use better auto-merge mechanism

christian-bromann · christian-bromann · commit 70e6c31ec665 · 2023-02-08T10:26:39.000-08:00
diff --git a/.github/workflows/update.yaml b/.github/workflows/update.yaml
@@ -1,32 +1,47 @@
 # this workflow merges requests from Dependabot if tests are passing
-name: Merge me!
+# ref https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions
+# and https://github.com/dependabot/fetch-metadata
+name: Auto-merge
 
-on:
-    workflow_run:
-        types:
-            - completed
-        workflows:
-            - 'Test'
+# `pull_request_target` means this uses code in the base branch, not the PR.
+on: pull_request_target
+
+# Dependabot PRs' tokens have read permissions by default and thus we must enable write permissions.
+permissions:
+  contents: write
+  pull-requests: write
 
 jobs:
-    merge-me:
-        name: Merge me!
+  dependencies:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+
+    steps:
+      - name: Fetch PR metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v1.3.5
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
 
-        runs-on: ubuntu-latest
+      - name: Wait for PR CI
+        # Don't merge updates to GitHub Actions versions automatically.
+        # (Some repos may wish to limit by version range (major/minor/patch), or scope (dep vs dev-dep), too.)
+        if: contains(steps.metadata.outputs.package-ecosystem, 'npm')
+        uses: lewagon/wait-on-check-action@v1.2.0
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          wait-interval: 30 # seconds
+          running-workflow-name: dependencies # wait for all checks except this one
+          allowed-conclusions: success # all other checks must pass, being skipped or cancelled is not sufficient
 
-        steps:
-            - name: Merge me!
-              if: ${{ github.event.workflow_run.conclusion == 'success' }}
-              uses: ridedott/merge-me-action@v2
-              with:
-                # Depending on branch prodtection rules, a  manually populated
-                # `GITHUB_TOKEN_WORKAROUND` secret with permissions to push to
-                # a protected branch must be used.
-                #
-                # When using a custom token, it is recommended to leave the following
-                # comment for other developers to be aware of the reasoning behind it:
-                #
-                # This must be used as GitHub Actions token does not support pushing
-                # to protected branches.
-                GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-                PRESET: DEPENDABOT_MINOR
+      - name: Auto-merge dependabot PRs
+        # Don't merge updates to GitHub Actions versions automatically.
+        # (Some repos may wish to limit by version range (major/minor/patch), or scope (dep vs dev-dep), too.)
+        if: contains(steps.metadata.outputs.package-ecosystem, 'npm')
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        # The "auto" flag will only merge once all of the target branch's required checks
+        # are met. Configure those in the "branch protection" settings for each repo.
+        run: gh pr merge --auto --squash "$PR_URL"
