From fead2674a4e22d5ec0668e92bd69c7010041a995 Mon Sep 17 00:00:00 2001
From: Simone Busoli
Date: Wed, 3 Mar 2021 09:02:44 +0100
Subject: [PATCH] feat: approve only (#9)
---
 .github/dependabot.yml | 10 ++++++++++
 .github/workflows/ci.yml | 10 ++++++++++
 .prettierrc | 4 ++++
 README.md | 36 +++++++++++++++++++-----------------
 action.yml | 8 ++++++--
 src/index.js | 31 ++++++++++++++++++++++++-------
 src/util.js | 3 ++-
 7 files changed, 75 insertions(+), 27 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/ci.yml
 create mode 100644 .prettierrc
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..60dd0661
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+ - package-ecosystem: npm
+ directory: '/'
+ schedule:
+ interval: daily
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 00000000..b8b3b0de
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,10 @@
+name: CI
+on: pull_request
+jobs:
+ approve:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: fastify/github-action-merge-dependabot@v1.1.1
+ with:
+ github-token: ${{secrets.GITHUB_TOKEN}}
+ approve-only: true
diff --git a/.prettierrc b/.prettierrc
new file mode 100644
index 00000000..fd496a82
--- /dev/null
+++ b/.prettierrc
@@ -0,0 +1,4 @@
+{
+ "singleQuote": true,
+ "semi": false
+}
diff --git a/README.md b/README.md
index 8218d596..34d78cd2 100644
--- a/README.md
+++ b/README.md
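Review bot: The `uses: fastify/github-action-merge-dependabot@v1.1.1` step in ci.yml passes `approve-only: true`, an input that this same commit introduces in action.yml; if the v1.1.1 tag predates the commit, the released action does not know the input, the runner only warns about it, and the step goes on to merge after approving. The reference is also a mutable tag for a step that is handed a token able to approve pull requests, so pinning to a full commit SHA that contains the new input covers both: `- uses: fastify/github-action-merge-dependabot@<full-commit-sha>` (placeholder). The job has no `if:` on `github.actor` either, unlike the README example, so it relies entirely on the author check inside the action.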
@@ -1,24 +1,28 @@
 # Github Action Merge Dependabot
-This action automatically merges dependabot PRs.
+This action automatically approves and merges dependabot PRs.
 ## Inputs
 ### `github-token`
-**Required** A github token.
+**Required** A GitHub token.
 ### `exclude`
-*Optional* An array of packages that you don't want to auto-merge and would like to manually review to decide whether to upgrade or not.
+_Optional_ An array of packages that you don't want to auto-merge and would like to manually review to decide whether to upgrade or not.
+
+### `approve-only`
+
+_Optional_ If `true`, the PR is only approved but not merged. Defaults to `false`.
 ### `merge-method`
-*Optional* The merge method you would like to use (squash, merge, rebase). Default to `squash` merge.
+_Optional_ The merge method you would like to use (squash, merge, rebase). Default to `squash` merge.
 ### `merge-comment`
-*Optional* An arbitrary message that you'd like to comment on the PR after it gets auto-merged. This is only useful when you're recieving too much of noise in email and would like to filter mails for PRs that got automatically merged.
+_Optional_ An arbitrary message that you'd like to comment on the PR after it gets auto-merged. This is only useful when you're recieving too much of noise in email and would like to filter mails for PRs that got automatically merged.
 ## Example usage
@@ -29,8 +33,7 @@ on: [push, pull_request]
 jobs:
 build:
 runs-on: ubuntu-latest
- steps:
- ...
+ steps: # ...
 automerge:
 needs: build
@@ -39,23 +42,22 @@ jobs:
 - uses: fastify/github-action-merge-dependabot@v1
 if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request' }}
 with:
- github-token: ${{secrets.github_token}}
+ github-token: ${{secrets.GITHUB_TOKEN}}
 ```
 **Note**
-- The `github_token` is automatically provided by Github Actions, which we access using `secrets.github_token` and supply to the action as an input `github-token`.
+- The GitHub token is automatically provided by Github Actions, which we access using `secrets.GITHUB_TOKEN` and supply to the action as an input `github-token`.
+- This action must be used in the context of a Pull Request. If the workflow can be triggered by other events (e.g. push), make sure to include `github.event_name == 'pull_request'` in the action conditions, as shown in the example.
 - Make sure to use `needs: ` to delay the auto-merging until CI checks (test/build) are passed.
 ## With `exclude`
 ```yml
-...
- steps:
- - uses: fastify/github-action-merge-dependabot@v1
- if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request' }}
- with:
- github-token: ${{secrets.github_token}}
- exclude: ['material-ui']
-...
+steps:
+ - uses: fastify/github-action-merge-dependabot@v1
+ if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request' }}
+ with:
+ github-token: ${{secrets.github_token}}
+ exclude: ['react']
 ```
diff --git a/action.yml b/action.yml
index 1433d9f1..0f1cee3d 100644
--- a/action.yml
+++ b/action.yml
@@ -1,12 +1,16 @@
 name: "Github Action Merge Dependabot"
-description: "Automatically merge dependabot PRs"
+description: "Automatically approve and merge dependabot PRs"
 inputs:
 github-token:
- description: "A GitHub token."
+ description: "A GitHub token"
 required: true
 exclude:
 description: "Packages that you want to manually review before upgrading"
 required: false
+ approve-only:
+ description: "If true, the PR is only approved but not merged"
+ required: false
+ default: false
 merge-method:
 description: "The merge method you would like to use (squash, merge, rebase)"
 required: false
diff --git a/src/index.js b/src/index.js
index a72d5cbb..438ec2b5 100644
--- a/src/index.js
+++ b/src/index.js
@@ -4,13 +4,26 @@ const github = require('@actions/github')
 const { logInfo } = require('./log')
 const { getInputs } = require('./util')
-const { GITHUB_TOKEN, MERGE_METHOD, EXCLUDE_PKGS, MERGE_COMMENT } = getInputs()
+const {
+ GITHUB_TOKEN,
+ MERGE_METHOD,
+ EXCLUDE_PKGS,
+ MERGE_COMMENT,
+ APPROVE_ONLY,
+} = getInputs()
-async function run () {
+async function run() {
 try {
 const octokit = github.getOctokit(GITHUB_TOKEN)
 const { repository, pull_request: pr } = github.context.payload
+
+ if (!pr) {
+ throw new Error(
+ 'This action must be used in the context of a Pull Request'
+ )
+ }
+
 const owner = repository.owner.login
 const repo = repository.name
 const prNumber = pr.number
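Review bot: `default: false` for `approve-only` in action.yml reaches the action as the string `'false'`, because `core.getInput` returns strings, and any non-empty string is truthy in `if (APPROVE_ONLY)` in the second src/index.js hunk. As written the action stops after approving whenever the input is left unset or set to `false`, so the merge path is never reached and the flag cannot be turned off. The value is read in the src/util.js hunk, which is where the comparison belongs: `APPROVE_ONLY: core.getInput('approve-only') === 'true',`.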
@@ -18,28 +31,32 @@ async function run () {
 const isDependabotPR = pr.user.login === 'dependabot[bot]'
 if (!isDependabotPR) {
- return logInfo('Not dependabot PR, skip merging.')
+ return logInfo('Not dependabot PR, skipping.')
 }
 // dependabot branch names are in format "dependabot/npm_and_yarn/pkg-0.0.1"
 const pkgName = pr.head.ref.split('/').pop().split('-').shift()
 if (EXCLUDE_PKGS.includes(pkgName)) {
- return logInfo(`${pkgName} is excluded, skip merging.`)
+ return logInfo(`${pkgName} is excluded, skipping.`)
 }
 await octokit.pulls.createReview({
 owner,
 repo,
 pull_number: prNumber,
- event: 'APPROVE'
+ event: 'APPROVE',
 })
+ if (APPROVE_ONLY) {
+ return logInfo('Approving only.')
+ }
+
 await octokit.pulls.merge({
 owner,
 repo,
 pull_number: prNumber,
- merge_method: MERGE_METHOD
+ merge_method: MERGE_METHOD,
 })
 if (MERGE_COMMENT) {
@@ -47,7 +64,7 @@ async function run () {
 owner,
 repo,
 issue_number: prNumber,
- body: MERGE_COMMENT
+ body: MERGE_COMMENT,
 })
 }
 } catch (error) {
diff --git a/src/util.js b/src/util.js
index 246c7f76..f694961d 100644
--- a/src/util.js
+++ b/src/util.js
@@ -23,5 +23,6 @@ exports.getInputs = () => ({
 GITHUB_TOKEN: core.getInput('github-token', { required: true }),
 MERGE_METHOD: getMergeMethod(),
 EXCLUDE_PKGS: core.getInput('exclude') || [],
- MERGE_COMMENT: core.getInput('merge-comment') || ''
+ MERGE_COMMENT: core.getInput('merge-comment') || '',
+ APPROVE_ONLY: core.getInput('approve-only')
 })
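Review bot: The approval issued by `octokit.pulls.createReview` in the second src/index.js hunk is gated only on `pr.user.login === 'dependabot[bot]'` and the exclude list, so it covers every commit on the branch at that moment, not only the ones Dependabot pushed. A pull request keeps its original author when someone else pushes to its branch, and with the new approve-only mode the bot's review may be the one that satisfies a required-review rule. Checking the PR's commits before approving closes that gap; the sketch below reads only the first page of commits and assumes Dependabot's commits show as verified in this repository. `run` begins and ends outside the hunk.

```javascript
    // … unchanged: dependabot author check and exclude check …

    // Approve only when every commit on the PR is a verified Dependabot commit.
    const { data: commits } = await octokit.pulls.listCommits({
      owner,
      repo,
      pull_number: prNumber,
    })
    const allFromDependabot = commits.every(
      (c) =>
        c.author &&
        c.author.login === 'dependabot[bot]' &&
        c.commit.verification &&
        c.commit.verification.verified
    )
    if (!allFromDependabot) {
      return logInfo('PR has commits not verified as dependabot, skipping.')
    }

    await octokit.pulls.createReview({
    // … unchanged: review arguments, APPROVE_ONLY return, merge …
```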