From 24813d528c0399486b44ade0d25f965bb5f525fc Mon Sep 17 00:00:00 2001
From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com>
Date: Wed, 14 Jan 2026 15:37:23 -0500
Subject: [PATCH 1/4] add Depndabot configuration
Signed-off-by: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com>
---
 .github/dependabot.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..c9a4399
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,19 @@
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /.github/workflows
+ schedule:
+ interval: "semiannually"
+ groups:
+ actions:
+ patterns:
+ - "*"
+ update-types:
+ - patch
+ - minor
+ - major
+ cooldown:
+ default-days: 7
From ea5818b8fa814427e529bfb164a120fca0dee0b7 Mon Sep 17 00:00:00 2001
From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com>
Date: Wed, 14 Jan 2026 15:38:00 -0500
Subject: [PATCH 2/4] add Dependabot minor/patch update auto-approval workflow
Signed-off-by: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com>
---
 .github/workflows/auto-approve-dependabot.yml | 71 +++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 .github/workflows/auto-approve-dependabot.yml
diff --git a/.github/workflows/auto-approve-dependabot.yml b/.github/workflows/auto-approve-dependabot.yml
new file mode 100644
index 0000000..bc1ae8a
--- /dev/null
+++ b/.github/workflows/auto-approve-dependabot.yml
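Review bot: The single `actions` group with `patterns: "*"` and `update-types` spanning patch, minor and major means one grouped PR can carry a major bump alongside routine patch bumps; fetch-metadata reports the highest semver change for a grouped PR, so that PR falls outside the auto-approval path and the routine bumps wait on manual review with it. Splitting into two groups keeps the low-risk bumps flowing automatically while majors still land in their own PR, as sketched below. As far as I know, `interval: "semiannually"` plus `cooldown.default-days: 7` governs version updates only, and Dependabot security updates are opened from alerts on their own schedule, so the long interval should not delay vulnerability fixes — worth confirming against the repository's security-updates setting.
```yaml
# … unchanged: package-ecosystem, directory, schedule …
groups:
  actions-minor-patch:
    patterns:
      - "*"
    update-types:
      - patch
      - minor
  actions-major:
    patterns:
      - "*"
    update-types:
      - major
```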
@@ -0,0 +1,71 @@
+name: Dependabot CI Updates
+
+on:
+ pull_request:
+ branches:
+ - main
+ types:
+ - opened
+ - synchronize
+
+permissions:
+ contents: read
+
+jobs:
+ dependabot-auto-approve:
+ name: Auto-approve and auto-merge safe Dependabot updates
+ runs-on: ubuntu-latest
+ if: >
+ github.event.pull_request.user.login == 'dependabot[bot]' &&
+ contains(github.event.pull_request.labels.*.name, 'dependencies')
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+ with:
+ disable-sudo: true
+ egress-policy: audit
+
+ - name: Fetch Dependabot metadata
+ id: dependabot-metadata
+ uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Stop workflow if not minor update or patch update
+ id: skip-condition
+ if: >
+ steps.dependabot-metadata.outputs.update-type != 'version-update:semver-minor' &&
+ steps.dependabot-metadata.outputs.update-type != 'version-update:semver-patch'
+ run: |
+ echo "Not a minor or patch update; skipping auto-approval."
+ echo "skip=true" >> $GITHUB_OUTPUT
+
+ - name: Checkout Repository
+ if: steps.skip-condition.outputs.skip != 'true'
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
+
+ - name: Approve Changes
+ if: steps.skip-condition.outputs.skip != 'true'
+ run: |
+ decision="$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)"
+ if [ "$decision" != "APPROVED" ]; then
+ gh pr review --approve "$PR_URL"
+ else
+ echo "PR already approved: skipping approval."
+ fi
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_URL: ${{ github.event.pull_request.html_url }}
+
+ - name: Enable auto-merge on Pull Request
+ if: steps.skip-condition.outputs.skip != 'true'
+ run: |
+ gh pr merge --auto --merge "$PR_URL"
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_URL: ${{ github.event.pull_request.html_url }}
From fb636bd5cb5706bb54626036b1d65bfe5f3cc55f Mon Sep 17 00:00:00 2001
From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com>
Date: Thu, 15 Jan 2026 16:37:41 -0500
Subject: [PATCH 3/4] use GH_TOKEN, not GITHUB_TOKEN
---
 .github/workflows/auto-approve-dependabot.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/auto-approve-dependabot.yml b/.github/workflows/auto-approve-dependabot.yml
index bc1ae8a..04454e6 100644
--- a/.github/workflows/auto-approve-dependabot.yml
+++ b/.github/workflows/auto-approve-dependabot.yml
@@ -59,7 +59,7 @@ jobs:
 echo "PR already approved: skipping approval."
 fi
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 PR_URL: ${{ github.event.pull_request.html_url }}
 - name: Enable auto-merge on Pull Request
@@ -67,5 +67,5 @@ jobs:
 run: |
 gh pr merge --auto --merge "$PR_URL"
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 PR_URL: ${{ github.event.pull_request.html_url }}
From 08804ec8e94e748f97ef753a9230caab10eebb0c Mon Sep 17 00:00:00 2001
From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com>
Date: Thu, 15 Jan 2026 16:39:37 -0500
Subject: [PATCH 4/4] be explicit
---
 .github/workflows/auto-approve-dependabot.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/auto-approve-dependabot.yml b/.github/workflows/auto-approve-dependabot.yml
index 04454e6..ebdb017 100644
--- a/.github/workflows/auto-approve-dependabot.yml
+++ b/.github/workflows/auto-approve-dependabot.yml
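Review bot: In the "Approve Changes" step, `gh pr status --json reviewDecision -q .currentBranch.reviewDecision` keys on the current git branch, but actions/checkout on a `pull_request` event leaves a detached HEAD at the merge ref, so `decision` is very likely empty and the "already approved" guard never fires — every `synchronize` re-approves. Querying the PR directly, `decision="$(gh pr view "$PR_URL" --json reviewDecision -q .reviewDecision)"`, fixes this and makes the "Checkout Repository" step unnecessary, since none of the `gh` calls need the working tree. The job-level `if` checks only the PR author, while `synchronize` also fires when a human with push access adds a commit to the Dependabot branch; adding `github.actor == 'dependabot[bot]'` to that condition keeps approvals scoped to pushes Dependabot itself made (fetch-metadata's commit verification may already reject such heads, but the explicit gate is cheap). `egress-policy: audit` on harden-runner only logs; once the logged endpoints are confirmed to be GitHub's API, `egress-policy: block` with `allowed-endpoints` would enforce it. Minor: quote the redirect target, `echo "skip=true" >> "$GITHUB_OUTPUT"`.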
@@ -47,6 +47,7 @@ jobs:
 if: steps.skip-condition.outputs.skip != 'true'
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
+ token: ${{ secrets.GITHUB_TOKEN }}
 persist-credentials: false
 - name: Approve Changes