-
Notifications
You must be signed in to change notification settings - Fork 0
50 lines (50 loc) · 3.05 KB
/
dependabot-prs.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
name: Dependabot Pull Request
on:
pull_request_target:
types: [opened, synchronize, reopened, labeled]
jobs:
build:
if: startsWith(github.head_ref, 'dependabot/')
runs-on: ubuntu-latest
steps:
- name: Get unique committers
id: unique-committers
run: echo "::set-output name=committers::$(gh pr view $PR_URL --json commits --jq '[.commits.[] | .authors.[] | .login] | unique')"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.PANORAMA_BOT_RW_TOKEN}}
# The last step enables auto-merge in certain situations, but we don't want dependabots that require
# additional work to accidentally get merged before code review so we turn it off here.
- name: Disable auto-merge if there are commits from someone other than Dependabot
if: steps.unique-committers.outputs.committers != '["dependabot[bot]"]'
run: gh pr merge --disable-auto --merge "$PR_URL"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.PANORAMA_BOT_RW_TOKEN}}
- name: Add the Needs QA label to dependabots after any change by someone other than the dependabot bot
# Need to avoid the situation where someone removes the "Needs QA" label and we are adding it back.
if: ${{ github.actor != 'dependabot[bot]' && github.event.action != 'labeled' }}
run: gh pr edit "$PR_URL" --add-label "Needs QA"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.PANORAMA_BOT_RW_TOKEN}}
- name: Fetch Dependabot metadata
if: ${{ github.actor == 'dependabot[bot]' }}
id: dependabot-metadata
uses: dependabot/[email protected]
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"
- name: Approve and merge Dependabot PRs for development dependencies
# Auto-merge the PR if either:
# a) it has the `development-dependencies` label, which we add for certain
# categories of PRs (see `.github/dependabot.yml`), OR
# b) Dependabot has categorized it as a `direct:development` dependency,
# meaning it's in the Gemfile in a `development` or `test` group, OR
# c) our scripts have flagged the PR as an automergeable dependency (i.e
# a stable dependency with good unit test coverage) that has passed
# the waiting period.
if: ${{ (github.actor == 'dependabot[bot]' || github.actor == 'panorama-bot-r') && steps.unique-committers.outputs.committers == '["dependabot[bot]"]' && (contains(github.event.pull_request.labels.*.name, 'development-dependencies') || steps.dependabot-metadata.outputs.dependency-type == 'direct:development' || contains(github.event.pull_request.labels.*.name, 'automerge-dependencies')) }}
run: gh pr merge --auto --merge "$PR_URL" && gh pr edit "$PR_URL" --remove-label "Needs QA" && gh pr review --approve "$PR_URL"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.PANORAMA_BOT_RW_TOKEN}}