Bump github/codeql-action/init from 4.36.2 to 4.36.3 #13
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Auto-merge Dependabot PRs | |
| # pull_request_target is required so we can approve/merge with the elevated | |
| # GITHUB_TOKEN. We never check out PR code, and the if: filter on | |
| # github.event.pull_request.user.login is server-enforced and cannot be spoofed. | |
| on: # zizmor: ignore[dangerous-triggers] | |
| pull_request_target: | |
| types: [opened, reopened] | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| jobs: | |
| auto-merge: | |
| runs-on: ubuntu-latest | |
| if: github.event.pull_request.user.login == 'dependabot[bot]' | |
| steps: | |
| - uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3 | |
| id: metadata | |
| - name: Approve and auto-merge trusted dependencies | |
| if: | | |
| startsWith(steps.metadata.outputs.dependency-names, 'actions/') || | |
| startsWith(steps.metadata.outputs.dependency-names, 'github/') | |
| run: | | |
| gh pr review "$PR_URL" --approve | |
| gh pr merge "$PR_URL" --auto --squash | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PR_URL: ${{ github.event.pull_request.html_url }} |