
Adding dependabot auto approve/merge #210

Closed
wants to merge 3 commits into from

Conversation

srtfisher (Member) commented Nov 30, 2023

Summary by CodeRabbit

  • Chores
    • Implemented automated workflows to approve and merge Dependabot pull requests, streamlining dependency updates.


coderabbitai bot commented Nov 30, 2023

Walkthrough

The repository has introduced two new GitHub Actions workflow files aimed at automating interactions with Dependabot. These workflows are designed to automatically approve and merge pull requests created by Dependabot. The dependabot-auto-approve.yml workflow is triggered on pull request events, while the dependabot-auto-merge.yml workflow is triggered on pull_request_target events. Both workflows grant necessary write permissions and reference a workflow from an external repository.

Changes

File path, summary, and added/removed/modified signatures:

  • .github/workflows/dependabot-auto-approve.yml: Defines a workflow for auto-approving Dependabot PRs. (Added/removed/modified signatures: N/A)
  • .github/workflows/dependabot-auto-merge.yml: Adds a workflow for auto-merging Dependabot PRs. (Added/removed/modified signatures: N/A)


@srtfisher srtfisher closed this Nov 30, 2023
@srtfisher srtfisher deleted the updates branch November 30, 2023 20:20

@coderabbitai coderabbitai bot left a comment

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits: files that changed from the base of the PR and between db9b6b2 and 6b6b08c.
Files selected for processing (2)
  • .github/workflows/dependabot-auto-approve.yml (1 hunks)
  • .github/workflows/dependabot-auto-merge.yml (1 hunks)
Additional comments: 4
.github/workflows/dependabot-auto-approve.yml (1)
  • 1-11: Ensure that the external workflow alleyinteractive/.github/.github/workflows/dependabot-auto-approve.yml@main is from a trusted and maintained source, as it has write access to pull requests and contents.
.github/workflows/dependabot-auto-merge.yml (3)
  • 10-10: The workflow uses an external action from alleyinteractive/.github. Ensure that this external repository is trusted and consider pinning the action to a specific commit to mitigate the risk of a compromised repository.

  • 2-2: The pull_request_target event provides access to secrets, which can be a security risk if the workflow script is not carefully managed. Ensure that the workflow does not expose secrets to untrusted code, especially when dealing with pull requests from forks.

  • 4-6: The permissions for pull-requests and contents are set to write. Review if these broad permissions are necessary, and consider applying the principle of least privilege by restricting permissions to the minimum required.
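
A defender-side check for the three points raised above, added here as an example that is not part of this PR or of the alleyinteractive/.github project: a small stdlib-only Python linter that flags unpinned `uses:` references, a pull_request_target trigger with no actor guard, and write scopes under that trigger. The two workflow texts are constructed from the structure the review describes, and the `github.actor == 'dependabot[bot]'` guard and the all-zero commit SHA placeholder are assumptions, not content from the PR.

```python
import re

# Constructed sample mirroring the structure the review describes: a caller that
# runs on pull_request_target with write scopes and pulls the reusable workflow
# from a branch. Not the PR's actual file.
WEAK = """\
name: dependabot-auto-merge
on: pull_request_target
permissions:
  pull-requests: write
  contents: write
jobs:
  auto-merge:
    uses: alleyinteractive/.github/.github/workflows/dependabot-auto-merge.yml@main
"""

# Same job with the two fixes the review asks for: the job only runs for
# Dependabot's own PRs, and the reusable workflow is pinned to a commit SHA
# (the all-zero SHA is a placeholder, not a real commit).
HARDENED = WEAK.replace(
    "    uses:",
    "    if: github.actor == 'dependabot[bot]'\n    uses:",
).replace("@main", "@" + "0" * 40 + "  # placeholder SHA")

PINNED_RE = re.compile(r"@[0-9a-f]{40}$")  # only an immutable ref passes
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)", re.M)
WRITE_RE = re.compile(r"^\s*([\w-]+):\s*write(?:-all)?\s*$", re.M)
ACTOR_GUARD = "github.actor == 'dependabot[bot]'"


def lint_workflow(text: str) -> list[str]:
    """Line-oriented scan (no YAML parser); one finding per risky pattern."""
    findings = []
    for ref in USES_RE.findall(text):
        if not PINNED_RE.search(ref):
            findings.append(f"unpinned reference {ref}: pin to a full commit SHA")
    pr_target = re.search(r"\bpull_request_target\b", text) is not None
    if pr_target and ACTOR_GUARD not in text:
        findings.append("pull_request_target exposes secrets and the write token "
                        f"to any PR author; add `if: {ACTOR_GUARD}` to the job")
    scopes = WRITE_RE.findall(text)
    if pr_target and scopes:
        findings.append("write scopes under pull_request_target: "
                        + ", ".join(scopes) + " (confirm each is required)")
    return findings


if __name__ == "__main__":
    for label, wf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint_workflow(wf))
```

The hardened text still reports its write scopes, because an auto-merge job genuinely needs them; that finding is a prompt to confirm each scope rather than a defect.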
