I have created a workflow for GitHub Actions as described here: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions
```yaml
name: Dependabot auto-approve
on: pull_request_target
permissions:
  contents: write
  pull-requests: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Approve a PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
      - name: Enable auto-merge for Dependabot PRs
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          # The documentation incorrectly forgets `GITHUB_TOKEN` here.
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
```
The above automation works, but I have a branch protection rule that requires review from the Code Owners.
Is there a way to include github-actions in the CODEOWNERS file in order to make its approval count?
As of right now, a GitHub app cannot be added to CODEOWNERS as quoted here.
Thank you for being here! Currently, GitHub Apps can’t be used in CODEOWNERS – that’s not supported. It’s something the team is considering for the future, and I’ll be sure to add your use case to the internal feature request.
However, what you can do is use a GitHub personal access token generated by yourself as explained in the documentation here, then add it as a secret and use it in your workflow. See the GitHub Documentation.
The last step of your action would then reference your self-defined secret. In the example below, I assume it's called MYTOKEN.
```yaml
- name: Enable auto-merge for Dependabot PRs
  run: gh pr merge --auto --merge "$PR_URL"
  env:
    PR_URL: ${{github.event.pull_request.html_url}}
    # The documentation incorrectly forgets `GITHUB_TOKEN` here.
    GITHUB_TOKEN: ${{secrets.MYTOKEN}}
```
With this approach, a merge would be done as your user, who is - I assume - part of the CODEOWNERS.
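The workflow from the question combined with the token approach from the answer, as an added example that is not part of the original posts. It goes beyond the answer by also passing the token to the approve step, on the assumption that the code-owner rule evaluates who submitted the approving review, and by limiting automation to patch and minor updates. `MYTOKEN` is the secret name assumed in the answer, and the `dependabot/fetch-metadata@v2` step and the update-type filter are additions.

```yaml
name: Dependabot auto-approve
on: pull_request_target

# The default GITHUB_TOKEN only reads PR metadata here;
# approval and merge run with the personal access token.
permissions:
  contents: read
  pull-requests: read

jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Match on the PR author, not on whoever triggered this run.
    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
    steps:
      # No checkout step: the job never executes code from the PR branch,
      # so the token in MYTOKEN is not exposed to dependency code.
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Approve a PR
        # Major version bumps stay with a human reviewer.
        if: >-
          ${{ steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
              steps.metadata.outputs.update-type == 'version-update:semver-minor' }}
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          # MYTOKEN (assumed name): token of a user listed in CODEOWNERS,
          # scoped to this repository only.
          GITHUB_TOKEN: ${{ secrets.MYTOKEN }}

      - name: Enable auto-merge for Dependabot PRs
        if: >-
          ${{ steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
              steps.metadata.outputs.update-type == 'version-update:semver-minor' }}
        # --auto waits for the remaining branch protection checks to pass.
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.MYTOKEN }}
```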