internetee · mmeest · Oct 2, 2025 · Sep 9, 2025 · Sep 9, 2025 · Sep 9, 2025
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
@@ -0,0 +1,106 @@
+name: Auto approve & merge Dependabot PRs
+
+on:
+  workflow_run:
+    workflows: ["Github Testing"]
+    types: [completed]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-approve-merge:
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run.conclusion == 'success' && github.repository == 'internetee/e_invoice'
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Install GitHub CLI
+        run: |
+          curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
+          echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
+          sudo apt update
+          sudo apt install gh
+
+      - name: Check if PR exists and is from Dependabot
+        id: check_pr
+        run: |
+          if [ -z "${{ github.event.workflow_run.pull_requests[0].number }}" ]; then
+            echo "No PR found for this workflow run – skipping job"
+            echo "auto_merge=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          PR_NUMBER=${{ github.event.workflow_run.pull_requests[0].number }}
+          PR_AUTHOR=$(gh pr view $PR_NUMBER --json author --jq '.author.login')
+          BASE_BRANCH=$(gh pr view $PR_NUMBER --json baseRefName --jq '.baseRefName')
+
+          echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
+          echo "base_branch=$BASE_BRANCH" >> $GITHUB_OUTPUT
+          echo "pr_author=$PR_AUTHOR" >> $GITHUB_OUTPUT
+
+          if [[ "$PR_AUTHOR" != "dependabot[bot]" ]]; then
+            echo "PR is not from Dependabot – skipping merge"
+            echo "auto_merge=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          if [[ "$BASE_BRANCH" != "master" ]]; then
+            echo "PR is not targeting master – skipping merge"
+            echo "auto_merge=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          echo "auto_merge=true" >> $GITHUB_OUTPUT
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Fetch Dependabot metadata
+        if: steps.check_pr.outputs.auto_merge == 'true'
+        id: metadata
+        uses: dependabot/fetch-metadata@v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          pull-request-number: ${{ steps.check_pr.outputs.pr_number }}
+
+      - name: Check if PR should be auto-merged (patch only)
+        id: check_patch
+        if: steps.check_pr.outputs.auto_merge == 'true'
+        run: |
+          if [[ "${{ steps.metadata.outputs.update-type }}" == "version-update:semver-patch" ]]; then
+            echo "auto_merge=true" >> $GITHUB_OUTPUT
+            echo "Dependabot patch update detected – will merge"
+          else
+            echo "auto_merge=false" >> $GITHUB_OUTPUT
+            echo "Dependabot non-patch update – skipping merge"
+          fi
+        shell: bash
+
+      - name: Auto approve PR
+        if: steps.check_patch.outputs.auto_merge == 'true'
+        uses: hmarr/auto-approve-action@v3
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Auto-merge PR
+        if: steps.check_patch.outputs.auto_merge == 'true'
+        run: |
+          echo "Attempting to auto-merge PR #${{ steps.check_pr.outputs.pr_number }}"
+          gh pr merge --auto --merge ${{ steps.check_pr.outputs.pr_number }} || {
+            echo "Auto-merge failed, but continuing..."
+            exit 0
+          }
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Send Mattermost notification
+        if: steps.check_patch.outputs.auto_merge == 'true'
+        run: |
+          TIMESTAMP=$(date -u +"%Y-%m-%d %H:%M UTC")
+          curl -X POST -H "Authorization: Bearer ${{ secrets.MATTERMOST_BOT_TOKEN }}" \
+                -H "Content-Type: application/json" \
+                -d "{\"channel_id\":\"${{ secrets.MATTERMOST_CHANNEL_ID }}\",\"message\":\"[${{ github.repository }}] PR #${{ steps.check_pr.outputs.pr_number }}: \\\"${{ github.event.workflow_run.pull_requests[0].title }}\\\" was auto-merged by ${{ steps.check_pr.outputs.pr_author }}.\nUpdate type: ${{ steps.metadata.outputs.update-type || 'patch' }}\nMerged at: $TIMESTAMP\nLink: https://github.com/${{ github.repository }}/pull/${{ steps.check_pr.outputs.pr_number }}\"}" \
+                https://mattermost.example.com/api/v4/posts
+