major: remove backing web app

.github/workflows/ci.yml

@@ -15,6 +15,9 @@ jobs:
   automerge:
     needs: build
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: write
     steps:
       - uses: fastify/github-action-merge-dependabot@main
         with:

README.md

@@ -2,10 +2,6 @@
 
 This action automatically approves and merges dependabot PRs.
 
-## Usage
-
-- **install the [GitHub App](https://github.com/apps/dependabot-merge-action) on the repositories or organization where you want to use this action.** Using a GitHub App is necessary since [this change](https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/) GitHub introduced which limits the permissions of the provided GITHUB_TOKEN and the availability of secrets in Dependabot pull requests. The source [code of the GitHub App](https://github.com/fastify/dependabot-merge-action-app/) is open source and hosted on Google Cloud Platform. You can also host your own version of the app and customize the `api-url` input to point to your hosted instance.
-- configure this action in your workflows providing the inputs described below
 
 ## Inputs
 
@@ -29,10 +25,6 @@ _Optional_ The merge method you would like to use (squash, merge, rebase). Defau
 
 _Optional_ An arbitrary message that you'd like to comment on the PR after it gets auto-merged. This is only useful when you're recieving too much of noise in email and would like to filter mails for PRs that got automatically merged.
 
-### `api-url`
-
-_Optional_ A custom url where the external API which is delegated the task of approving and merging responds.
-
 ### `target`
 
 _Optional_ A flag to only auto-merge updates based on Semantic Versioning. Defaults to `any`.
@@ -50,7 +42,21 @@ An example of a non-semantic version is a commit hash when using git submodules.
 
 _Optional_ A pull request number, only required if triggered from a workflow_dispatch event. Typically this would be triggered by a script running in a seperate CI provider. See [Trigger action from workflow_dispatch event](#trigger-action-from-workflow_dispatch-event)
 
-## Example usage
+## Usage
+
+Configure this action in your workflows providing the inputs described above.
+Note that this action requires a GitHub token with additional permissions. You must use the [`permissions`](https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#permissions) tag to specify the required rules or configure your [GitHub account](https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/).
+
+The permissions required are:
+
+- [`pull-requests`](https://docs.github.com/en/rest/reference/permissions-required-for-github-apps#permission-on-pull-requests) permission: it is needed to approve PRs.
+- [`contents`](https://docs.github.com/en/rest/reference/permissions-required-for-github-apps#permission-on-contents) permission: it is necessary to merge the pull request. You don't need it if you set `approve-only: true`, see the example below.
+
+If some of the required permissions are missing, the action will fail with the error message:
+
+```
+Error: Resource not accessible by integration
+```
 
 ### Basic example
 
@@ -67,17 +73,26 @@ jobs:
   automerge:
     needs: build
     runs-on: ubuntu-latest
+
+    permissions:
+      pull-requests: write
+      contents: write
+
     steps:
-      - uses: fastify/github-action-merge-dependabot@v2.1.1
+      - uses: fastify/github-action-merge-dependabot@v3.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 ```
 
 ### Excluding packages
 
 ```yml
+permissions:
+  pull-requests: write
+  contents: write
+
 steps:
-  - uses: fastify/github-action-merge-dependabot@v2.1.1
+  - uses: fastify/github-action-merge-dependabot@v3.0.0
     with:
       github-token: ${{ secrets.GITHUB_TOKEN }}
       exclude: 'react,fastify'
@@ -86,16 +101,18 @@ steps:
 ### Approving without merging
 
 ```yml
+permissions:
+  pull-requests: write
 steps:
-  - uses: fastify/github-action-merge-dependabot@v2.1.1
+  - uses: fastify/github-action-merge-dependabot@v3.0.0
     with:
       github-token: ${{ secrets.GITHUB_TOKEN }}
       approve-only: true
 ```
 
 ### Trigger action from workflow_dispatch event
 
-If you need to trigger this action manually, you can use the [workflow_dispatch](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_dispatch) event. A use case might be that your CI runs on a seperate provider, so you would like to run this action as a result of a successful CI run.
+If you need to trigger this action manually, you can use the [`workflow_dispatch`](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_dispatch) event. A use case might be that your CI runs on a seperate provider, so you would like to run this action as a result of a successful CI run.
 
 When using the `workflow_dispatch` approach, you will need to send the PR number as part of the input for this action:
 
@@ -111,8 +128,11 @@ on:
 jobs:
   automerge:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: write
     steps:
-      - uses: fastify/github-action-merge-dependabot@v2.2.0
+      - uses: fastify/github-action-merge-dependabot@v3.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           pr-number: ${{ github.event.inputs.pr-number }}

action.yml

@@ -19,10 +19,6 @@ inputs:
     description: "An arbitrary message that you'd like to comment on the PR after it gets auto-merged"
     required: false
     default: ''
-  api-url:
-    description: 'Url of the API where the application is running'
-    required: false
-    default: 'https://fastify-dependabot-merge-app-5uewp47fja-uc.a.run.app/'
   target:
     description: 'Auto-merge on major, minor, patch updates based on Semantic Versioning'
     required: false