chore: auto approve dependabot (#16777)

On occasion, dependabot will create PR's that fix security vulnerabilities. This is regardless of whether we have a dependabot configuration in the repo. > See "Dependabot security updates" in https://github.com/aws/aws-cdk/settings/security_analysis Right now, these PR's are not getting auto-approved because they don't container the `auto-approve` label. Unfortunately these PR are not configurable and we cannot add this label. As discussed in the team, we decided to forgo the label requirement for these PR and allow dependabot to be merged given all checks pass. This PR changes the auto approve conditions to allow either one of: - PR comes from `dependabot[bot]` user. - PR comes from the `dependabot-preview[bot]` user. - PR comes from the `aws-cdk-automation` user **AND** PR has the `auto-approve` label. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Oct 13, 2021 · 7c73880 · 7c73880
1 parent 76c305d
commit 7c73880
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml
@@ -8,10 +8,10 @@ on:
 jobs:
   auto-approve:
     if: >
-       contains(github.event.pull_request.labels.*.name, 'pr/auto-approve') &&
-       (github.event.pull_request.user.login == 'aws-cdk-automation'
-        || github.event.pull_request.user.login == 'dependabot[bot]'
-        || github.event.pull_request.user.login == 'dependabot-preview[bot]')
+       github.event.pull_request.user.login == 'dependabot[bot]'
+        || github.event.pull_request.user.login == 'dependabot-preview[bot]'
+        || (contains(github.event.pull_request.labels.*.name, 'pr/auto-approve')
+            && github.event.pull_request.user.login == 'aws-cdk-automation')
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write