From 2f660aff15cbf2291ff114f490136b83e9eff980 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Budai?=
Date: Tue, 17 Oct 2023 14:45:08 +0200
Subject: [PATCH] github: Merge dependabot PRs as a proper bot account
Currently, we merge these PRs as the default GitHub Actions bot account. However, I'm fairly sure that this bot account cannot spawn new actions as a protection against recursive actions. Thus, the merge train will fail because no actions will be spawned for it since the train was created by the default bot. This commit uses the Schutzbot's token in order to create the merge train. This should allow GitHub to create the neccessary workflows when Schutzbot auto-merges the PR. Since secrets are not available on pull_request workflows, I changed the trigger to pull_request_target. This shouldn't have any other effects on the workflow.
---
 .github/workflows/auto-merge-dependabot.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/auto-merge-dependabot.yml b/.github/workflows/auto-merge-dependabot.yml
index 3ae9bb516b..f5e014fbb4 100644
--- a/.github/workflows/auto-merge-dependabot.yml
+++ b/.github/workflows/auto-merge-dependabot.yml
@@ -1,7 +1,7 @@
 # Taken from https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#common-dependabot-automations
 name: Dependabot auto-approve and auto-merge
-on: pull_request
+on: pull_request_target
 permissions: write-all
@@ -14,10 +14,10 @@ jobs:
 run: gh pr review --approve "$PR_URL"
 env:
 PR_URL: ${{github.event.pull_request.html_url}}
- GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+ GITHUB_TOKEN: ${{secrets.SCHUTZBOT_GITHUB_ACCESS_TOKEN}}
 - name: Enable auto-merge for Dependabot PRs
 run: gh pr merge --auto --rebase "$PR_URL"
 env:
 PR_URL: ${{github.event.pull_request.html_url}}
- GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+ GITHUB_TOKEN: ${{secrets.SCHUTZBOT_GITHUB_ACCESS_TOKEN}}
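Review bot: `permissions: write-all` stays in place in the first hunk while the trigger becomes `pull_request_target`, so the job's default token keeps every write scope on a trigger that runs in the base repository's context with secrets available. Both steps now pass the Schutzbot token to `gh`, so the default token looks unused and could be dropped with `permissions: {}`. The commit message says the trigger change has no other effects on the workflow; a comment above `on:` such as `# pull_request_target: runs with repository secrets; never check out or execute PR head code in this workflow` would record the constraint for future edits.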
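Review bot: Both steps in the second hunk now hand `SCHUTZBOT_GITHUB_ACCESS_TOKEN` to `gh pr review --approve` and `gh pr merge --auto`, and the only thing deciding which pull requests get that treatment is the job-level condition, which sits above this hunk (file lines 8–13) and is not shown. If that condition tests `github.actor`, it is worth switching to the PR author, `if: github.event.pull_request.user.login == 'dependabot[bot]'`, because the actor is whoever triggered the latest event rather than whoever opened the pull request. The token itself should be scoped to no more than approving and merging pull requests on this repository. The job body starts outside the hunk, so this needs checking against the full file.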