From 44e4227abe2c674c90bc8a67c55f4fe8f0090cce Mon Sep 17 00:00:00 2001
From: David Trejo <56119+DTrejo@users.noreply.github.com>
Date: Tue, 20 Aug 2024 14:02:59 -0700
Subject: [PATCH] [PRODSEC-6009] Enable dependabot and automerge (#1)

* PRODSEC-6009 Add to dependabot.yml
* PRODSEC-6009 Add dependabot-auto-merge.yml
* PRODSEC-6009 Add dependabot-auto-merge.config.yml
* PRODSEC-6009 Add lockfiles to CODEOWNERS
* Update CODEOWNERS
* Update .github/dependabot.yml
---
 .github/CODEOWNERS | 18 ++++++++++
 .github/dependabot-auto-merge.config.yml | 24 +++++++++++++
 .github/dependabot.yml | 38 +++++++++++++++++++++
 .github/workflows/dependabot-auto-merge.yml | 19 +++++++++++
 4 files changed, 99 insertions(+)
 create mode 100644 .github/CODEOWNERS
 create mode 100644 .github/dependabot-auto-merge.config.yml
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/dependabot-auto-merge.yml

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..3a8cdbf
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,18 @@
+# * @1debit/$YOUR-GROUP-HERE # Please create a github group for your team so that new contributors will get code reviews quickly!
+#
+# Anyone can edit
+#
+# This allows the @1debitops user to approve PRs and automerge them.
+# If you add someone below, you must also add @1debitops on the same line,
+# otherwise automerge will break.
+# If you wish to not restrict reviewers for these files, but want to get
+# notified on Dependabot PRs, add a "reviewers" section to your dependabot.yml
+Gemfile
+Gemfile.lock
+package.json
+yarn.lock
+package-lock.json
+go.mod
+go.sum
+requirements.txt
+requirements-runtime.txt
diff --git a/.github/dependabot-auto-merge.config.yml b/.github/dependabot-auto-merge.config.yml
new file mode 100644
index 0000000..9611312
--- /dev/null
+++ b/.github/dependabot-auto-merge.config.yml
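Review bot: The nine pattern lines from `Gemfile` through `requirements-runtime.txt` carry no owner, and the only `*` rule is commented out with a `$YOUR-GROUP-HERE` placeholder, so as far as this file shows no path in the repository has a required code owner and Dependabot lockfile changes can be approved and merged with no human reviewer. That is what the header comment intends for the automerge bot, but it also means a malicious or compromised upstream release that passes CI lands on the default branch unreviewed, and that trade-off is not stated; I would add `# NOTE: the ownerless patterns below deliberately remove the required-reviewer gate for Dependabot PRs; CI status checks are then the only control, so keep dependabot-auto-merge.config.yml narrow.` above the pattern list. If a real team is meant to own the rest of the repository, the first line needs the group filled in and the leading `# ` removed before merge, since a commented placeholder has no effect. Patterns without a leading `/` match a file of that name in any directory, which is presumably intended here but worth a one-line comment.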
@@ -0,0 +1,24 @@
+# Safest config:
+# merge minor development dependency updates (won't affect production code)
+- match:
+ dependency_type: development
+ update_type: semver:minor # includes patch updates!
+
+#
+# Good config if you're confident in your test coverage, integration tests, canaries:
+#
+
+# # merge patch production and security dependency updates
+# - match:
+# dependency_type: production
+# update_type: semver:patch
+
+# - match:
+# dependency_type: production
+# update_type: security:patch
+
+# # Uncomment if you use chime-core:
+# # chime-core is currently versioned as ..