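name: Dependabot Auto-Approve

on:
  pull_request:
    branches: [main]

# Scope of the default GITHUB_TOKEN only. Every API call below goes through
# the short-lived app token minted in the first step, so the default token
# never needs a write scope; declaring the minimum keeps that explicit.
permissions:
  contents: read

jobs:
  approve:
    name: Auto-Approve
    # Use github.event.pull_request.user.login, not github.actor.
    # github.actor reflects the last actor on the trigger and is spoofable
    # via a PR whose HEAD commit author is 'dependabot[bot]'. The
    # pull_request.user.login is the PR opener and cannot be spoofed.
    # https://docs.zizmor.sh/audits/#bot-conditions
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Generate app token
        id: app-token
        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        with:
          # Runs opened by Dependabot read secrets from the repository's
          # Dependabot secrets, not the Actions secrets — make sure APP_ID and
          # APP_PRIVATE_KEY are defined there, or this step fails closed.
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          # Read PR metadata and submit the approving review. Nothing else.
          permission-pull-requests: write

      - name: Fetch Dependabot metadata
        id: metadata
        # Pinned by SHA; the matching release tag is not recorded here — TODO add.
        uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98
        with:
          github-token: ${{ steps.app-token.outputs.token }}

      - name: Auto-approve patch and minor updates
        # Allow-list the two update types we accept rather than excluding
        # semver-major: a `!= semver-major` test also passes when update-type
        # is empty or unrecognised (metadata could not classify the PR, or a
        # value this workflow was never written for), and would approve it.
        if: >-
          contains(fromJSON('["version-update:semver-patch", "version-update:semver-minor"]'),
          steps.metadata.outputs.update-type)
        # Pinned by SHA; the matching release tag is not recorded here — TODO add.
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3
        # Step outputs are passed via env so they reach the script as data,
        # never interpolated into the script source.
        env:
          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
          DEPENDENCY_NAMES: ${{ steps.metadata.outputs.dependency-names }}
        with:
          github-token: ${{ steps.app-token.outputs.token }}
          script: |
            await github.rest.pulls.createReview({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.payload.pull_request.number,
              event: 'APPROVE',
              body: `Auto-approved: ${process.env.UPDATE_TYPE} update for ${process.env.DEPENDENCY_NAMES}.`,
            });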
