diff --git a/.github/workflows/automerge-global.yml b/.github/workflows/automerge-global.yml
new file mode 100644
index 0000000..ada9b08
--- /dev/null
+++ b/.github/workflows/automerge-global.yml
@@ -0,0 +1,72 @@
+---
+name: Approve and Auto-Merge Pull Request
+
+# This re-usable workflow helps to approve and enable automerge of pull requests if it's made by an author.
+
+on:
+ workflow_call:
+ inputs:
+ author-name:
+ type: string
+ default: renovate[bot]
+
+jobs:
+ approve-and-auto-merge:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+
+ - name: Generate token for GitHub
+ id: generate-github-token
+ uses: camunda/infra-global-github-actions/generate-github-app-token-from-vault-secrets@f5bbd25c97507d6d2a884eebecaa804a6e34b15f # f5bbd25c97507d6d2a884eebecaa804a6e34b15f
+ with:
+ github-app-id-vault-key: GITHUB_APP_ID
+ github-app-id-vault-path: secret/data/products/infrastructure-experience/ci/common
+ github-app-private-key-vault-key: GITHUB_APP_PRIVATE_KEY
+ github-app-private-key-vault-path: secret/data/products/infrastructure-experience/ci/common
+ vault-auth-method: approle
+ vault-auth-role-id: ${{ secrets.VAULT_ROLE_ID }}
+ vault-auth-secret-id: ${{ secrets.VAULT_SECRET_ID }}
+ vault-url: ${{ secrets.VAULT_ADDR }}
+
+ - name: Check author and type of change
+ id: check-major
+ run: |
+ : # we don't rely on github.actor as it's the latest person to schedule/trigger the workflow.
+ pr_author="$(gh pr view ${{ github.event.pull_request.number }} --json author --jq '.author.login')"
+
+ if [ "$pr_author" = "${{ inputs.author-name }}" ]; then
+ echo "skip=false" | tee -a "$GITHUB_ENV"
+ else
+ echo "This PR was not created by ${{ inputs.author-name }}, skipping auto approval."
+ echo "skip=true" | tee -a "$GITHUB_ENV"
+ exit 0
+ fi
+
+ : # prevent major changes from auto merge
+ branch_name="$(git rev-parse --abbrev-ref HEAD)"
+ if echo "$branch_name" | grep -q -i 'major'; then
+ echo "This PR is related to major changes. Skipping approval and auto-merge."
+ echo "skip=true" | tee -a "$GITHUB_ENV"
+ else
+ echo "This PR does not involve major changes."
+ echo "skip=false" | tee -a "$GITHUB_ENV"
+ fi
+ env:
+ GH_TOKEN: ${{ steps.generate-github-token.outputs.token }}
+
+ - name: Approve Pull Request and auto-merge
+ if: env.skip == 'false'
+ run: |
+ echo "Waiting 30s to ensure that the pipeline train is running"
+ sleep 30s
+
+ : # Approve the PR and add a comment with workflow reference
+ workflow_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+ gh pr review ${{ github.event.pull_request.number }} --approve
+ gh pr comment ${{ github.event.pull_request.number }} --body "This PR has been approved and will be auto-merged by the GitHub Actions workflow if all conditions are met and tests pass. The PR does not involve major changes. Workflow run: [See details](${workflow_url})"
+ gh pr merge ${{ github.event.pull_request.number }} --auto --squash
+ env:
+ GH_TOKEN: ${{ steps.generate-github-token.outputs.token }}
diff --git a/.github/workflows/renovate-automerge.yml b/.github/workflows/renovate-automerge.yml
new file mode 100644
index 0000000..4d580d6
--- /dev/null
+++ b/.github/workflows/renovate-automerge.yml
@@ -0,0 +1,11 @@
+---
+name: Renovate Auto Merge
+
+on:
+ pull_request:
+ types: [opened, reopened, ready_for_review]
+
+jobs:
+ lint:
+ uses: ./.github/workflows/automerge-global.yml
+ secrets: inherit
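Review bot: The "major" guard in the `Check author and type of change` step looks ineffective: with no `ref:` given, `actions/checkout` on a `pull_request` event checks out the detached merge commit, so `git rev-parse --abbrev-ref HEAD` prints `HEAD` rather than the Renovate branch name and `grep -q -i 'major'` never matches, meaning major updates would be approved and auto-merged like any other. Take the branch name from the event and pass it through the environment instead, `branch_name="$PR_HEAD_REF"` with `PR_HEAD_REF: ${{ github.head_ref }}` added under that step's `env:`. The same script also interpolates `${{ inputs.author-name }}` directly into shell; the value comes from the calling workflow, but routing it through `AUTHOR_NAME: ${{ inputs.author-name }}` and comparing `"$AUTHOR_NAME"` keeps the `run:` block free of expression injection and is the pattern the rest of the file already follows for `GH_TOKEN`. Note that the check only looks at the PR author, so any commits already pushed to that branch by other write-access holders are approved along with Renovate's — presumably acceptable under the repository's branch protection, but worth stating in the header comment.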
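Review bot: The job in `renovate-automerge.yml` is named `lint`, which misdescribes a job that approves and merges pull requests and will appear under that name in check lists and audit logs; rename it to something like `approve-and-auto-merge` to match the reusable workflow it calls. The caller also declares no `permissions:` block, so the default `GITHUB_TOKEN` grant applies even though every API call goes through the Vault-issued app token; adding `permissions:` / `  contents: read` at the top level keeps the built-in token at least privilege. Since `types:` omits `synchronize`, a PR whose approval is dismissed by a later push (for example a Renovate rebase under a dismiss-stale-reviews rule) is not re-evaluated — presumably intended, but a one-line comment on the `types:` line would make that explicit.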