auto merge dependabot updates #177
Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.
Hi @tjenkinson 👋🏼 Thanks for opening the PR. I think you may be the first external contributor to open a pull request on this newly-public repository! 🎁 I love the idea of this change, and agree that we should automate things like @dependabot PRs. But we also need to be careful about adding third-party Actions to our codebase without first conducting a security audit. I'll need to discuss this with the @github/docs-engineering team to figure out how we'd like to proceed. We'll get back to you soon.
Awesome! Thanks for the speedy reply :) No rush. It works well for me but no worries if you go with something else.
I discussed this with the team and I think we'll be able to accept this change, but first: #180
Update: I audited the code at https://github.com/tjenkinson/gh-action-auto-merge-dependency-updates/blob/0882a8edde9070b608c8f19837f2a545bf6f2c28/src/run.ts#L61-L64 and it looks reasonable to me. 👍🏼
@tjenkinson if you can now add your Action to .github/allowed-actions.js, this should turn green again:
tjenkinson/gh-action-auto-merge-dependency-updates@0882a8e
Once that's done, we can ship it!
Done! I’m not sure if it will work properly right now though actually because it looks like a reviewer is required so it still might not have permission to merge automatically?
Looks like on #286 for example the bot also approves the PR, but not sure where that’s happening from. Can add an option for that to the action if needed
I updated it to a newer version that will now also first approve the PR
Nice! Let's give it a go.
@all-contributors please add @tjenkinson for code
I've put up a pull request to add @tjenkinson! 🎉
Why:
There isn't an existing issue, but I thought this was small enough it probably doesn't need one.
This action (disclaimer: I wrote it) will automerge dependabot PRs that do not contain a major version change when required checks pass. Thought it might be useful.
What's being changed:
Adds an action to automerge dependabot PRs.
Check off the following: