diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml deleted file mode 100644 index 9ee77e7..0000000 --- a/.github/workflows/dependabot-automerge.yaml +++ /dev/null @@ -1,179 +0,0 @@ -# Automatically merge a Dependabot PR. -# Should ONLY be used when the default branch is protected with CI check requirements. -# -# Users must opt into merging upgrades by ecosystem and semver gap, e.g. "minor upgrades to github actions" or "patch upgrades to npm". -# Accepting major upgrades implies accepting minor and patch. Accepting minor implies patch. -# -# This should be called on: -# - pull_request.{opened,reopened,synchronize}: ideally filtered to lockfile paths (e.g. go.sum, yarn.lock) - -# IDEA: maybe filter by package name? Could be workflow inputs, or we clone the repo's default branch and look for a `.github/automerge-allowlist.txt` or something. - -on: - workflow_call: - inputs: - all: - required: false - type: string - default: none - description: | - Upgrades to automatically merge. Valid values are: all, none, major, minor, patch. - - # Prefer alphabetical, but "all" is special. - actions: - required: false - type: string - default: none - description: | - GitHub Actions upgrades to automatically merge. Valid values are: all, none, major, minor, patch. - gomod: - required: false - type: string - default: none - description: | - Go upgrades to automatically merge. Valid values are: all, none, major, minor, patch. - npm: - required: false - type: string - default: none - description: | - NPM upgrades to automatically merge. Valid values are: all, none, major, minor, patch. - secrets: - token: - required: true - description: GitHub token - probably secrets.GITHUB_TOKEN - -permissions: {} - -jobs: - automerge: - runs-on: ubuntu-latest - if: github.event.pull_request.user.login == 'dependabot[bot]' - permissions: - contents: write - pull-requests: write - steps: - - name: Validate inputs - run: | - echo "all=${{ inputs.all }}" - if [[ ! "${{ inputs.all }}" =~ ^(all|none|major|minor|patch)$ ]]; then - echo "Invalid input: all=${{ inputs.all }}" - exit 1 - fi - - echo "actions=${{ inputs.actions }}" - if [[ ! "${{ inputs.actions }}" =~ ^(all|none|major|minor|patch)$ ]]; then - echo "Invalid input: actions=${{ inputs.actions }}" - exit 1 - fi - - echo "gomod=${{ inputs.gomod }}" - if [[ ! "${{ inputs.gomod }}" =~ ^(all|none|major|minor|patch)$ ]]; then - echo "Invalid input: gomod=${{ inputs.gomod }}" - exit 1 - fi - - echo "npm=${{ inputs.npm }}" - if [[ ! "${{ inputs.npm }}" =~ ^(all|none|major|minor|patch)$ ]]; then - echo "Invalid input: npm=${{ inputs.npm }}" - exit 1 - fi - - - name: Retrieve Dependabot metadata - id: metadata - uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0 - with: - github-token: ${{ secrets.token }} - - - name: Merge GitHub Actions update - if: | - steps.metadata.outputs.package-ecosystem == 'github_actions' && - ( - (inputs.all == 'all' || inputs.actions == 'all') || - ( - steps.metadata.outputs.update-type == 'version-update:semver-major' && - (inputs.all == 'major' || inputs.actions == 'major') - ) || - ( - steps.metadata.outputs.update-type == 'version-update:semver-minor' && - ( - (inputs.all == 'major' || inputs.actions == 'major') || - (inputs.all == 'minor' || inputs.actions == 'minor') - ) - ) || - ( - steps.metadata.outputs.update-type == 'version-update:semver-patch' && - (inputs.all != 'none' || inputs.actions != 'none') - ) - ) - env: - GITHUB_TOKEN: ${{ secrets.token }} - MERGE_ALL: ${{ inputs.all }} - MERGE_ECOSYSTEM: ${{ inputs.actions }} - UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }} - PR_URL: ${{ github.event.pull_request.html_url }} - run: | - gh pr review --approve --body "Merging this \`${UPDATE_TYPE}\` update (actions: \`${MERGE_ECOSYSTEM}\`, all: \`${MERGE_ALL}\`)" "$PR_URL" - gh pr merge --auto --merge "$PR_URL" - - - name: Merge NPM update - if: | - steps.metadata.outputs.package-ecosystem == 'npm_and_yarn' && - ( - (inputs.all == 'all' || inputs.npm == 'all') || - ( - steps.metadata.outputs.update-type == 'version-update:semver-major' && - (inputs.all == 'major' || inputs.npm == 'major') - ) || - ( - steps.metadata.outputs.update-type == 'version-update:semver-minor' && - ( - (inputs.all == 'major' || inputs.npm == 'major') || - (inputs.all == 'minor' || inputs.npm == 'minor') - ) - ) || - ( - steps.metadata.outputs.update-type == 'version-update:semver-patch' && - (inputs.all != 'none' || inputs.npm != 'none') - ) - ) - env: - GITHUB_TOKEN: ${{ secrets.token }} - MERGE_ALL: ${{ inputs.all }} - MERGE_ECOSYSTEM: ${{ inputs.npm }} - UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }} - PR_URL: ${{ github.event.pull_request.html_url }} - run: | - gh pr review --approve --body "Merging this \`${UPDATE_TYPE}\` update (npm: \`${MERGE_ECOSYSTEM}\`, all: \`${MERGE_ALL}\`)" "$PR_URL" - gh pr merge --auto --merge "$PR_URL" - - - name: Merge Go update - if: | - steps.metadata.outputs.package-ecosystem == 'go_modules' && - ( - (inputs.all == 'all' || inputs.go_modules == 'all') || - ( - steps.metadata.outputs.update-type == 'version-update:semver-major' && - (inputs.all == 'major' || inputs.go_modules == 'major') - ) || - ( - steps.metadata.outputs.update-type == 'version-update:semver-minor' && - ( - (inputs.all == 'major' || inputs.go_modules == 'major') || - (inputs.all == 'minor' || inputs.go_modules == 'minor') - ) - ) || - ( - steps.metadata.outputs.update-type == 'version-update:semver-patch' && - (inputs.all != 'none' || inputs.go_modules != 'none') - ) - ) - env: - GITHUB_TOKEN: ${{ secrets.token }} - MERGE_ALL: ${{ inputs.all }} - MERGE_ECOSYSTEM: ${{ inputs.gomod }} - UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }} - PR_URL: ${{ github.event.pull_request.html_url }} - run: | - gh pr review --approve --body "Merging this \`${UPDATE_TYPE}\` update (gomod: \`${MERGE_ECOSYSTEM}\`, all: \`${MERGE_ALL}\`)" "$PR_URL" - gh pr merge --auto --merge "$PR_URL" diff --git a/README.md b/README.md index 4a1c701..5e9d7ba 100644 --- a/README.md +++ b/README.md @@ -58,44 +58,6 @@ jobs: -### dependabot-automerge.yaml - -Automatically approve and merge Dependabot PRs matching certain criteria. Supports filtering by ecosystem and semver gap, such as "all actions minor+patch updates". - -Repositories using this workflow must: -* Have `Allow auto-merge` [enabled](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request#enabling-auto-merge). -* Have branch protection enabled, with the `Require status checks to pass before merging` option enforcing CI. - - -
-Example Workflow - -```yaml -name: Dependabot auto-merge -on: - pull_request: - types: - - opened - - reopened - - synchronize - paths: - - '.github/workflows/**' - -permissions: {} - -jobs: - automerge: - permissions: - contents: write - pull-requests: write - uses: Shopify/github-workflows/.github/workflows/dependabot-automerge.yaml@c395c2cfd65be9a36f5dcfd21f4a2498a477fed4 # v0.0.6 - with: - actions: minor -``` - -
- - ### scorecard.yaml Publish an [OpenSSF Scorecard](https://securityscorecards.dev/) for a project.