🤖 Auto approve go dep PRs by dependabot

Signed-off-by: Christian Zunker <christian@mondoo.com>

.github/workflows/dependabot-auto-approve.yaml

@@ -0,0 +1,33 @@
+# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#approve-a-pull-request
+name: Dependabot auto-approve
+on: pull_request
+
+permissions:
+ pull-requests: write
+
+jobs:
+ dependabot:
+ runs-on: ubuntu-latest
+ if: github.actor == 'dependabot[bot]'
+ steps:
+ - name: Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v2
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+ # Different tests get triggered in different ways for PRs
+ # To prevent a merge before all tests had the chance to run, we wait a bit.
+ # This should prevent merges where, e.g., only the CLA or lint test was sucessful
+ # and the other tests didn't even start
+ # When this does not work, we might also use workflow_run/workflow_call after the tests
+ - name: Wait 10 min for all checks to start
+ run: sleep 600
+ - name: Approve a PR
+ # For now, we only auto approve and merge go PRs because we have tests for this in place.
+ if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'go' }}
+ # Settings the comment will auto merge the PR after tests passed
+ # https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#managing-dependabot-pull-requests-with-comment-commands
+ run: gh pr review --comment "@dependabot squash and merge" --approve "$PR_URL"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GH_TOKEN: ${{secrets.GITHUB_TOKEN}}