Bump next from 16.1.5 to 16.2.3 in the npm_and_yarn group across 1 directory #3
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Dependabot auto-merge | |
| # Auto-enables merge on Dependabot PRs for patch + minor bumps. | |
| # Major bumps stay open for manual review. | |
| # | |
| # Required setup (one-time, in repo settings): | |
| # 1. Settings → General → Pull Requests → "Allow auto-merge" ✓ | |
| # 2. (optional but recommended) Branch protection on main with the | |
| # CI status check marked Required. Otherwise merge fires immediately | |
| # without waiting for CI. | |
| # | |
| # Uses pull_request_target rather than pull_request because Dependabot | |
| # PRs are treated as fork PRs by default, so pull_request runs with a | |
| # read-only GITHUB_TOKEN that can't enable auto-merge. pull_request_target | |
| # is safe here because we never check out or run PR-side code — we only | |
| # read metadata from the GitHub API. | |
| on: | |
| pull_request_target: | |
| types: [opened, reopened, synchronize] | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| jobs: | |
| auto-merge: | |
| name: Enable auto-merge for patch + minor bumps | |
| runs-on: ubuntu-latest | |
| if: github.actor == 'dependabot[bot]' | |
| steps: | |
| - name: Get Dependabot metadata | |
| id: metadata | |
| uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Enable auto-merge (patch + minor) | |
| if: | | |
| steps.metadata.outputs.update-type == 'version-update:semver-patch' || | |
| steps.metadata.outputs.update-type == 'version-update:semver-minor' | |
| run: gh pr merge --auto --squash "$PR_URL" | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Comment on major bumps | |
| if: steps.metadata.outputs.update-type == 'version-update:semver-major' | |
| run: | | |
| gh pr comment "$PR_URL" --body "🛑 Major version bump — auto-merge skipped, please review manually. | |
| - Package: \`${{ steps.metadata.outputs.dependency-names }}\` | |
| - From: \`${{ steps.metadata.outputs.previous-version }}\` | |
| - To: \`${{ steps.metadata.outputs.new-version }}\`" | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |