve "$PR_URL"
          gh pr merge --auto --squash "$PR_URL"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}