I mainly use this action for the use-cases below, where a job should run only after multiple CI workflows have finished:

- Deploy to Firebase/Vercel/Netlify
- Release with GitHub Releases
- Auto approve and merge dependabot PRs without a PAT (Personal Access Token)
- Auto approve and merge renovatebot PRs without the `platformAutomerge` feature

Assume the test jobs are defined in another workflow.
```yaml
name: Merge bot PR after CI
on: pull_request
permissions:
  contents: write
  pull-requests: write
  # checks: read # For private repositories
  # actions: read # For private repositories
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@0fb21704c18a42ce5aa8d720ea4b912f5e6babef # v2.0.0
      - name: Wait other jobs
        if: ${{ steps.metadata.outputs.update-type != 'version-update:semver-major' }}
        uses: kachick/wait-other-jobs@2e18e23fce3e7bc76cfb125b4a75acd091c84347 # v2.0.3
        timeout-minutes: 10
      - name: Approve and merge
        if: ${{ steps.metadata.outputs.update-type != 'version-update:semver-major' }}
        run: gh pr review --approve "$PR_URL" && gh pr merge --auto --squash --delete-branch "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  renovate:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'renovate[bot]' }}
    steps:
      - name: Wait other jobs
        uses: kachick/wait-other-jobs@2e18e23fce3e7bc76cfb125b4a75acd091c84347 # v2.0.3
        timeout-minutes: 10
      - name: Approve and merge
        run: gh pr review --approve "$PR_URL" && gh pr merge --auto --squash --delete-branch "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
In the past I used the approach of commenting `@dependabot merge`. That is a simple way to ensure CI has passed. However it requires a PAT (Personal Access Token). A PAT's permission scope cannot be reduced to a single repository, and it requires annoying steps to generate, set and maintain tokens, even with the refined (beta) version. This action provides another way: it checks the statuses of other workflows/jobs in Actions using `GITHUB_TOKEN`.
If you use `GITHUB_TOKEN` as above, make sure these two options are enabled:

- https://github.com/OWNER/REPO/settings => Allow auto-merge

  How to enable with the gh CLI:

  ```sh
  gh repo edit OWNER/REPO --enable-auto-merge
  ```

- https://github.com/OWNER/REPO/settings/actions => Allow GitHub Actions to create and approve pull requests

  How to enable with the gh CLI:

  ```sh
  gh api \
    --method PUT \
    -H "Accept: application/vnd.github+json" \
    -H "X-GitHub-Api-Version: 2022-11-28" \
    /repos/OWNER/REPO/actions/permissions/workflow \
    -F can_approve_pull_request_reviews=true
  ```

See GitHub Blog for further detail.
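As an added preflight check (not part of wait-other-jobs or this README), the following POSIX shell script reads both settings back through `gh api` and reports which one is still missing before you rely on the workflow above. It assumes an authenticated `gh`; the function names `evaluate_settings` and `check_repo` are my own.

```shell
#!/bin/sh
# Preflight check for the GITHUB_TOKEN-based auto-merge pattern.
# Added example; assumes `gh auth status` succeeds for the target repository.
set -eu

# evaluate_settings AUTO_MERGE CAN_APPROVE
# Both arguments are the literal strings "true"/"false" (or "null" when the
# field is absent) as printed by `gh api --jq`. Returns 0 when both required
# settings are enabled, 1 otherwise, and names each missing setting on stderr.
evaluate_settings() {
  auto_merge="$1"
  can_approve="$2"
  ok=0
  if [ "$auto_merge" != "true" ]; then
    echo "missing: Allow auto-merge (gh repo edit OWNER/REPO --enable-auto-merge)" >&2
    ok=1
  fi
  if [ "$can_approve" != "true" ]; then
    echo "missing: Allow GitHub Actions to create and approve pull requests" >&2
    ok=1
  fi
  return $ok
}

# check_repo OWNER/REPO
# Queries the repository object (allow_auto_merge) and the workflow
# permissions endpoint (can_approve_pull_request_reviews), then evaluates them.
check_repo() {
  repo="$1"
  auto_merge=$(gh api "/repos/$repo" --jq '.allow_auto_merge')
  can_approve=$(gh api "/repos/$repo/actions/permissions/workflow" \
    --jq '.can_approve_pull_request_reviews')
  evaluate_settings "$auto_merge" "$can_approve"
}

# Usage: check_repo OWNER/REPO
```

Run `check_repo OWNER/REPO` from a shell where `gh` is logged in with access to the repository; a non-zero exit means at least one of the two settings is off and the approve/merge step would fail at runtime.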
- The merging logic above is written in the GitHub official docs. However, a commit merged with `GITHUB_TOKEN` does not trigger new workflows, even those defined on `push`. So the badges will not be shown in the commit history of the default branch :<
- `automerge` is slow, and `platformAutomerge` requires many repository settings. If you have no issues with those, you do not need to migrate to this action. `platformAutomerge` requires many changes in repository settings: Allow auto-merge, Require status checks to pass before merging, and specifying the checked workflow name. Specifying mandatory CI names in all of my personal repositories is an annoying task for me. If we are talking only about organizations, hashicorp/terraform might make it easier.