update dependabot autocommit (#416)

simongdavies · web-flow · commit c89f72dbb74f · 2025-04-14T22:05:02.000+01:00
Use an app for the source of the token
Rather than issuing a merge command to dependabot set the PR to auto squash

Signed-off-by: Simon Davies &lt;simongdavies@users.noreply.github.com&gt;
diff --git a/.github/workflows/auto-merge-dependabot.yml b/.github/workflows/auto-merge-dependabot.yml
@@ -10,12 +10,33 @@ permissions:
   contents: write
   pull-requests: write
 
+# This workflow uses a GitHub App token to approve and merge Dependabot PRs
+# The token is created using the `actions/create-github-app-token` action
+# The token is used so that the updates are made by the GitHub App instead of Github Actions 
+# and will show up as such in the PR comments and history
+# In addition, the token is scoped to only the permissions needed for this workflow
+# see https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow for details
+
 jobs:
   auto-merge-dependabot:
     runs-on: ubuntu-latest
     steps:
+
+      # Gets the GitHub App token
+      - uses: actions/create-github-app-token@v2
+        id: get-app-token
+        with:
+          # required
+          app-id: ${{ secrets.DEPENDABOT_APP_ID }}
+          private-key: ${{ secrets.DEPENDABOT_APP_KEY }}
+          permission-pull-requests: write
+          permission-contents: write
+
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          token: ${{ steps.get-app-token.outputs.token }}
+          persist-credentials: false
       
       - name: Setup GitHub CLI
         run: |
@@ -27,5 +48,5 @@ jobs:
       
       - name: Run auto approve script
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.get-app-token.outputs.token }}
         run: ./dev/auto-approve-dependabot.sh ${{ github.repository }}
diff --git a/dev/auto-approve-dependabot.sh b/dev/auto-approve-dependabot.sh
@@ -111,9 +111,19 @@ echo "$dependabot_prs" | jq -c '.[]' | while read -r pr; do
     fi
     
     if [ "$has_pending_checks" = true ] || [ "$all_checks_pass" = true ]; then
-        echo "  ✅ Adding merge comment to PR #$pr_number"
-        gh pr comment "$pr_number" -R "$REPO" -b "@dependabot merge"
-        echo "  ✅ Merge command issued for PR #$pr_number"
+        # Check if PR is up-to-date with base branch
+        merge_status=$(gh pr view "$pr_number" -R "$REPO" --json mergeStateStatus -q '.mergeStateStatus')
+        
+        if [ "$merge_status" != "CLEAN" ]; then
+            echo "  ⚠️ PR #$pr_number is not up to date (status: $merge_status)"
+        else
+            echo "  ✅ PR #$pr_number is up to date with base branch"
+        fi
+        
+        # Enable auto-merge with squash strategy
+        echo "  ✅ Enabling auto-merge (squash strategy) for PR #$pr_number"
+        gh pr merge "$pr_number" -R "$REPO" --auto --squash
+        echo "  ✅ Auto-merge enabled for PR #$pr_number"
     fi
     
 done
