use combined ci-automerge.yml

davidmoten · Apr 14, 2022 · 7da8cd8 · 7da8cd8
1 parent fb987ab
commit 7da8cd8
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 25 deletions.
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,6 +1,16 @@
-name: Java CI
+name: ci 
 
-on: [push]
+## Does continuous integration build with Java 8 and 11 and 
+## if succeeds and due to a dependabot pull request (minor or
+## patch verson change) it will automatically merge the PR. 
+
+## Unlike many sample automerge workflows this does not rely 
+## on third-party libraries apart from the official dependabot
+## repository ones. This reduces the security risk significantly
+## (we don't want to unknowingly merge malicious code or expose 
+## secrets to a malicious third party).
+
+on: [push, pull_request]
 
 jobs:
   build:
@@ -21,3 +31,22 @@ jobs:
         with:
           file: ./**/target/site/jacoco/jacoco.xml
           name: codecov
+  dependabot:
+    runs-on: ubuntu-latest
+    needs: build
+    permissions:
+      pull-requests: write
+      contents: write
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v1.1.1
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Enable auto-merge for Dependabot PRs
+        if: ${{!contains(steps.metadata.outputs.dependency-names, 'maven-plugin-api') && (steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch')}}
+        run: gh pr merge --auto --rebase "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}