# This is the workflow to automatically approve and merge dependabot PRs
#
name: Dependabot automation

on:
  pull_request:

concurrency:
  # group: ${{ github.workflow }}_${{ github.head_ref || github.ref || github.run_id }}
  # Use the name of the triggering workflow run as the concurrency group to avoid conccurency issues
  group: ${{ github.workflow }}_${{ github.event.workflow_run.head_branch || github.ref_name || github.run_id }}
  cancel-in-progress: true

# Declare default permissions as read only.
permissions:
  contents: read

jobs:
  dependabot:
    name: '🤖 Dependabot Automation'
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}

    permissions:
      pull-requests: write

    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2.4.0

      - name: Enable auto-merge for Dependabot PRs
        continue-on-error: true
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }} # GH_TOKEN needed to trigger follow up worlflow: https://github.com/fastify/github-action-merge-dependabot/issues/134

      - name: Approve a PR
        continue-on-error: true
        # Auto merge all dependencies with patch or minor version updates
        if: ${{(steps.metadata.outputs.update-type == 'version-update:semver-patch') || (steps.metadata.outputs.update-type == 'version-update:semver-minor')}}
        run: |
          gh pr checkout "$PR_URL" # sets the upstream metadata for `gh pr status`
          if [ "$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)" != "APPROVED" ];
          then gh pr review --approve "$PR_URL"
          else echo "PR already approved, skipping additional approvals to minimize emails/notification noise.";
          fi
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }} # GH_TOKEN needed to approve PR as code owner on protected branches
