build(deps): bump codecov/codecov-action from 6.0.1 to 7.0.0 #20
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Dependabot auto-merge | |
| # Auto-enable GitHub auto-merge ("--auto") for Dependabot patch/minor PRs. | |
| # The PR still only merges once branch protection's required checks | |
| # (the single "test" job) pass. Gated to the trusted dependabot[bot] actor | |
| # AND author; on: pull_request (not pull_request_target); never runs or | |
| # trusts third-party PR code. | |
| on: pull_request | |
| concurrency: | |
| group: dependabot-automerge-${{ github.event.pull_request.number }} | |
| cancel-in-progress: false | |
| permissions: {} | |
| jobs: | |
| dependabot: | |
| name: Auto-merge Dependabot patch/minor PRs | |
| runs-on: ubuntu-latest | |
| # Verify both the triggering actor and the PR author to avoid actor spoofing. | |
| if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]' | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| - name: Fetch Dependabot metadata | |
| id: metadata | |
| uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2 | |
| with: | |
| github-token: "${{ secrets.GITHUB_TOKEN }}" | |
| - name: Enable auto-merge for patch and minor updates | |
| if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' | |
| run: gh pr merge --auto --squash "$PR_URL" | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |