mirror of
https://github.com/supabase/setup-cli.git
synced 2026-05-13 11:26:59 +00:00
c099ad8c4a
## What changed This updates our Dependabot policy to reduce routine dependency-update noise while keeping minor and patch updates moving automatically. - Configure Dependabot to run weekly on Tuesday at 09:00 Europe/Paris for both `github-actions` and `bun` - Group all minor and patch updates per ecosystem: - one GitHub Actions update PR - one Bun dependency update PR - Keep major updates ungrouped so Dependabot opens individual PRs for manual review - Reduce routine open Dependabot PRs to one per ecosystem - Add cooldown windows so Dependabot avoids immediately chasing fresh releases: - 7 days for minor updates - 2 days for patch updates - Update the Dependabot automerge workflow to generate a GitHub App token before approving PRs - Auto-approve and enable automerge only for patch and minor updates, including `0.x` minors - Leave major update PRs for human review and merge ## Why Dependabot was not able to approve/automerge PRs using the default token. This follows the GitHub App token pattern recommended by security, while also tuning Dependabot for a better signal-to-noise ratio. The resulting behavior is: - minor/patch updates are batched weekly and can merge after CI passes - major updates still appear, but individually and without automerge - security updates remain handled by Dependabot/GitHub outside the routine grouping policy
48 lines
2.1 KiB
YAML
48 lines
2.1 KiB
YAML
# Adapted from https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request
|
|
name: Dependabot auto-merge
|
|
|
|
on: pull_request
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
permissions:
|
|
pull-requests: write
|
|
contents: write
|
|
|
|
jobs:
|
|
dependabot:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 10
|
|
# Only act on PRs opened by Dependabot from branches in this repository.
|
|
if: github.actor == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
|
|
steps:
|
|
# Metadata drives the non-major gating used for approval and auto-merge.
|
|
- id: meta
|
|
uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36 # v3.0.0
|
|
with:
|
|
github-token: "${{ secrets.GITHUB_TOKEN }}"
|
|
|
|
- name: Generate token
|
|
id: app-token
|
|
if: ${{ steps.meta.outputs.update-type == null || steps.meta.outputs.update-type == 'version-update:semver-patch' || steps.meta.outputs.update-type == 'version-update:semver-minor' }}
|
|
uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
|
|
with:
|
|
app-id: ${{ secrets.APP_ID }}
|
|
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
|
|
|
|
- name: Approve a PR
|
|
if: ${{ steps.meta.outputs.update-type == null || steps.meta.outputs.update-type == 'version-update:semver-patch' || steps.meta.outputs.update-type == 'version-update:semver-minor' }}
|
|
run: gh pr review --approve "$PR_URL"
|
|
env:
|
|
PR_URL: ${{ github.event.pull_request.html_url }}
|
|
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
|
|
|
|
- name: Enable auto-merge for Dependabot PRs
|
|
if: ${{ steps.meta.outputs.update-type == null || steps.meta.outputs.update-type == 'version-update:semver-patch' || steps.meta.outputs.update-type == 'version-update:semver-minor' }}
|
|
run: gh pr merge --auto --squash "$PR_URL"
|
|
env:
|
|
PR_URL: ${{ github.event.pull_request.html_url }}
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|