chore(deps): Bump the actions group with 3 updates #448
# Auto-approves and enables auto-merge for Dependabot PRs that are not
# semver-major updates. Runs on pull_request_target, i.e. with the BASE
# branch's copy of this workflow and a token scoped to the base repository;
# no step checks out or executes code from the PR head.
name: Dependabot Auto-Merge
on:  # yamllint disable-line rule:truthy
  # pull_request_target grants a write-capable GITHUB_TOKEN to PRs from
  # forks, so every step below must stay free of untrusted-input execution
  # (no actions/checkout of the PR head, no eval of PR-controlled text).
  pull_request_target:
# Workflow-level default is read-only; only the auto-merge job elevates.
permissions:
  contents: read
# One run per PR; a newer push to the same PR cancels the in-flight run.
concurrency:
  group: dependabot-auto-merge-${{ github.event.pull_request.number }}
  cancel-in-progress: true
jobs:
  auto-merge:
    name: Auto-merge Dependabot PRs
    # contents: write is needed for `gh pr merge`, pull-requests: write for
    # `gh pr review --approve` and for enabling auto-merge.
    permissions:
      contents: write
      pull-requests: write
    runs-on: ubuntu-latest
    timeout-minutes: 5
    # This actor check is the gate that keeps non-Dependabot PRs away from
    # the approve/merge steps; the `dependabot[bot]` login is a GitHub App
    # identity, not a user-chosen name.
    if: >
      github.event_name == 'pull_request_target' &&
      github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      # Actions are pinned to full commit SHAs; the trailing comment records
      # the matching tag for readability.
      - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          # `audit` records outbound connections but does not block them;
          # NOTE(review): consider `block` with an allowed-endpoints list
          # once the endpoints this job needs have been observed in audit logs.
          egress-policy: audit
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          # Disables fetch-metadata's check that the PR commits are signed by
          # Dependabot. With this off, the job's only trust gate is the
          # `user.login` condition above, and the exact `update-type` value
          # it acts on comes from the PR metadata. NOTE(review): confirm
          # this trade-off is intended; re-enabling verification is the
          # more defensive default.
          skip-commit-verification: true
      - name: Approve and enable auto-merge (patch/minor only)
        # Only patch/minor (and anything fetch-metadata does not classify as
        # major) reaches this step; major updates fall through to the
        # "Skip major updates" step below.
        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # PR_URL is passed via env (not interpolated into the script) so
          # it is never treated as shell syntax.
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          # The approval is authored by github-actions[bot]; whether it
          # satisfies a required-review rule depends on the branch ruleset.
          gh pr review --approve "$PR_URL"
          # --auto defers the actual merge until required checks pass.
          gh pr merge --auto --squash "$PR_URL"
          echo "Auto-merge enabled — will merge when CI passes"
      - name: Skip major updates
        if: steps.metadata.outputs.update-type == 'version-update:semver-major'
        run: echo "Skipping major version update — requires manual review"
# NOTE: A rebase-dependabot job was removed here. It updated open
# Dependabot PR branches on every push to main, but caused more harm
# than good: GITHUB_TOKEN pushes do not trigger other workflows (GitHub
# infinite-loop prevention), so the rebase invalidated existing CI
# results without starting new ones, leaving PRs stuck in "no required
# checks reported" limbo. With strict_required_status_checks_policy
# disabled in the branch ruleset, PRs can merge when behind main, so
# auto-rebase is unnecessary. Dependabot handles its own rebases when
# conflicts arise.