powertools-lambda-java/.github/workflows/security-dependabot.yml at 497b29bd8386f81387110e13cdc50b84feb0d978 · aws-powertools/powertools-lambda-java · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# Auto merges dependabot PRs
#
# Description:
#   Auto-merges dependabot PRs if all checks pass
#   We verify all commits in the PR to ensure no one else has committed to the PR
#
# Triggers:
#   - pull_request

on:
  pull_request:
    branches: [ dependabot/* ]

name: Dependabot updates
run-name: Dependabot

permissions:
  contents: read

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'aws-powertools/powertools-lambda-java' }}
    permissions:
      pull-requests: write
    steps:
      - id: dependabot-metadata
        name: Fetch Dependabot metadata
        uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0
      - name: Fail workflow
        if: ${{ steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major' }}
        run: |
          echo "::error::Major version upgrades are not wanted"
      - name: Approve PR
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh pr review "${{ github.event.pull_request.html_url }}" --approve --body '🤖 Approved by another robot.'
      - name: Enable auto-merge on PR
        run: gh pr merge --auto --squash "${{ github.event.pull_request.html_url }}"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}