Bump the actions group in /.github/workflows with 4 updates #73
Workflow file for this run
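# Auto-approves Dependabot pull requests against main and enables auto-merge
# on them, but only for semver-minor and semver-patch updates.
name: Dependabot CI Updates

on:
  pull_request:
    branches:
      - main
    types:
      - opened
      - synchronize

# Workflow-wide default is read-only; the job below raises only what it needs.
permissions:
  contents: read

jobs:
  dependabot-auto-approve:
    name: Auto-approve and auto-merge safe Dependabot updates
    runs-on: ubuntu-latest
    # Gate on the PR author and the 'dependencies' label.
    # NOTE(review): this checks who opened the PR, not who pushed the latest
    # commit; a `synchronize` event also fires for pushes by other accounts.
    # Confirm branch protection (or the metadata step's own verification)
    # covers that case before relying on the automatic approval.
    if: >
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      contains(github.event.pull_request.labels.*.name, 'dependencies')
    # Write scopes are needed to submit the review and to enable auto-merge.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          disable-sudo: true
          # 'audit' only records outbound connections. Once the required
          # endpoints are known, 'block' with an allow-list enforces them.
          egress-policy: audit

      - name: Fetch Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Fails closed: any update-type other than minor/patch (including an
      # empty value) sets skip=true, which disables every step below.
      - name: Stop workflow if not minor update or patch update
        id: skip-condition
        if: >
          steps.dependabot-metadata.outputs.update-type != 'version-update:semver-minor' &&
          steps.dependabot-metadata.outputs.update-type != 'version-update:semver-patch'
        run: |
          echo "Not a minor or patch update; skipping auto-approval."
          echo "skip=true" >> "$GITHUB_OUTPUT"

      # persist-credentials: false keeps the token out of the checked-out
      # repository's git config.
      # NOTE(review): the gh commands below address the PR by URL, so this
      # checkout may be unnecessary in a job that holds write permissions.
      - name: Checkout Repository
        if: steps.skip-condition.outputs.skip != 'true'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          persist-credentials: false

      - name: Approve Changes
        if: steps.skip-condition.outputs.skip != 'true'
        # Query the review state of the PR named by PR_URL rather than of the
        # "current branch": a pull_request checkout is normally a detached
        # merge ref, so the current branch may not resolve to this PR.
        run: |
          decision="$(gh pr view "$PR_URL" --json reviewDecision -q .reviewDecision)"
          if [ "$decision" != "APPROVED" ]; then
            gh pr review --approve "$PR_URL"
          else
            echo "PR already approved: skipping approval."
          fi
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}

      # --auto merges only after the repository's required checks and
      # reviews pass; without such requirements it may merge immediately.
      - name: Enable auto-merge on Pull Request
        if: steps.skip-condition.outputs.skip != 'true'
        run: |
          gh pr merge --auto --merge "$PR_URL"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}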