feat: add auto-merge workflow for Dependabot updates

ShocOne · ShocOne · commit b272ab2a63b8 · 2024-11-05T12:58:01.000Z
diff --git a/.github/workflows/auto-merge-dependabot.yml b/.github/workflows/auto-merge-dependabot.yml
@@ -0,0 +1,171 @@
+name: auto-merge dependabot updates
+
+on:
+  pull_request_target:
+    branches: [ main ]
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - ready_for_review
+
+permissions:
+  pull-requests: write
+  contents: write
+
+jobs:
+  dependabot-merge:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' }}
+
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2.2.0
+        with:
+          github-token: "${{ secrets.DEPENDABOT_PAT }}"  # Using PAT for enhanced features, alert-lookup, and compat-lookup
+          alert-lookup: true    # Enable security alert information
+          compat-lookup: true   # Enable compatibility score checking
+
+      - name: Check security and compatibility
+        id: security_check
+        run: |
+          DEPS_JSON='${{ steps.metadata.outputs.updated-dependencies-json }}'
+          
+          # Perform checks
+          if [ "${{ steps.metadata.outputs.alert-state }}" = "OPEN" ]; then
+            echo "⚠️ Security alert detected (GHSA: ${{ steps.metadata.outputs.ghsa-id }})"
+            echo "CVSS Score: ${{ steps.metadata.outputs.cvss }}"
+            echo "is_security_update=true" >> $GITHUB_OUTPUT
+          else
+            echo "is_security_update=false" >> $GITHUB_OUTPUT
+          fi
+          
+          if [ "${{ steps.metadata.outputs.compatibility-score }}" -lt 75 ]; then
+            echo "⚠️ Low compatibility score: ${{ steps.metadata.outputs.compatibility-score }}"
+            echo "is_compatible=false" >> $GITHUB_OUTPUT
+          else
+            echo "is_compatible=true" >> $GITHUB_OUTPUT
+          fi
+          
+          if [ "${{ steps.metadata.outputs.maintainer-changes }}" = "true" ]; then
+            echo "⚠️ Maintainer changes detected"
+            echo "has_maintainer_changes=true" >> $GITHUB_OUTPUT
+          else
+            echo "has_maintainer_changes=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        if: ${{ steps.metadata.outputs.package-ecosystem == 'gomod' }}
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        if: ${{ steps.metadata.outputs.package-ecosystem == 'gomod' }}
+        with:
+          go-version: 'stable'
+
+      - name: Process Go dependencies
+        if: ${{ steps.metadata.outputs.package-ecosystem == 'gomod' }}
+        run: |
+          log_update_details() {
+            local pr_number=$1
+            echo "::group::Dependency Update Details for PR #$pr_number"
+            echo "🔄 Dependencies: ${{ steps.metadata.outputs.dependency-names }}"
+            echo "📦 Type: ${{ steps.metadata.outputs.dependency-type }}"
+            echo "📈 Version: ${{ steps.metadata.outputs.previous-version }} → ${{ steps.metadata.outputs.new-version }}"
+            echo "📂 Directory: ${{ steps.metadata.outputs.directory }}"
+            [ "${{ steps.security_check.outputs.is_security_update }}" = "true" ] && \
+              echo "🚨 Security update (CVSS: ${{ steps.metadata.outputs.cvss }})"
+            echo "::endgroup::"
+          }
+
+          echo "🔍 Fetching all Go-related Dependabot PRs..."
+          GO_PRS=$(gh pr list \
+            --author "dependabot[bot]" \
+            --json number,title,createdAt,headRefName \
+            --state open \
+            --jq 'sort_by(.createdAt) | .[] | select(.title | contains("go.mod"))')
+
+          CURRENT_PR_PROCESSED=false
+          
+          echo "$GO_PRS" | while read -r pr; do
+            PR_NUMBER=$(echo "$pr" | jq -r .number)
+            HEAD_BRANCH=$(echo "$pr" | jq -r .headRefName)
+            
+            log_update_details $PR_NUMBER
+            
+            # Skip indirect dependencies unless they're security updates
+            if [ "${{ steps.metadata.outputs.dependency-type }}" = "indirect" ] && \
+               [ "${{ steps.security_check.outputs.is_security_update }}" != "true" ]; then
+              echo "⏭️ Skipping indirect dependency update"
+              continue
+            fi
+
+            # Special handling for security updates
+            if [ "${{ steps.security_check.outputs.is_security_update }}" = "true" ]; then
+              echo "🚨 Processing security update with priority"
+              PRIORITY_MERGE=true
+            fi
+
+            git fetch origin $HEAD_BRANCH
+            git checkout $HEAD_BRANCH
+            git pull origin $HEAD_BRANCH
+            
+            echo "🛠️ Running go mod tidy for PR #$PR_NUMBER"
+            go mod tidy
+            
+            if git diff --quiet; then
+              echo "✨ No changes required for PR #$PR_NUMBER"
+            else
+              echo "💾 Committing changes for PR #$PR_NUMBER"
+              git config --global user.name "GitHub Actions"
+              git config --global user.email "actions@github.com"
+              git commit -am "chore: go mod tidy for PR #$PR_NUMBER"
+              git push origin $HEAD_BRANCH
+            fi
+            
+            # Auto-merge decision logic
+            if [ "$PR_NUMBER" = "$CURRENT_PR_NUMBER" ]; then
+              CURRENT_PR_PROCESSED=true
+              if { [ "$UPDATE_TYPE" != "version-update:semver-major" ] || \
+                  [ "${{ steps.security_check.outputs.is_security_update }}" = "true" ]; } && \
+                  [ "${{ steps.security_check.outputs.is_compatible }}" = "true" ] && \
+                  [ "${{ steps.security_check.outputs.has_maintainer_changes }}" = "false" ]; then
+                echo "🤖 Enabling auto-merge for current PR #$PR_NUMBER"
+                gh pr merge --auto --merge "$PR_URL"
+              fi
+            elif [ "$CURRENT_PR_PROCESSED" = false ]; then
+              echo "🔄 Processing older PR #$PR_NUMBER first"
+              gh pr merge --auto --merge "$PR_NUMBER"
+            fi
+          done
+        env:
+          GITHUB_TOKEN: ${{ secrets.DEPENDABOT_PAT }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          CURRENT_PR_NUMBER: ${{ github.event.pull_request.number }}
+          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
+
+      # Handle other dependencies with security awareness
+      - name: Enable auto-merge for pipeline dependencies
+        if: |
+          steps.security_check.outputs.is_compatible == 'true' &&
+          steps.security_check.outputs.has_maintainer_changes == 'false' &&
+          (steps.metadata.outputs.update-type != 'version-update:semver-major' || steps.security_check.outputs.is_security_update == 'true') && 
+          contains(steps.metadata.outputs.directory, '.github/workflows')
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.DEPENDABOT_PAT}}
+
+      - name: Enable auto-merge for other dependencies
+        if: |
+          steps.security_check.outputs.is_compatible == 'true' &&
+          steps.security_check.outputs.has_maintainer_changes == 'false' &&
+          (steps.metadata.outputs.update-type != 'version-update:semver-major' || steps.security_check.outputs.is_security_update == 'true') && 
+          steps.metadata.outputs.package-ecosystem != 'gomod' &&
+          !contains(steps.metadata.outputs.directory, '.github/workflows')
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.DEPENDABOT_PAT}}
