name: Dependabot Automerge on: pull_request_target: types: [opened, synchronize, reopened] permissions: pull-requests: write contents: write checks: read jobs: security-scan: name: Security Vulnerability Scan if: github.repository == 'zhom/donutbrowser' && github.actor == 'dependabot[bot]' uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@c51854704019a247608d928f370c98740469d4b5" # v2.3.5 with: scan-args: |- -r --skip-git --lockfile=pnpm-lock.yaml --lockfile=src-tauri/Cargo.lock ./ permissions: security-events: write contents: read actions: read lint-js: name: Lint JavaScript/TypeScript if: github.repository == 'zhom/donutbrowser' && github.actor == 'dependabot[bot]' uses: ./.github/workflows/lint-js.yml secrets: inherit permissions: contents: read lint-rust: name: Lint Rust if: github.repository == 'zhom/donutbrowser' && github.actor == 'dependabot[bot]' uses: ./.github/workflows/lint-rs.yml secrets: inherit permissions: contents: read codeql: name: CodeQL if: github.repository == 'zhom/donutbrowser' && github.actor == 'dependabot[bot]' uses: ./.github/workflows/codeql.yml secrets: inherit permissions: security-events: write contents: read packages: read actions: read spellcheck: name: Spell Check if: github.repository == 'zhom/donutbrowser' && github.actor == 'dependabot[bot]' uses: ./.github/workflows/spellcheck.yml secrets: inherit permissions: contents: read dependabot-automerge: name: Dependabot Automerge if: github.repository == 'zhom/donutbrowser' && github.actor == 'dependabot[bot]' needs: [security-scan, lint-js, lint-rust, codeql, spellcheck] runs-on: ubuntu-latest steps: - name: Dependabot metadata id: metadata uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 #v3.1.0 with: github-token: "${{ secrets.GITHUB_TOKEN }}" - name: Enable auto-merge for minor and patch updates if: ${{ steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch' }} run: gh pr merge --auto --squash "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} timeout-minutes: 10