ci: added dependabot (#27)

jeroenvervaeke · web-flow · commit 8e2c50496c04 · 2025-10-16T11:17:44.000+01:00
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -0,0 +1,60 @@
+version: 2
+updates:
+  # Enable version updates for Rust/Cargo dependencies
+  - package-ecosystem: "cargo"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "chore(deps)"
+    labels:
+      - "dependencies"
+    # Group updates by type to separate security from version updates
+    groups:
+      rust-security:
+        applies-to: security-updates
+        patterns:
+          - "*"
+      rust-version-updates:
+        applies-to: version-updates
+        patterns:
+          - "*"
+
+  # Enable version updates for npm/JavaScript packages
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "chore(deps)"
+    labels:
+      - "dependencies"
+    # Group updates by type to separate security from version updates
+    groups:
+      npm-security:
+        applies-to: security-updates
+        patterns:
+          - "*"
+      npm-version-updates:
+        applies-to: version-updates
+        patterns:
+          - "*"
+
+  # Enable version updates for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "chore(deps)"
+    labels:
+      - "dependencies"
diff --git a/.github/workflows/dependabot-auto-approve.yml b/.github/workflows/dependabot-auto-approve.yml
@@ -0,0 +1,81 @@
+name: Dependabot Auto-Approve
+
+on: pull_request
+
+permissions:
+  pull-requests: write
+  contents: write
+
+env:
+  CARGO_ABOUT_VERSION: 0.8.2
+
+jobs:
+  auto-approve:
+    runs-on: ubuntu-latest
+    if: |
+      github.repository == 'mongodb/atlas-local-lib-js' &&
+      github.event.pull_request.user.login == 'dependabot[bot]'
+    steps:
+      - name: Checkout PR
+        uses: actions/checkout@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+      - name: Install Rust toolchain
+        run: |
+          rustup update stable
+          rustup default stable
+
+      - name: Cache cargo tools
+        uses: actions/cache@v4
+        with:
+          path: ~/.cargo/bin
+          key: ${{ runner.os }}-cargo-tools-about-${{ env.CARGO_ABOUT_VERSION }}
+          restore-keys: |
+            ${{ runner.os }}-cargo-tools-
+
+      - name: Install cargo-about
+        run: |
+          if ! command -v cargo-about &> /dev/null; then
+            cargo install --locked --version ${{ env.CARGO_ABOUT_VERSION }} cargo-about
+          fi
+
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      
+      - name: Update third-party licenses
+        if: steps.metadata.outputs.package-ecosystem == 'cargo'
+        run: |
+          # Generate updated LICENSE-3RD-PARTY.txt
+          cargo about generate about.hbs > LICENSE-3RD-PARTY.txt
+          
+          # Check if there are changes to commit
+          if ! git diff --quiet LICENSE-3RD-PARTY.txt; then
+            git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
+            git config --local user.name "github-actions[bot]"
+            git add LICENSE-3RD-PARTY.txt
+            git commit -m "chore(deps): update LICENSE-3RD-PARTY.txt"
+            git push
+            echo "Updated LICENSE-3RD-PARTY.txt"
+          else
+            echo "LICENSE-3RD-PARTY.txt is already up to date"
+          fi
+
+      - name: Approve Dependabot PR
+        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' || contains(steps.metadata.outputs.dependency-names, 'security') || steps.metadata.outputs.package-ecosystem == 'github_actions'
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      
+      - name: Enable auto-merge for Dependabot PR
+        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' || contains(steps.metadata.outputs.dependency-names, 'security') || steps.metadata.outputs.package-ecosystem == 'github_actions'
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
