
Update actions/setup-python digest to ece7cb0 #1729

Update actions/setup-python digest to ece7cb0

Update actions/setup-python digest to ece7cb0 #1729

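---
# Auto-merges Dependabot pull requests that are patch or minor version
# updates; major updates are left for a human. The page this was taken from
# had all indentation stripped, so the structure below is reconstructed
# from the keys themselves.
name: Dependabot Auto-merge

on:
  # Bare `pull_request:` = the default activity types
  # (opened, synchronize, reopened).
  pull_request:

# One run per PR; a newer push to the same PR cancels an older queued run.
concurrency:
  group: dependabot-merge-${{ github.event.pull_request.number }}
  cancel-in-progress: true

# Default-deny at workflow scope; the auto-merge job re-asserts the writes
# it actually needs (Scorecard token-permissions).
permissions:
  contents: read

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    # `gh pr merge --auto` needs both: `contents` to perform the merge and
    # `pull-requests` to enable auto-merge on the PR.
    permissions:
      contents: write
      pull-requests: write
    # Spoof-resistant check: github.actor can be impersonated by setting
    # the User-Agent on the API call. Validate both the bot type and the
    # immutable Dependabot user id (49699333). See zizmor `bot-conditions`.
    if: >-
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.event.pull_request.user.id == 49699333 &&
      github.event.pull_request.user.type == 'Bot'
    steps:
      # `audit` only records runner egress, it does not block it. Once the
      # hosts this job actually reaches are known, `egress-policy: block`
      # with an `allowed-endpoints` list is the stronger setting.
      - name: Harden runner (audit mode)
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit

      # A metadata failure must not fail the job: the merge step checks
      # `steps.metadata.outcome` and simply skips when it is not 'success'.
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
        continue-on-error: true
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

      # Only semver-patch and semver-minor are merged automatically; anything
      # else (major, unknown update type) needs a reviewer.
      - name: Auto-merge patch and minor updates
        if: >-
          steps.metadata.outcome == 'success' &&
          (steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
           steps.metadata.outputs.update-type == 'version-update:semver-minor')
        env:
          GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          PR_URL: "${{ github.event.pull_request.html_url }}"
        # Values reach the shell via env, not inline ${{ }} expansion, so the
        # PR URL cannot inject into the command line.
        run: gh pr merge --auto --merge "$PR_URL"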