auto-merge-dependabot.yml

name: auto-merge dependabot updates

on:
  pull_request_target:
    branches: [ main ]
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review

permissions:
  pull-requests: write
  contents: write

jobs:
  dependabot-merge:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}

    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2.2.0
        with:
          github-token: "${{ secrets.DEPENDABOT_PAT }}"  # Using PAT for enhanced features, alert-lookup, and compat-lookup
          alert-lookup: true    # Enable security alert information
          compat-lookup: true   # Enable compatibility score checking

      - name: Check security and compatibility
        id: security_check
        run: |
          DEPS_JSON='${{ steps.metadata.outputs.updated-dependencies-json }}'
          
          # Perform checks
          if [ "${{ steps.metadata.outputs.alert-state }}" = "OPEN" ]; then
            echo "⚠️ Security alert detected (GHSA: ${{ steps.metadata.outputs.ghsa-id }})"
            echo "CVSS Score: ${{ steps.metadata.outputs.cvss }}"
            echo "is_security_update=true" >> $GITHUB_OUTPUT
          else
            echo "is_security_update=false" >> $GITHUB_OUTPUT
          fi
          
          if [ "${{ steps.metadata.outputs.compatibility-score }}" -lt 75 ]; then
            echo "⚠️ Low compatibility score: ${{ steps.metadata.outputs.compatibility-score }}"
            echo "is_compatible=false" >> $GITHUB_OUTPUT
          else
            echo "is_compatible=true" >> $GITHUB_OUTPUT
          fi
          
          if [ "${{ steps.metadata.outputs.maintainer-changes }}" = "true" ]; then
            echo "⚠️ Maintainer changes detected"
            echo "has_maintainer_changes=true" >> $GITHUB_OUTPUT
          else
            echo "has_maintainer_changes=false" >> $GITHUB_OUTPUT
          fi

      - name: Checkout repository
        uses: actions/checkout@v4
        if: ${{ steps.metadata.outputs.package-ecosystem == 'gomod' }}

      - name: Setup Go
        uses: actions/setup-go@v5
        if: ${{ steps.metadata.outputs.package-ecosystem == 'gomod' }}
        with:
          go-version: 'stable'

      - name: Process Go dependencies
        if: ${{ steps.metadata.outputs.package-ecosystem == 'gomod' }}
        run: |
          log_update_details() {
            local pr_number=$1
            echo "::group::Dependency Update Details for PR #$pr_number"
            echo "🔄 Dependencies: ${{ steps.metadata.outputs.dependency-names }}"
            echo "📦 Type: ${{ steps.metadata.outputs.dependency-type }}"
            echo "📈 Version: ${{ steps.metadata.outputs.previous-version }} → ${{ steps.metadata.outputs.new-version }}"
            echo "📂 Directory: ${{ steps.metadata.outputs.directory }}"
            [ "${{ steps.security_check.outputs.is_security_update }}" = "true" ] && \
              echo "🚨 Security update (CVSS: ${{ steps.metadata.outputs.cvss }})"
            echo "::endgroup::"
          }

          echo "🔍 Fetching all Go-related Dependabot PRs..."
          GO_PRS=$(gh pr list \
            --author "dependabot[bot]" \
            --json number,title,createdAt,headRefName \
            --state open \
            --jq 'sort_by(.createdAt) | .[] | select(.title | contains("go.mod"))')

          CURRENT_PR_PROCESSED=false
          
          echo "$GO_PRS" | while read -r pr; do
            PR_NUMBER=$(echo "$pr" | jq -r .number)
            HEAD_BRANCH=$(echo "$pr" | jq -r .headRefName)
            
            log_update_details $PR_NUMBER
            
            # Skip indirect dependencies unless they're security updates
            if [ "${{ steps.metadata.outputs.dependency-type }}" = "indirect" ] && \
               [ "${{ steps.security_check.outputs.is_security_update }}" != "true" ]; then
              echo "⏭️ Skipping indirect dependency update"
              continue
            fi

            # Special handling for security updates
            if [ "${{ steps.security_check.outputs.is_security_update }}" = "true" ]; then
              echo "🚨 Processing security update with priority"
              PRIORITY_MERGE=true
            fi

            git fetch origin $HEAD_BRANCH
            git checkout $HEAD_BRANCH
            git pull origin $HEAD_BRANCH
            
            echo "🛠️ Running go mod tidy for PR #$PR_NUMBER"
            go mod tidy
            
            if git diff --quiet; then
              echo "✨ No changes required for PR #$PR_NUMBER"
            else
              echo "💾 Committing changes for PR #$PR_NUMBER"
              git config --global user.name "GitHub Actions"
              git config --global user.email "actions@github.com"
              git commit -am "chore: go mod tidy for PR #$PR_NUMBER"
              git push origin $HEAD_BRANCH
            fi
            
            # Auto-merge decision logic
            if [ "$PR_NUMBER" = "$CURRENT_PR_NUMBER" ]; then
              CURRENT_PR_PROCESSED=true
              if { [ "$UPDATE_TYPE" != "version-update:semver-major" ] || \
                  [ "${{ steps.security_check.outputs.is_security_update }}" = "true" ]; } && \
                  [ "${{ steps.security_check.outputs.is_compatible }}" = "true" ] && \
                  [ "${{ steps.security_check.outputs.has_maintainer_changes }}" = "false" ]; then
                echo "🤖 Enabling auto-merge for current PR #$PR_NUMBER"
                gh pr merge --auto --merge "$PR_URL"
              fi
            elif [ "$CURRENT_PR_PROCESSED" = false ]; then
              echo "🔄 Processing older PR #$PR_NUMBER first"
              gh pr merge --auto --merge "$PR_NUMBER"
            fi
          done
        env:
          GITHUB_TOKEN: ${{ secrets.DEPENDABOT_PAT }}
          PR_URL: ${{ github.event.pull_request.html_url }}
          CURRENT_PR_NUMBER: ${{ github.event.pull_request.number }}
          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}

      # Handle other dependencies with security awareness
      - name: Enable auto-merge for pipeline dependencies
        if: |
          steps.security_check.outputs.is_compatible == 'true' &&
          steps.security_check.outputs.has_maintainer_changes == 'false' &&
          (steps.metadata.outputs.update-type != 'version-update:semver-major' || steps.security_check.outputs.is_security_update == 'true') && 
          contains(steps.metadata.outputs.directory, '.github/workflows')
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.DEPENDABOT_PAT}}

      - name: Enable auto-merge for other dependencies
        if: |
          steps.security_check.outputs.is_compatible == 'true' &&
          steps.security_check.outputs.has_maintainer_changes == 'false' &&
          (steps.metadata.outputs.update-type != 'version-update:semver-major' || steps.security_check.outputs.is_security_update == 'true') && 
          steps.metadata.outputs.package-ecosystem != 'gomod' &&
          !contains(steps.metadata.outputs.directory, '.github/workflows')
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.DEPENDABOT_PAT}}