Automerge Dependency Updates

jrjohnson · jrjohnson · commit 1d39288e83e8 · 2021-10-22T14:32:10.000-07:00
Our tests are super good, there isn't any reason to manually review
things that pass tests. The only risk is supply chain attacks and those
are best circumvented be waiting a while between merging and releasing.
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
@@ -0,0 +1,16 @@
+name: Dependabot auto-merge
+on: pull_request_target
+permissions:
+  pull-requests: write
+  contents: write
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    steps:
+      - name: Enable auto-merge for Dependabot PRs
+        uses: peter-evans/enable-pull-request-automerge@v1
+        with:
+          pull-request-number: ${{github.event.pull_request.number}}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          merge-method: merge
diff --git a/.github/workflows/update-transitive-dependenies.yaml b/.github/workflows/update-transitive-dependenies.yaml
@@ -0,0 +1,43 @@
+name: Update Transitive Dependencies
+
+on:
+  schedule:
+    - cron: '15 11 * * 0' # weekly, on Sunday morning (UTC)
+  workflow_dispatch:
+
+jobs:
+  update:
+    name: Tests
+    runs-on: macos-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - uses: actions/setup-node@v2
+      with:
+        node-version: 14
+    - name: remove and re-create lock file
+      run: |
+        rm package-lock.json
+        npm install
+    - name: Create Pull Request
+      id: cpr
+      uses: peter-evans/create-pull-request@v3
+      with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: Update Transitive Dependencies
+          title: Update Transitive Dependencies
+          body: |
+            - Dependency updates
+
+            Auto-generated by [create-pull-request][1]
+
+            [1]: https://github.com/peter-evans/create-pull-request
+          branch: auto-update-dependencies
+          labels: dependencies
+    - name: Enable Pull Request Automerge
+      if: steps.cpr.outputs.pull-request-operation == 'created'
+      uses: peter-evans/enable-pull-request-automerge@v1
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
+        merge-method: merge
