ci(dependabot): 配置依赖自动更新和自动合并

2026-04-02 12:52:23 +08:00
parent f270bbd685
commit f2e6876bf4
2 changed files with 98 additions and 0 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,58 @@
 version: 2
 updates:
  - package-ecosystem: npm
    directory: /
    target-branch: main
    schedule:
      interval: weekly
      day: monday
      time: '09:00'
      timezone: Asia/Shanghai
    open-pull-requests-limit: 10
    labels:
      - dependencies
      - npm
    commit-message:
      prefix: chore
      include: scope
    groups:
      security-updates:
        applies-to: security-updates
        patterns:
          - '*'
      npm-minor-patch:
        applies-to: version-updates
        patterns:
          - '*'
        update-types:
          - minor
          - patch
  - package-ecosystem: github-actions
    directory: /
    target-branch: main
    schedule:
      interval: weekly
      day: monday
      time: '09:15'
      timezone: Asia/Shanghai
    open-pull-requests-limit: 10
    labels:
      - dependencies
      - github-actions
    commit-message:
      prefix: ci
      include: scope
    groups:
      security-updates:
        applies-to: security-updates
        patterns:
          - '*'
      github-actions-minor-patch:
        applies-to: version-updates
        patterns:
          - '*'
        update-types:
          - minor
          - patch
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,40 @@
 name: Dependabot Auto Merge
 on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
 permissions:
  contents: write
  pull-requests: write
 concurrency:
  group: dependabot-auto-merge-${{ github.event.pull_request.number }}
  cancel-in-progress: true
 jobs:
  auto_merge:
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Enable auto-merge for patch and minor updates
        if: |
          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
          steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Keep major updates for manual review
        if: steps.metadata.outputs.update-type == 'version-update:semver-major'
        run: echo "Major version update detected. Auto-merge is intentionally disabled."