
Update Angular to v22, adopt OnPush, and modernize tooling #77


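name: "Approve Dependabot PR's"

on:
  workflow_dispatch:
  pull_request:

# Workflow-wide default is read-only; each job below widens only what it needs.
permissions:
  contents: read

jobs:
  # Reads Dependabot's metadata for the PR and exposes ecosystem / update-type
  # to the downstream jobs. Runs for every PR because it is a required check.
  dependabot-check:
    runs-on: ubuntu-latest
    if: always() # this job needs to run because we use it as a required workflow
    permissions:
      contents: read
      pull-requests: read
    outputs:
      ecosystem: ${{ steps.metadata.outputs.package-ecosystem }}
      update-type: ${{ steps.metadata.outputs.update-type }}
    steps:
      # NOTE(review): "audit" only records outbound calls, it does not block them.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit

      # Only read metadata for PRs actually authored by Dependabot. On
      # workflow_dispatch github.event.pull_request is absent, so this is skipped
      # and both job outputs stay empty.
      - name: Load Dependabot metadata
        if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
        id: metadata
        uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
        with:
          github-token: ${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }}

      # Values reach the script via env instead of being interpolated with
      # ${{ }} into the script text, so they are never parsed as shell syntax.
      - name: Show Dependabot metadata info
        if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
        env:
          ECOSYSTEM: ${{ steps.metadata.outputs.package-ecosystem }}
          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
        run: |
          echo "Found ecosystem: [${ECOSYSTEM}]"
          echo "Found update-type: [${UPDATE_TYPE}]"

      - name: Empty step so the job has something to do as it is used as a required workflow
        run: echo "Not happy about it, but the job has to run"

  # Approve / auto-merge path for PRs that touch workflow files (needs the
  # "actions: write" scope). NOTE(review): this job has no job-level "if", so
  # it runs for every PR alongside dependabot-other; the approve steps in both
  # jobs carry the same condition, so the PR is approved twice — confirm whether
  # that duplication is intended.
  dependabot-actions:
    runs-on: ubuntu-latest
    needs: dependabot-check
    permissions:
      contents: write
      pull-requests: write
      actions: write # the updates for this ecosystem will push to the .github/workflows folder
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit

      # Same env-passing pattern as in dependabot-check: no ${{ }} inside run.
      - name: Show needs values
        env:
          ECOSYSTEM: ${{ needs.dependabot-check.outputs.ecosystem }}
          UPDATE_TYPE: ${{ needs.dependabot-check.outputs.update-type }}
        run: |
          echo "Got ecosystem: [${ECOSYSTEM}]"
          echo "Got update-type: [${UPDATE_TYPE}]"

      # Only minor and patch bumps are approved automatically; major bumps are
      # left for a human reviewer.
      - name: Approve the PR
        if: >-
          (github.event.pull_request.user.login == 'dependabot[bot]' || needs.dependabot-check.outputs.ecosystem == 'github-actions')
          && (needs.dependabot-check.outputs.update-type == 'version-update:semver-minor' || needs.dependabot-check.outputs.update-type == 'version-update:semver-patch')
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GH_TOKEN }}

      # Auto-merge is gated on the same minor/patch condition as the approval,
      # matching dependabot-other, so a major bump is never queued for merge by
      # this workflow.
      - name: Enable auto-merge for Dependabot PRs
        if: >-
          (github.event.pull_request.user.login == 'dependabot[bot]' || needs.dependabot-check.outputs.ecosystem == 'github-actions')
          && (needs.dependabot-check.outputs.update-type == 'version-update:semver-minor' || needs.dependabot-check.outputs.update-type == 'version-update:semver-patch')
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }}

  # Approve / auto-merge path for every other ecosystem; needs only read access
  # to Actions. Kept on always() because it is a required check.
  dependabot-other:
    runs-on: ubuntu-latest
    needs: dependabot-check
    if: always() # this job needs to run because we use it as a required workflow
    permissions:
      contents: write
      pull-requests: write
      actions: read # the updates for this ecosystem will NOT push to the .github/workflows folder
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit

      # If dependabot-check failed, its outputs are empty and the update-type
      # clause below is false, so nothing is approved.
      - name: Approve the PR
        if: >-
          (github.event.pull_request.user.login == 'dependabot[bot]' || needs.dependabot-check.outputs.ecosystem == 'github-actions')
          && (needs.dependabot-check.outputs.update-type == 'version-update:semver-minor' || needs.dependabot-check.outputs.update-type == 'version-update:semver-patch')
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GH_TOKEN }}

      - name: Enable auto-merge for Dependabot PRs
        if: >-
          (github.event.pull_request.user.login == 'dependabot[bot]' || needs.dependabot-check.outputs.ecosystem == 'github-actions')
          && (needs.dependabot-check.outputs.update-type == 'version-update:semver-minor' || needs.dependabot-check.outputs.update-type == 'version-update:semver-patch')
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }}

  # Placeholder job so the required check has something to report for PRs not
  # authored by Dependabot. Inherits the read-only workflow permissions.
  not-dependabot:
    runs-on: ubuntu-latest
    if: always() # this job needs to run because we use it as a required workflow
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit

      - name: Empty step
        if: ${{ github.event.pull_request.user.login != 'dependabot[bot]' }}
        run: echo "Hello user! We needed a job to run in this required workflow, or it prohibits merging" | tee "$GITHUB_STEP_SUMMARY"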