This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Dependabot Pull Request Approve and Merge | |
on: | |
- pull_request_target | |
permissions: | |
pull-requests: write | |
contents: write | |
jobs: | |
dependabot: | |
runs-on: ubuntu-latest | |
# Checking the actor will prevent your Action run failing on non-Dependabot | |
# PRs but also ensures that it only does work for Dependabot PRs. | |
if: ${{ github.actor == 'dependabot[bot]' }} | |
steps: | |
# This first step will fail if there's no metadata and so the approval | |
# will not occur. | |
- name: Dependabot metadata | |
id: dependabot-metadata | |
uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0 | |
with: | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
# Checkout repo to make package allow list available | |
- name: Checkout | |
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 | |
# Use a YAML formatted config file to list which dependencies can be auto-merged | |
- name: Read list of Allowed Auto-merge Dependencies | |
id: dependabot-allow-list | |
run: | | |
echo "dependabot-allow-list=$(yq eval '.dependabot.allow-list | join(", ")' .github/workflows/config/config.yml)" >> $GITHUB_OUTPUT | |
# Get the initial AWS IAM User credentials. Only has basic permissions for sts:assumeRole | |
- name: Configure AWS credentials (1) | |
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: us-gov-west-1 | |
# Get credentials from our SSM role. Least privilege method for AWS IAM. | |
- name: Configure AWS Credentials (2) | |
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: us-gov-west-1 | |
role-to-assume: ${{ secrets.AWS_VAGOV_CMS_PROD_READ_SSM_ROLE }} | |
role-duration-seconds: 900 | |
role-session-name: vsp-vagov-cms-githubaction | |
# Get VA_CMS_BOT Github token from SSM. this will be used to approve a matching PR. | |
- name: Get Parameter | |
uses: department-of-veterans-affairs/action-inject-ssm-secrets@d8e6de3bde4dd728c9d732baef58b3c854b8c4bb # latest | |
with: | |
ssm_parameter: /cms/va-cms-bot/github_token | |
env_variable_name: VA_CMS_BOT_TOKEN | |
# Per Workflow secrets.GITHUB_TOKEN can't approve PRs | |
# Instead lookup and use VA CMS BOT Token to do so. | |
- name: Approve a PR | |
if: ${{ contains(steps.dependabot-allow-list.outputs.dependabot-allow-list, steps.dependabot-metadata.outputs.dependency-names) }} | |
run: gh pr review --approve "$PR_URL" | |
env: | |
PR_URL: ${{ github.event.pull_request.html_url }} | |
GITHUB_TOKEN: ${{ env.VA_CMS_BOT_TOKEN }} | |
# Finally, this sets the PR to allow auto-merging for only allowed dependencies | |
- name: Enable auto-merge for Dependabot PRs | |
if: ${{ contains(steps.dependabot-allow-list.outputs.dependabot-allow-list, steps.dependabot-metadata.outputs.dependency-names) }} | |
run: gh pr merge --auto --squash "$PR_URL" | |
env: | |
PR_URL: ${{ github.event.pull_request.html_url }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |