chore(ci/cd): auto dependabot auto merge

.github/workflows/auto-merge.yml

@@ -1,68 +1,28 @@
-name: Dependabot PR auto-merge
+# @see https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request
 
-on:
+name: Dependabot auto-merge
+on: 
   workflow_run:
-    workflows: [on-pull-request]
-    types: ["completed"]
+    workflows: ["on-pull-request"]
+    types: [completed]
+
+permissions:
+  pull-requests: write
+  contents: write
 
 jobs:
-  auto-merge:
-    name: Auto-merge
+  dependabot:
     runs-on: ubuntu-latest
-    # Run this only when the previous workflow was successfull & the initial actor was dependabot
-    if: ${{ github.event.workflow_run.conclusion == 'success' && github.actor == 'dependabot[bot]' }}
+    if: ${{ github.actor == 'dependabot[bot]' && github.event.workflow_run.conclusion == 'success' }}
     steps:
-      - uses: actions/checkout@v2
-      - name: Download PR artifact
-        uses: actions/github-script@v5
-        with:
-          script: |
-            const fs = require('fs');
-
-            // Get all artifacts
-            const artifacts = await github.actions.listWorkflowRunArtifacts({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               run_id: ${{github.event.workflow_run.id }},
-            });
-
-            // Identify the artifact of the PR
-            const matchArtifact = artifacts.data.artifacts.filter((artifact) => {
-              return artifact.name == "pr"
-            })[0];
-
-            // Download the actual artifact
-            const download = await github.actions.downloadArtifact({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               artifact_id: matchArtifact.id,
-               archive_format: 'zip',
-            });
-
-            // Write it to disk
-            fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
-      - name: Unzip artifact
-        run: unzip pr.zip
-      - name: Merge PR
-        uses: actions/github-script@v5
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/[email protected]
         with:
-          script: |
-            const fs = require('fs');
-            const pullNumber = Number(fs.readFileSync('./NR'));
-
-            // Create a review
-            github.pulls.createReview({
-              owner: context.payload.repository.owner.login,
-              repo: context.payload.repository.name,
-              pull_number: pullNumber,
-              event: 'APPROVE'
-            })
-
-            // Merge PR
-            github.pulls.merge({
-              owner: context.payload.repository.owner.login,
-              repo: context.payload.repository.name,
-              pull_number: pullNumber,
-              merge_method: 'squash'
-            })
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Enable auto-merge for Dependabot PRs
+        if: ${{steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'}}
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}