IOPZ-2705 Standardize Dependabot automerging

JacobEvelyn · JacobEvelyn · commit ccdf3659aebb · 2024-07-23T15:19:21.000-04:00
This commit updates this repo's `dependabot-prs.yml` to match the
version in our `base-dependabot-automation` repo.
diff --git a/.github/workflows/dependabot-prs.yml b/.github/workflows/dependabot-prs.yml
@@ -21,21 +21,30 @@ jobs:
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
           GITHUB_TOKEN: ${{secrets.PANORAMA_BOT_RW_TOKEN}}
+      - name: Add the Needs QA label to dependabots after any change by someone other than the dependabot bot
+        # Need to avoid the situation where someone removes the "Needs QA" label and we are adding it back.
+        if: ${{ github.actor != 'dependabot[bot]' && github.event.action != 'labeled' }}
+        run: gh pr edit "$PR_URL" --add-label "Needs QA"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.PANORAMA_BOT_RW_TOKEN}}
+      - name: Fetch Dependabot metadata
+        if: ${{ github.actor == 'dependabot[bot]' }}
+        id: dependabot-metadata
+        uses: dependabot/fetch-metadata@v1.1.0
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
       - name: Approve and merge Dependabot PRs for development dependencies
         # Auto-merge the PR if either:
         # a) it has the `development-dependencies` label, which we add for certain
         #    categories of PRs (see `.github/dependabot.yml`), OR
         # b) Dependabot has categorized it as a `direct:development` dependency,
-        #    meaning it's in the Gemfile in a `development` or `test` group
-        #
-        # Note that we also do nothing when the PR has already had auto-merge
-        # enabled, to prevent scenarios where this check runs many times (for
-        # instance, because removing `Needs QA` triggers another run, or because
-        # other PRs are merging and causing this to rebase and trigger another
-        # run) and then approves the PR many times, which is confusing and looks
-        # awkward.
-        if: ${{ github.actor == 'dependabot[bot]' && !github.event.pull_request.auto_merge }}
-        run: gh pr merge --auto --merge "$PR_URL" && gh pr review --approve "$PR_URL"
+        #    meaning it's in the Gemfile in a `development` or `test` group, OR
+        # c) our scripts have flagged the PR as an automergeable dependency (i.e
+        #    a stable dependency with good unit test coverage) that has passed
+        #    the waiting period.
+        if: ${{ (github.actor == 'dependabot[bot]' || github.actor == 'panorama-bot-r') && steps.unique-committers.outputs.committers == '["dependabot[bot]"]' && (contains(github.event.pull_request.labels.*.name, 'development-dependencies') || steps.dependabot-metadata.outputs.dependency-type == 'direct:development' || contains(github.event.pull_request.labels.*.name, 'automerge-dependencies')) }}
+        run: gh pr merge --auto --merge "$PR_URL" && gh pr edit "$PR_URL" --remove-label "Needs QA" && gh pr review --approve "$PR_URL"
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
           GITHUB_TOKEN: ${{secrets.PANORAMA_BOT_RW_TOKEN}}
