on: "pull_request_target"

permissions:
  pull-requests: "write"
  contents: "write"

jobs:
  dependabot:
    runs-on: "ubuntu-latest"
    # Checking the actor will prevent your Action run failing on non-Dependabot
    # PRs but also ensures that it only does work for Dependabot PRs.
    if: "${{ github.actor == 'dependabot[bot]' }}"
    steps:
      # This first step will fail if there's no metadata and so the approval
      # will not occur.
      - name: "Dependabot metadata"
        id: "dependabot-metadata"
        uses: "dependabot/fetch-metadata@v2"
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      # Here the PR gets approved.
      - uses: "actions/checkout@v4"
      - name: "Approve a PR"
        run: "gh pr review --approve $PR_URL"
        env:
          PR_URL: "${{ github.event.pull_request.html_url }}"
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
      # Finally, this sets the PR to allow auto-merging for patch and minor
      # updates if all checks pass
      - name: "Enable auto-merge for Dependabot PRs"
        #if: "${{ steps.dependabot-metadata.outputs.update-type != 'version-update:semver-major' }}"
        run: "gh pr merge --auto --squash $PR_URL"
        env:
          PR_URL: "${{ github.event.pull_request.html_url }}"
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"