ci: enhance GitHub Actions workflows with security and performance improvements #5
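---
# Auto-merges Dependabot patch updates; minor/major updates get a comment
# asking for human review. Every value taken from the event payload is
# passed to the shell through `env:` so it is handled as data, not code.
name: Dependabot Auto-Merge

on:
  pull_request:
    # NOTE(review): no step inspects labels, so `labeled` only re-runs the
    # decision. A human applying a label is not `dependabot[bot]`, so that
    # event is skipped by the job-level `if` below — confirm the trigger is wanted.
    types: [opened, synchronize, reopened, labeled]

# Least privilege: `gh pr merge` needs contents + pull-requests write,
# `gh pr comment` needs pull-requests write. Nothing else is granted.
permissions:
  contents: write
  pull-requests: write

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: false  # Don't cancel merge operations mid-process

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    # github.actor is whoever triggered the event, so only Dependabot's own
    # opened/synchronize/reopened pushes reach the merge step.
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Dependabot metadata
        id: metadata
        # TODO(review): pin to a full-length commit SHA (`@<sha> # v2`) so a
        # moved tag cannot change the code this job runs with write permissions.
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

      - name: Auto-merge patch updates
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          set -euo pipefail
          echo "Auto-merging patch update: $PR_TITLE"
          # --auto defers the merge until required checks / branch protection pass.
          gh pr merge --auto --squash "$PR_URL"

      - name: Comment on minor/major updates
        if: steps.metadata.outputs.update-type != 'version-update:semver-patch'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
        run: |
          set -euo pipefail
          echo "Minor/major update detected - requires human review"
          # Event data arrives via env vars rather than `${{ }}` expansion inside
          # the script, so it cannot be interpreted as shell syntax.
          # NOTE: there is no de-duplication, so each qualifying event (including
          # every new push) adds another comment.
          gh pr comment "$PR_URL" --body "⚠️ This is a **${UPDATE_TYPE}** update and requires human review before merging."

      - name: Generate summary
        if: always()
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
        run: |
          set -euo pipefail
          # Same decision as the two steps above, rendered into the job summary.
          {
            echo "## 🤖 Dependabot Auto-Merge"
            echo ""
            echo "**PR**: $PR_TITLE"
            echo "**Update Type**: $UPDATE_TYPE"
            echo ""
            if [ "$UPDATE_TYPE" == "version-update:semver-patch" ]; then
              echo "**Decision**: ✅ Auto-merged (patch update)"
              echo ""
              echo "Patch updates are automatically merged after CI passes."
            else
              echo "**Decision**: ⏸️ Requires human review"
              echo ""
              echo "Minor and major updates require manual approval for safety."
            fi
          } >> "$GITHUB_STEP_SUMMARY"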