feat: use external application for approving and merging

.eslintignore

@@ -0,0 +1 @@
+dist/

.eslintrc

@@ -0,0 +1,14 @@
+{
+  "extends": "eslint:recommended",
+  "env": {
+    "node": true,
+    "es6": true
+  },
+  "parserOptions": {
+    "sourceType": "script",
+    "ecmaVersion": 2020
+  },
+  "rules": {
+    "strict": ["error", "global"]
+  }
+}

.github/dependabot.yml

@@ -4,7 +4,10 @@ updates:
     directory: '/'
     schedule:
       interval: daily
-  - package-ecosystem: "github-actions"
-    directory: "/"
+    ignore:
+      - dependency-name: 'husky'
+        versions: ['5.x']
+  - package-ecosystem: 'github-actions'
+    directory: '/'
     schedule:
-      interval: "daily"
+      interval: 'daily'

.github/workflows/ci.yml

@@ -4,7 +4,7 @@ jobs:
   approve:
     runs-on: ubuntu-latest
     steps:
-      - uses: fastify/github-action-merge-dependabot@v1.2.1
+      - uses: fastify/github-action-merge-dependabot@main
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
           approve-only: true

.gitignore

@@ -1 +1,2 @@
 .vscode
+node_modules/

README.md

@@ -24,6 +24,10 @@ _Optional_ The merge method you would like to use (squash, merge, rebase). Defau
 
 _Optional_ An arbitrary message that you'd like to comment on the PR after it gets auto-merged. This is only useful when you're recieving too much of noise in email and would like to filter mails for PRs that got automatically merged.
 
+### `api-url`
+
+_Optional_ A custom url where the external API which is delegated the task of approving and merging responds.
+
 ## Example usage
 
 ### Basic example
@@ -35,46 +39,41 @@ on: [push, pull_request]
 jobs:
   build:
     runs-on: ubuntu-latest
-    steps: # ...
+    steps:
+      # ...
 
   automerge:
     needs: build
     runs-on: ubuntu-latest
     steps:
-      - uses: fastify/github-action-merge-dependabot@v1
-        if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request' }}
+      - uses: fastify/github-action-merge-dependabot@v2
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
 ```
 
-### With `exclude`
+### Excluding packages
 
 ```yml
 steps:
-  - uses: fastify/github-action-merge-dependabot@v1
-    if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request' }}
+  - uses: fastify/github-action-merge-dependabot@v2
     with:
-      github-token: ${{secrets.github_token}}
+      github-token: ${{ secrets.GITHUB_TOKEN }}
       exclude: ['react']
 ```
 
+### Approving without merging
+
+```yml
+steps:
+  - uses: fastify/github-action-merge-dependabot@v2
+    with:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
+      approve-only: true
+```
+
 ## Notes
 
 - A GitHub token is automatically provided by Github Actions, which can be accessed using `secrets.GITHUB_TOKEN` and supplied to the action as an input `github-token`.
 - Only the [GitHub native Dependabot integration](https://docs.github.com/en/github/administering-a-repository/keeping-your-dependencies-updated-automatically) is supported, the old [Dependabot Preview app](https://github.com/marketplace/dependabot-preview) isn't.
-- This action must be used in the context of a Pull Request. If the workflow can be triggered by other events (e.g. push), make sure to include `github.event_name == 'pull_request'` in the action conditions, as shown in the example.
 - Make sure to use `needs: <jobs>` to delay the auto-merging until CI checks (test/build) are passed.
 - If you want to use GitHub's [auto-merge](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/automatically-merging-a-pull-request) feature but still use this action to approve Pull Requests without merging, use `approve-only: true`.
-
-## Limitations
-
-One known limitation of using a GitHub action with the built-in GitHub Token to automatically merge Pull Requests is that the result of the merge will not trigger a workflow run.
-
-What this means in practice is that after this action merges a Pull Request, no workflows are run on the commit made to the target branch.
-
-This is a known behavior described in the [documentation](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token) which prevents triggering of recursive workflow runs.
-
-Alternative options are:
-
-- use a personal access token, as described in the documentation
-- use this action only for approving and using GitHub's auto-merge to merge Pull Requests

action.yml

@@ -1,24 +1,28 @@
-name: "Github Action Merge Dependabot"
-description: "Automatically approve and merge dependabot PRs"
+name: 'Github Action Merge Dependabot'
+description: 'Automatically approve and merge dependabot PRs'
 inputs:
   github-token:
-    description: "A GitHub token"
+    description: 'A GitHub token'
     required: true
   exclude:
-    description: "Packages that you want to manually review before upgrading"
+    description: 'Packages that you want to manually review before upgrading'
     required: false
   approve-only:
-    description: "If true, the PR is only approved but not merged"
+    description: 'If true, the PR is only approved but not merged'
     required: false
     default: false
   merge-method:
-    description: "The merge method you would like to use (squash, merge, rebase)"
+    description: 'The merge method you would like to use (squash, merge, rebase)'
     required: false
-    default: "squash"
+    default: 'squash'
   merge-comment:
     description: "An arbitrary message that you'd like to comment on the PR after it gets auto-merged"
     required: false
-    default: ""
+    default: ''
+  api-url:
+    description: 'Url of the API where the application is running'
+    required: false
+    default: 'https://dependabot-merge-action-app.herokuapp.com/'
 runs:
-  using: "node12"
-  main: "src/index.js"
+  using: 'node12'
+  main: 'dist/index.js'