examples.md

Example

I mainly use this action for the use case below, which should run after multiple CI workflows.

Auto merge

Assume the test jobs are defined in another workflow.

name: Merge bot PR after CI
on: pull_request

permissions:
  contents: write
  pull-requests: write
  # checks: read # For private repositories
  # actions: read # For private repositories

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@0fb21704c18a42ce5aa8d720ea4b912f5e6babef # v2.0.0
      - name: Wait other jobs
        if: ${{steps.metadata.outputs.update-type != 'version-update:semver-major'}}
        uses: kachick/wait-other-jobs@2e18e23fce3e7bc76cfb125b4a75acd091c84347 # v2.0.3
        timeout-minutes: 10
      - name: Approve and merge
        if: ${{steps.metadata.outputs.update-type != 'version-update:semver-major'}}
        run: gh pr review --approve "$PR_URL" && gh pr merge --auto --squash --delete-branch "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

  renovate:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'renovate[bot]' }}
    steps:
      - name: Wait other jobs
        uses: kachick/wait-other-jobs@2e18e23fce3e7bc76cfb125b4a75acd091c84347 # v2.0.3
        timeout-minutes: 10
      - name: Approve and merge
        run: gh pr review --approve "$PR_URL" && gh pr merge --auto --squash --delete-branch "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

GITHUB_TOKEN vs PAT

In the past I used the approach of commenting @dependabot merge. This is a simple way to ensure CI has passed.
However, it requires a PAT (Personal Access Token).
A PAT's permission scope couldn't be reduced to a repository.
It also requires annoying steps to generate, set and maintain tokens, even if refined with the beta version.

This action provides another way. It checks the statuses of other workflows/jobs in Actions using GITHUB_TOKEN.

If you use GITHUB_TOKEN as above, make sure the following two options are enabled:

https://github.com/OWNER/REPO/settings => Allow auto-merge

How to enable with gh CLI

gh repo edit OWNER/REPO --enable-auto-merge

https://github.com/OWNER/REPO/settings/actions => Allow GitHub Actions to create and approve pull requests

How to enable with gh CLI

gh api \
  --method PUT \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  /repos/OWNER/REPO/actions/permissions/workflow \
  -F can_approve_pull_request_reviews=true

See GitHub Blog for further detail.
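A read-only check of the two options above, as an added example that is not part of this repository's documentation: it reads the values back through the REST API and reports which workflow step would fail. The names evaluate_settings, audit_repo and audit.sh are hypothetical, and the default_workflow_permissions note is an extra observation beyond the two required options.

```shell
#!/bin/sh
# Added example: read back the repository settings the auto-merge workflow needs.
# Usage: sh audit.sh OWNER/REPO   (gh must be authenticated with admin access)

# evaluate_settings AUTO_MERGE CAN_APPROVE DEFAULT_PERMS
# Prints one line per finding; returns 0 only when both required options are on.
evaluate_settings() {
  es_rc=0
  if [ "$1" != "true" ]; then
    echo "FAIL allow_auto_merge=$1: 'gh pr merge --auto' will fail"
    es_rc=1
  fi
  if [ "$2" != "true" ]; then
    echo "FAIL can_approve_pull_request_reviews=$2: 'gh pr review --approve' will fail"
    es_rc=1
  fi
  # Not one of the two required options: a repository-wide write default gives a
  # write token to every workflow that lacks its own permissions block.
  if [ "$3" = "write" ]; then
    echo "NOTE default_workflow_permissions=write: prefer read plus per-workflow permissions"
  fi
  return "$es_rc"
}

# audit_repo OWNER/REPO: fetch the live values with gh, then evaluate them.
# Returns 2 when an API call fails (for example, missing admin rights).
audit_repo() {
  ar_wf="/repos/$1/actions/permissions/workflow"
  # allow_auto_merge comes back as null when the token cannot see repository settings.
  ar_merge=$(gh api "/repos/$1" --jq '.allow_auto_merge') || return 2
  ar_approve=$(gh api "$ar_wf" --jq '.can_approve_pull_request_reviews') || return 2
  ar_perms=$(gh api "$ar_wf" --jq '.default_workflow_permissions') || return 2
  evaluate_settings "$ar_merge" "$ar_approve" "$ar_perms"
}

# Run only when a repository is given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
  audit_repo "$1"
fi
```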

Cons

Why avoid the automerge and platformAutomerge options officially provided by Renovate?

automerge is slow. platformAutomerge requires many repository settings.

If you have no issues with that, you do not need to migrate to this action.
platformAutomerge requires many changes to repository settings: Allow auto-merge, Require status checks to pass before merging, and specifying the checked workflow name.
Specifying mandatory CI names in all personal repositories is an especially annoying task for me.
If we are talking only about organizations, hashicorp/terraform might make it easier to resolve.