Skip to content

build(deps): bump the github-actions group with 2 updates #1

build(deps): bump the github-actions group with 2 updates

build(deps): bump the github-actions group with 2 updates #1

name: 'Linuxfabrik: Dependabot auto-merge'
on:
pull_request: {}
permissions: 'read-all'
env:
# Lockfiles that have no `directory:` entry in `.github/dependabot.yml`
# because upstream packages keep raising their minimum Python. Dependabot
# security updates ignore that allowlist, so a bump can still show up here.
FROZEN_LOCKFILES: '["/lockfiles/py39", "/lockfiles/py310"]'
jobs:
auto-merge:
runs-on: 'ubuntu-latest'
if: 'github.actor == ''dependabot[bot]'''
permissions:
contents: 'write'
pull-requests: 'write'
steps:
- uses: 'dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98' # v3.1.0
id: 'meta'
# A bump against a frozen lockfile is left open for a human. Dependabot
# does not honour `Requires-Python`, so it may propose a version that
# drops the interpreter the lockfile exists for (py39 -> RHEL 8, RHEL 9,
# Debian 11; py310 -> Ubuntu 22.04). It may equally propose a security
# fix that still supports it. Only a human can tell the two apart, so
# the PR is neither merged nor closed. Regenerate the lockfile with
# `pip-compile` on a matching Python host once the bump is accepted.
- if: >-
contains(fromJSON(env.FROZEN_LOCKFILES), steps.meta.outputs.directory)
&& github.event.action == 'opened'
run: |
gh pr comment "$PR_URL" --body "Not auto-merged: \`${DIRECTORY}\` is frozen because Dependabot does not honour \`Requires-Python\`. Check whether \`${DEPENDENCY}\` still supports that lockfile's interpreter. If it does, regenerate the lockfile with \`pip-compile\` on a matching Python host. Either way, close this PR afterwards."
env:
DEPENDENCY: '${{ steps.meta.outputs.dependency-names }}'
DIRECTORY: '${{ steps.meta.outputs.directory }}'
GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
PR_URL: '${{ github.event.pull_request.html_url }}'
- if: >-
!contains(fromJSON(env.FROZEN_LOCKFILES), steps.meta.outputs.directory)
&& (steps.meta.outputs.update-type == 'version-update:semver-patch'
|| steps.meta.outputs.update-type == 'version-update:semver-minor')
run: 'gh pr merge --auto --squash "$PR_URL"'
env:
GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
PR_URL: '${{ github.event.pull_request.html_url }}'