Bump actions/checkout from 5 to 6 #11
Workflow file for this run
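name: Dependabot Auto-Approve and Merge

# This workflow uses a PAT (OPEN_SESAME) with the following permissions:
#   - Read and Write access to Contents
#   - Read and Write access to Pull Requests
#
# Trust model: pull_request_target runs in the context of the base repository,
# so repository secrets (including the PAT) are available to the job even for
# pull requests whose head lives elsewhere. No step below checks out or
# executes code from the pull request; keep it that way, because anything the
# PR controls would run with those credentials in scope.
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Scopes of the automatic GITHUB_TOKEN.
# NOTE(review): in this file GITHUB_TOKEN is used only by the check-polling
# step (`gh pr checks`, read-only); every write goes through the PAT. The two
# `write` scopes below can probably be lowered to `read`. Confirm, then tighten.
permissions:
  pull-requests: write
  contents: write
  checks: read
  statuses: read
  actions: read

jobs:
  approve-and-merge:
    name: Approve and Merge Dependabot PRs
    runs-on: ubuntu-slim
    # Gate the job on three independent facts instead of the actor alone.
    # github.actor is the account that triggered this event, which is not
    # necessarily the account that authored the pull request, so on its own it
    # does not prove the PR content came from Dependabot. Also require that
    # the PR author is Dependabot and that the head branch lives in this
    # repository (Dependabot pushes its branches to the base repo, never a fork).
    if: >-
      github.actor == 'dependabot[bot]' &&
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - name: Assign PR to HotCakeX
        env:
          GH_TOKEN: ${{ secrets.OPEN_SESAME }}
          # Event data is passed through env, not interpolated into the
          # script text, so it is never parsed as shell.
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          # Query the PR to check current assignees
          IS_ASSIGNED=$(gh pr view "$PR_URL" --json assignees --jq '.assignees | map(.login) | contains(["HotCakeX"])')
          if [ "$IS_ASSIGNED" = "true" ]; then
            echo "✅ HotCakeX is already assigned to this PR."
          else
            echo "🔄 Assigning HotCakeX to the PR..."
            gh pr edit "$PR_URL" --add-assignee "HotCakeX"
          fi

      - name: Wait for workflows to register
        # Pause briefly to give GitHub Actions enough time to evaluate
        # NOTE(review): the polling step below treats "no pending checks" as
        # success, so if no other check has registered after this fixed delay
        # the PR proceeds to approval without any check having run.
        run: sleep 40

      - name: Wait for all PR checks to succeed (and detect failures)
        env:
          # The read-only polling uses the job token; the PAT is not exposed here.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
          # A comma-separated list of check names whose failure is acceptable.
          # Entries are compared with the `name` field returned by
          # `gh pr checks`. Listing dependency-review here means a PR that the
          # dependency review check rejects is still auto-merged; make sure
          # that is an accepted risk for dependency bumps.
          ALLOWED_FAILURES: "dependency-review"
        run: |
          echo "Watching checks for $PR_URL..."
          echo "Acceptable failures configured: $ALLOWED_FAILURES"
          # NOTE(review): this loop has no bound of its own; a check that never
          # leaves "pending" holds the job until the job-level timeout.
          # Consider a step-level timeout-minutes.
          while true; do
            # Fetch checks in JSON format
            CHECKS_JSON=$(gh pr checks "$PR_URL" --json name,bucket)

            # 1. Look for unacceptable failures (abort immediately)
            # Saving the check's name as $n before filtering to prevent jq context errors.
            FAILED_CHECKS=$(echo "$CHECKS_JSON" | jq -c --arg allowed "$ALLOWED_FAILURES" '
              ($allowed | split(",")) as $allowed_list |
              [.[] | select(.bucket == "fail" or .bucket == "cancel") | select(.name as $n | $allowed_list | index($n) | not)]
            ')
            FAILED_COUNT=$(echo "$FAILED_CHECKS" | jq 'length')
            if [ "$FAILED_COUNT" -gt 0 ]; then
              echo "❌ One or more strict required checks failed or were cancelled. Aborting auto-merge."
              echo "Unacceptable failed checks:"
              echo "$FAILED_CHECKS" | jq -r '.[] | " - \(.name)"'
              exit 1
            fi

            # 2. Look for pending checks, ignoring this exact running workflow
            PENDING_COUNT=$(echo "$CHECKS_JSON" | jq '[.[] | select(.bucket == "pending" and .name != "Approve and Merge Dependabot PRs" and .name != "Dependabot Auto-Approve and Merge")] | length')
            if [ "$PENDING_COUNT" -eq 0 ]; then
              echo "✅ All required checks have successfully passed (or were marked as acceptable failures)."
              break
            fi

            echo "⏳ Waiting for $PENDING_COUNT other check(s) to finish. Checking again in 15 seconds..."
            sleep 15
          done

      - name: Approve PR
        env:
          GH_TOKEN: ${{ secrets.OPEN_SESAME }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          gh pr review "$PR_URL" --approve

      - name: Merge PR
        env:
          GH_TOKEN: ${{ secrets.OPEN_SESAME }}
          PR_URL: ${{ github.event.pull_request.html_url }}
          # Commit this run was triggered for.
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # Pin the merge to the commit that triggered this run. If the branch
          # head moved while the checks were being polled, the merge is refused
          # rather than merging a commit this run never evaluated.
          gh pr merge "$PR_URL" --squash --delete-branch --match-head-commit "$HEAD_SHA"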