github-auto-merge [2.1.0]

A github custom action to fetch a Github token from vault, approve the PR and enable auto merge for the PR so that once it passes all the PR checks it will be merged.

Requirements

• The repo has to have "Allow auto-merge" (in repo settings) checked in order to work
• In addition the main (or master) branch being merged to should have branch protection rules. For example, when a branch protection rule enforces "Require pull request reviews before merging" or "Require status checks to pass before merging".
• The repo has to ask for dependabot policy for github-action service in .contentful/vault-secrets.yaml file. This way Vault knows that it can grant the required token. More info to be added, example here

Usage

You will need to create or modify your .contentful/vault-secrets.yaml config to include the dependabot policy for the github-action service e.g:

version: 1
services:
  github-action:
    policies:
      - dependabot

To reference the action, create a workflow in your project in .github/workflows/ e.g.

.github/workflows/dependabot-approve-and-request-merge.yml:

name: "dependabot approve-and-request-merge"

on: pull_request_target

jobs:
  worker:
    permissions:
      contents: write
      id-token: write
      pull-requests: write
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: contentful/github-auto-merge@v2
        with:
          VAULT_URL: ${{ secrets.VAULT_URL }} # this is an organisation level secret, you do not need to add it to your repo

You can see an example in this repo example.yml

If you already have an existing dependabot-approve-and-request-merge.yml workflow, you can simply replace the contents with the updated configuration.

Publishing a new version of the action

Releases are automated via release-please. Merge a commit following Conventional Commits to main (e.g. feat:, fix:) and release-please will open a release PR. Merging that PR creates the GitHub release and tag automatically.