Build(deps): Bump frequenz-floss/gh-action-setup-python-with-deps from 0d0d77eac3b54799f31f25a1060ef2c6ebdf9299 to e4d0b2ef8f5a1612d7827f3abaef17c931d2b946 #25
Workflow file for this run
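name: Auto-merge Dependabot PR

on:
  # XXX: !!! SECURITY WARNING !!!
  # pull_request_target has write access to the repo, and can read secrets. We
  # need to audit any external actions executed in this workflow and make sure no
  # checked out code is run (not even installing dependencies, as installing
  # dependencies usually can execute pre/post-install scripts). We should also
  # only use hashes to pick the action to execute (instead of tags or branches).
  # For more details read:
  # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
  #
  # The steps listed in this file do not check out the pull request; the two
  # actions pinned by commit hash below are the only external code they run.
  pull_request_target:

# Scope of the default `github.token` for every job in this workflow. The
# broader rights needed to merge come from the GitHub App token generated in
# the first step, not from this token.
permissions:
  # Read repository contents and Dependabot metadata used by the nested action.
  contents: read
  # The nested action also uses `github.token` internally for PR operations.
  pull-requests: write

jobs:
  auto-merge:
    name: Auto-merge Dependabot PR
    # `github.actor` is the account that triggered this run, which is not
    # necessarily the account that opened the pull request. Because this job
    # approves and merges with a write-capable token, also require that the
    # pull request itself was opened by Dependabot.
    # The two title filters keep the 'repo-config group' and 'black' bumps out
    # of auto-merge.
    if: >
      github.actor == 'dependabot[bot]' &&
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      !contains(github.event.pull_request.title, 'the repo-config group') &&
      !contains(github.event.pull_request.title, 'Bump black from ')
    runs-on: ubuntu-slim
    steps:
      # Mint an installation token for the GitHub App, limited to the three
      # permissions requested below.
      - name: Generate GitHub App token
        id: app-token
        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859  # v3.0.0
        with:
          app-id: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_ID }}
          private-key: ${{ secrets.FREQUENZ_AUTO_DEPENDABOT_APP_PRIVATE_KEY }}
          # Merge Dependabot PRs.
          permission-contents: write
          # Create the auto-merged label if it does not exist.
          permission-issues: write
          # Approve PRs, add labels, and enable auto-merge.
          permission-pull-requests: write

      # This action receives the write-capable App token, so it must stay
      # pinned to an audited commit hash; re-audit it whenever the hash changes.
      - name: Auto-merge Dependabot PR
        uses: frequenz-floss/dependabot-auto-approve@e943399cc9d76fbb6d7faae446cd57301d110165  # v1.5.0
        with:
          github-token: ${{ steps.app-token.outputs.token }}
          dependency-type: 'all'
          auto-merge: 'true'
          merge-method: 'merge'
          add-label: 'tool:auto-merged'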