Dependabot automerge (#94)

* Testing auto merge * Update v4 action * Short circuit when only .github touches
2025-12-16 18:14:44 -06:00 · 2025-12-15 16:48:12 -06:00
parent 0319dbf407
commit 7ff36eb2e5
4 changed files with 96 additions and 38 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,12 +3,8 @@ name: CI
 on:
  pull_request:
    branches: [main]
-    paths-ignore:
-      - '.github/**'
  push:
    branches: [main]
-    paths-ignore:
-      - '.github/**'

 jobs:
  lint-and-test:
@@ -17,22 +13,39 @@ jobs:
    steps:
      - uses: actions/checkout@v6
      
+      - id: changes
+        uses: dorny/paths-filter@v3
+        with:
+          filters: |
+            run_ci:
+              - '!**/.github/**'
+
+      - name: Skip (only .github changes)
+        if: steps.changes.outputs.run_ci != 'true'
+        run: echo "Skipping CI for .github-only change."
+      
      - uses: pnpm/action-setup@v4
+        if: steps.changes.outputs.run_ci == 'true'
        with:
          version: latest
          
      - uses: actions/setup-node@v6
+        if: steps.changes.outputs.run_ci == 'true'
        with:
          node-version: '22'
          cache: 'pnpm'
          
      - run: pnpm install --frozen-lockfile
+        if: steps.changes.outputs.run_ci == 'true'
      
      - name: Lint
+        if: steps.changes.outputs.run_ci == 'true'
        run: pnpm lint
        
      - name: Test
+        if: steps.changes.outputs.run_ci == 'true'
        run: pnpm test
        
      - name: Build
+        if: steps.changes.outputs.run_ci == 'true'
        run: pnpm build
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -3,10 +3,6 @@ name: CodeQL
 on:
  pull_request:
    branches: [ main ]
-    paths:
-      - 'src/**'
-      - 'package.json'
-      - 'pnpm-lock.yaml'
  schedule:
    - cron: '0 2 * * 1'  # Weekly on Mondays

@@ -19,15 +15,30 @@ jobs:
      security-events: write

    steps:
-    - uses: actions/checkout@v6
+      - uses: actions/checkout@v6

-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
-      with:
-        languages: javascript
+      - id: changes
+        if: github.event_name == 'pull_request'
+        uses: dorny/paths-filter@v3
+        with:
+          filters: |
+            run_analysis:
+              - '!**/.github/**'

-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v4
+      - name: Skip (only .github changes)
+        if: github.event_name == 'pull_request' && steps.changes.outputs.run_analysis != 'true'
+        run: echo "Skipping CodeQL for .github-only change."

-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      - name: Initialize CodeQL
+        if: github.event_name != 'pull_request' || steps.changes.outputs.run_analysis == 'true'
+        uses: github/codeql-action/init@v4
+        with:
+          languages: javascript
+
+      - name: Autobuild
+        if: github.event_name != 'pull_request' || steps.changes.outputs.run_analysis == 'true'
+        uses: github/codeql-action/autobuild@v4
+
+      - name: Perform CodeQL Analysis
+        if: github.event_name != 'pull_request' || steps.changes.outputs.run_analysis == 'true'
+        uses: github/codeql-action/analyze@v4
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,26 @@
+name: Dependabot Auto Merge
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+      - reopened
+
+permissions:
+  pull-requests: write
+  contents: write
+
+jobs:
+  auto-merge:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Auto-approve Dependabot PR
+        uses: hmarr/auto-approve-action@v4
+
+      - name: Enable auto-merge for Dependabot PR
+        uses: actions/dependabot-auto-merge@v2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          merge-method: squash
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -3,16 +3,8 @@ name: Security
 on:
  push:
    branches: [ main ]
-    paths:
-      - 'src/**'
-      - 'package.json'
-      - 'pnpm-lock.yaml'
  pull_request:
    branches: [ main ]
-    paths:
-      - 'src/**'
-      - 'package.json'
-      - 'pnpm-lock.yaml'
  schedule:
    - cron: '0 6 * * 1'  # Weekly on Mondays

@@ -20,20 +12,36 @@ jobs:
  dependency-scan:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v6
+      - uses: actions/checkout@v6
    
-    - name: Setup Node.js
-      uses: actions/setup-node@v6
-      with:
-        node-version: '22'
+      - id: changes
+        if: github.event_name != 'schedule'
+        uses: dorny/paths-filter@v3
+        with:
+          filters: |
+            run_scan:
+              - '!**/.github/**'
+
+      - name: Skip (only .github changes)
+        if: github.event_name != 'schedule' && steps.changes.outputs.run_scan != 'true'
+        run: echo "Skipping security audit for .github-only change."
+    
+      - name: Setup Node.js
+        if: github.event_name == 'schedule' || steps.changes.outputs.run_scan == 'true'
+        uses: actions/setup-node@v6
+        with:
+          node-version: '22'
        
-    - name: Setup pnpm
-      uses: pnpm/action-setup@v4
-      with:
-        version: latest
+      - name: Setup pnpm
+        if: github.event_name == 'schedule' || steps.changes.outputs.run_scan == 'true'
+        uses: pnpm/action-setup@v4
+        with:
+          version: latest
        
-    - name: Install dependencies
-      run: pnpm install
+      - name: Install dependencies
+        if: github.event_name == 'schedule' || steps.changes.outputs.run_scan == 'true'
+        run: pnpm install
      
-    - name: Run security audit
-      run: pnpm audit --audit-level moderate
+      - name: Run security audit
+        if: github.event_name == 'schedule' || steps.changes.outputs.run_scan == 'true'
+        run: pnpm audit --audit-level moderate