add GHA to auto merge dependabot PRs when the builds pass

duncancrawford · duncancrawford · commit 726ee8b32355 · 2026-04-01T13:52:56.000+01:00
Additionally add API spec check upon publishing a release artefact
diff --git a/.github/workflows/auto-merge-dependabot.yml b/.github/workflows/auto-merge-dependabot.yml
@@ -0,0 +1,25 @@
+name: Auto-merge Dependabot PRs
+
+on:
+  pull_request:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Approve PR
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Enable auto-merge
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/ci-released.yml b/.github/workflows/ci-released.yml
@@ -6,6 +6,25 @@ on:
   workflow_dispatch:
 
 jobs:
+  validate-api-spec-version:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up JDK
+        uses: actions/setup-java@v5
+        with:
+          distribution: 'temurin'
+          java-version: '25'
+
+      - name: Set up Gradle
+        uses: gradle/actions/setup-gradle@v5
+        with:
+          gradle-version: current
+
+      - name: Validate apiSpec version is fixed
+        run: ./gradlew validateApiSpecVersions
+
   ci-release:
     uses: ./.github/workflows/ci-build-publish.yml
     secrets:
diff --git a/.gitignore b/.gitignore
@@ -33,3 +33,5 @@ applicationinsights-agent-*.jar
 
 .DS_Store
 */.DS_Store
+
+.claude
diff --git a/build.gradle b/build.gradle
@@ -24,12 +24,16 @@ apply {
 
   from("$rootDir/gradle/api-test.gradle")
 }
+configurations {
+  apiSpec
+  implementation.extendsFrom apiSpec
+}
 
 // We MUST keep all dependencies in the build.gradle to allow dependabot to provide version updates
 // Sadly, dependabot does not track dependencies in the apply-from files
 dependencies {
   // Api spec
-  implementation("uk.gov.hmcts.cp:api-hmcts-crime-template:2.0.2")
+  apiSpec "uk.gov.hmcts.cp:api-hmcts-crime-template:2.0.2"
   implementation 'io.swagger.core.v3:swagger-core:2.2.45'
 
 
diff --git a/gradle/apispec-validation.gradle b/gradle/apispec-validation.gradle
@@ -0,0 +1,32 @@
+// Validates that all dependencies in the 'apiSpec' configuration use fixed release versions.
+//
+// During development, apiSpec dependencies may reference draft versions (e.g. 1.0.7-a3b4c5d)
+// which include a short Git SHA suffix. These are useful for testing against unreleased API specs
+// but must not be present in release builds.
+//
+// This task resolves the apiSpec configuration and rejects any version that does not match
+// the strict X.Y.Z semver pattern. It is intended to be run as a gate in the release workflow
+// to prevent publishing against draft API specs.
+//
+// Usage: ./gradlew validateApiSpecVersions
+
+tasks.register('validateApiSpecVersions') {
+  description = 'Validates that the apiSpec dependency uses a fixed release version (no pre-release suffixes)'
+  group = 'verification'
+  doLast {
+    def fixedVersionPattern = ~/^\d+\.\d+\.\d+$/
+    def failures = []
+    configurations.apiSpec.dependencies.each { dep ->
+      if (!(dep.version ==~ fixedVersionPattern)) {
+        failures << "${dep.group}:${dep.name}:${dep.version}"
+      }
+    }
+    if (failures) {
+      throw new GradleException(
+        "apiSpec contains non-fixed versions:\n  ${failures.join('\n  ')}\n" +
+        "Release builds require fixed versions (X.Y.Z). Draft versions (e.g. vX.Y.Z-<short-sha>) are not allowed."
+      )
+    }
+    println "apiSpec dependency version is a valid fixed release version."
+  }
+}
