[TASK] Auto-merge dependabot PRs

.github/dependabot.yml

@@ -8,3 +8,27 @@ updates:
     commit-message:
       prefix: "[DEP]"
       prefix-development: "[DEP-DEV]"
+
+  - package-ecosystem: "composer"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    registries:
+      - composer
+    commit-message:
+      prefix: "[DEP]"
+      prefix-development: "[DEP-DEV]"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    commit-message:
+      prefix: "[DEP]"
+
+registries:
+  composer:
+    type: composer-repository
+    url: https://repo.packagist.com/typo3gmbh/
+    username: token
+    password: ${{secrets.PACKAGIST_AUTH_TOKEN}}

.github/workflows/ci.yml

@@ -7,6 +7,20 @@ on:
       - develop
   pull_request:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  actions: read
+  checks: write
+  contents: read
+  id-token: write
+  packages: read
+  pull-requests: write
+  repository-projects: read
+  statuses: write
+
 jobs:
   build-php:
     name: Build ${{ matrix.php }} / ${{ matrix.symfony }}
@@ -26,31 +40,32 @@ jobs:
           - symfony: '^5.4'
             deprecations: ''
     steps:
-
       - name: Checkout
         uses: actions/checkout@v3
 
+      - uses: ouzi-dev/commit-status-updater@v2
+
       - name: Setup PHP
         uses: shivammathur/setup-php@v2
         with:
           php-version: ${{ matrix.php }}
           extensions: mbstring, xml, ctype, iconv
           coverage: none
 
-      - name: Get Composer Cache Directory
+      - name: Setup Composer cache
         id: composer-cache
         run: |
           echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
-      - name: Cache composer dependencies
+      - name: Recover Composer caches
         uses: actions/cache@v3
         with:
           path: ${{ steps.composer-cache.outputs.dir }}
-          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock', '**/composer.json') }}
           restore-keys: |
             ${{ runner.os }}-composer-
 
-      - name: Install
+      - name: Install dependencies (Composer)
         run: |
           sed -ri 's/"symfony\/dependency-injection": "(.+)"/"symfony\/dependency-injection": "'${{ matrix.symfony }}'"/' composer.json;
           sed -ri 's/"symfony\/form": "(.+)"/"symfony\/form": "'${{ matrix.symfony }}'"/' composer.json;
@@ -78,25 +93,38 @@ jobs:
           git status
           git status | grep -q "nothing to commit, working tree clean"
 
+      - uses: ouzi-dev/commit-status-updater@v2
+        if: always()
+        with:
+          status: "${{ job.status }}"
+
   build-frontend:
     name: Build Frontend
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v3
 
-      - name: NPM Cache
+      - uses: ouzi-dev/commit-status-updater@v2
+
+      - name: Setup npm cache
+        id: npm-cache-dir
+        shell: bash
+        run: |
+          echo "dir=$(npm config get cache)" >> ${GITHUB_OUTPUT}
+
+      - name: Recover npm caches
         uses: actions/cache@v3
         with:
-          path: ~/.npm
+          path: ${{ steps.npm-cache-dir.outputs.dir }}
           key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
           restore-keys: |
             ${{ runner.os }}-node-
 
-      - name: NPM Install
+      - name: Install dependencies (npm)
         run: npm ci
 
-      - name: NPM Build
+      - name: Build frontend artifacts
         run: npm run build
 
       - name: Stylelint
@@ -106,3 +134,8 @@ jobs:
         run: |
           git status
           git status | grep -q "nothing to commit, working tree clean"
+
+      - uses: ouzi-dev/commit-status-updater@v2
+        if: always()
+        with:
+          status: "${{ job.status }}"

.github/workflows/dependabot-auto-merge.yaml

@@ -0,0 +1,44 @@
+name: Dependabot auto-merge
+on: pull_request
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' }}
+    steps:
+      - name: Dependabot metadata
+        id: dependabot-metadata
+        uses: dependabot/fetch-metadata@v1.3.1
+
+      - name: Enable auto-merge for Dependabot PRs
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+      - name: Approve patch and minor updates
+        if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch' || steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor'}}
+        run: gh pr review $PR_URL --approve -b "I'm **approving** this pull request because **it includes a patch or minor update**"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+      - name: Approve major updates of development dependencies
+        if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major' && steps.dependabot-metadata.outputs.dependency-type == 'direct:development'}}
+        run: gh pr review $PR_URL --approve -b "I'm **approving** this pull request because **it includes a major update of a dependency used only in development**"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+      - name: Comment on major updates of non-development dependencies
+        if: ${{steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major' && steps.dependabot-metadata.outputs.dependency-type == 'direct:production'}}
+        run: |
+          gh pr comment $PR_URL --body "I'm **not approving** this PR because **it includes a major update of a dependency used in production**"
+          gh pr edit $PR_URL --add-label "requires-manual-qa"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}