ci: bump dependabot/fetch-metadata from 2.4.0 to 2.5.0 #15
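# Auto-merge dependency updates for repositories WITHOUT branch protection
# Uses direct merge since --auto flag requires branch protection
#
# Security notes:
# - pull_request_target runs in the base repository's context with the
#   write-scoped token below. No step here checks out or executes code from
#   the pull request; keep it that way.
# - Without branch protection, the "Wait for CI checks" step is the only gate
#   between a dependency PR and the default branch.
name: Auto-merge dependency PRs

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Write access is needed to approve (pull-requests) and merge (contents).
permissions:
  contents: write
  pull-requests: write

jobs:
  auto-merge:
    name: Auto-merge dependency PRs
    runs-on: ubuntu-latest
    # Use PR author login instead of github.actor to handle synchronize events
    # when someone else pushes to the dependabot/renovate branch
    # NOTE(review): as a consequence, commits that a collaborator pushes onto a
    # bot-opened branch are approved and merged by this job as well.
    if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'renovate[bot]'
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          # audit only records outbound traffic; it does not block anything.
          egress-policy: audit

      # NOTE(review): no later step reads steps.metadata.outputs, so every
      # update type (major bumps included) is merged once checks pass.
      - name: Dependabot metadata
        id: metadata
        if: github.event.pull_request.user.login == 'dependabot[bot]'
        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

      - name: Auto-approve PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: "${{ github.event.pull_request.html_url }}"
          GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      # Polls for up to 60 x 10 s. A check only counts as passed when its
      # state is SUCCESS, SKIPPED or NEUTRAL; known failure states stop the
      # job; any other state is treated as still pending, so an unrecognised
      # state ends in a timeout instead of a merge.
      # NOTE(review): an empty check list (other workflows not registered yet,
      # or a repository with no CI) still passes immediately.
      - name: Wait for CI checks
        run: |
          echo "Waiting for CI checks to complete..."
          for i in {1..60}; do
            # Exclude this workflow's own check, which is always in progress here
            CHECKS=$(gh pr checks "$PR_URL" --json name,state \
              --jq '[.[] | select(.name != "Auto-merge dependency PRs")]')
            TOTAL=$(echo "$CHECKS" | jq 'length')
            PASSED=$(echo "$CHECKS" | jq '[.[] | select(.state == "SUCCESS" or .state == "SKIPPED" or .state == "NEUTRAL")] | length')
            FAILED=$(echo "$CHECKS" | jq '[.[] | select(.state == "FAILURE" or .state == "ERROR" or .state == "CANCELLED" or .state == "TIMED_OUT" or .state == "ACTION_REQUIRED" or .state == "STARTUP_FAILURE")] | length')
            # Everything that is neither an explicit pass nor a known failure
            PENDING=$((TOTAL - PASSED - FAILED))

            if [ "$FAILED" != "0" ]; then
              echo "Some checks failed, skipping merge"
              exit 1
            fi

            if [ "$PENDING" = "0" ]; then
              echo "All checks passed!"
              exit 0
            fi

            echo "Waiting for $PENDING check(s)... (attempt $i/60)"
            sleep 10
          done
          echo "Timeout waiting for checks"
          exit 1
        env:
          PR_URL: "${{ github.event.pull_request.html_url }}"
          GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      # --match-head-commit refuses the merge if the branch head is no longer
      # the commit that triggered this run, so a push that lands while the job
      # is waiting is not merged on the strength of this run's approval.
      - name: Merge PR
        run: gh pr merge --rebase --match-head-commit "$HEAD_SHA" "$PR_URL"
        env:
          PR_URL: "${{ github.event.pull_request.html_url }}"
          HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
          GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"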