Chore: [AEA-0000] - add workflow to approve dependabot (#1)

anthony-nhs · web-flow · commit a4b46cbe5a5d · 2026-04-14T10:38:09.000+01:00
## Summary

- Routine Change

### Details

- add workflow to approve dependabot
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -1,5 +1,5 @@
 {
-  "name": "eps-account-resources",
+  "name": "eps-dependabot-approve",
   "build": {
     "dockerfile": "Dockerfile",
     "context": "..",
@@ -39,7 +39,7 @@
         "vitest.explorer"
       ],
       "settings": {
-        "python.defaultInterpreterPath": "/workspaces/electronic-prescription-service-account-resources/.venv/bin/python",
+        "python.defaultInterpreterPath": "${containerWorkspaceFolder}/.venv/bin/python",
         "python.analysis.autoSearchPaths": true,
         "python.analysis.extraPaths": [],
         "python.testing.unittestEnabled": false,
diff --git a/.gitallowed b/.gitallowed
@@ -2,10 +2,12 @@ token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
 github-token: ?"?\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}"?
 token: ?"?\$\{\{\s*secrets\.DEPENDABOT_TOKEN\s*\}\}"?
 id-token: write
+id-token: "write"
 --token=\$\{\{\s*steps\.generate-token\.outputs\.token\s*\}\}
 --token=\$GITHUB-TOKEN
 --token="\$GITHUB-TOKEN"
 "accountId": "123456789012"
 accountId: "123456789012"
 "AWSAccountId": "123456789012"
 poetry.lock
+\.gitallowed
diff --git a/.github/config/settings.yml b/.github/config/settings.yml
@@ -0,0 +1 @@
+TAG_FORMAT: "v${version}"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,40 @@
+name: ci
+
+on:
+  push:
+    branches: [main]
+permissions: {}
+jobs:
+  get_config_values:
+    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      attestations: "read"
+      contents: "read"
+      packages: "read"
+    with:
+      verify_published_from_main_image: true
+
+  quality_checks:
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    needs: [get_config_values]
+    permissions:
+      contents: "read"
+      packages: "read"
+      id-token: "write"
+    with:
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  tag_release:
+    needs: [get_config_values]
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      id-token: "write"
+      contents: "write"
+      packages: "write"
+    with:
+      dry_run: true
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
+      branch_name: main
+      tag_format: ${{ needs.get_config_values.outputs.tag_format }}
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -0,0 +1,54 @@
+name: pull_request
+
+on:
+  pull_request:
+    branches: [main]
+permissions: {}
+jobs:
+  get_config_values:
+    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      attestations: "read"
+      contents: "read"
+      packages: "read"
+    with:
+      verify_published_from_main_image: false
+
+  dependabot-auto-approve-and-merge:
+    uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      contents: "write"
+      pull-requests: "write"
+    secrets:
+      AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
+      AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
+
+  quality_checks:
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    needs: [get_config_values]
+    permissions:
+      contents: "read"
+      packages: "read"
+      id-token: "write"
+    with:
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  pr_title_format_check:
+    uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      pull-requests: "write"
+
+  tag_release:
+    needs: [get_config_values]
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      id-token: "write"
+      contents: "write"
+      packages: "write"
+    with:
+      dry_run: true
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
+      branch_name: ${{ github.event.pull_request.head.ref }}
+      tag_format: ${{ needs.get_config_values.outputs.tag_format }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,41 @@
+name: release
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 8 * * 3"
+permissions: {}
+jobs:
+  get_config_values:
+    uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      attestations: "read"
+      contents: "read"
+      packages: "read"
+    with:
+      verify_published_from_main_image: true
+
+  quality_checks:
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    needs: [get_config_values]
+    permissions:
+      contents: "read"
+      packages: "read"
+      id-token: "write"
+    with:
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
+    secrets:
+      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  tag_release:
+    needs: [get_config_values, quality_checks]
+    uses: NHSDigital/eps-common-workflows/.github/workflows/tag-release-devcontainer.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929
+    permissions:
+      id-token: "write"
+      contents: "write"
+      packages: "write"
+    with:
+      dry_run: false
+      pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
+      branch_name: main
+      tag_format: ${{ needs.get_config_values.outputs.tag_format }}
diff --git a/Makefile b/Makefile
@@ -15,7 +15,6 @@ install-hooks: install-python
 
 install: install-python install-hooks
 	echo "Not implemented yet"
-	exit 1
 
 install-node:
 	echo "Not implemented yet"
@@ -27,11 +26,9 @@ compile:
 
 lint:
 	echo "Not implemented yet"
-	exit 1
 
 test:
 	echo "Not implemented yet"
-	exit 1
 
 # include common targets
 %:
diff --git a/README.md b/README.md
@@ -1,6 +1,56 @@
-# Electronic Prescriptions Service template repo
+# Electronic Prescriptions Service dependabot approve
+
+Composite GitHub Action to automatically approve and enable auto-merge for trusted dependency update pull requests.
+This will be called from each repo on a scheduled basis
+
+## What this action does
+
+This action:
+
+1. Lists open pull requests in the current repository.
+2. Filters pull requests to only include those where:
+   - the head commit signature is verified, and
+   - the commit author is either `dependabot[bot]` or `eps-create-pull-request[bot]`.
+3. Approves each eligible pull request.
+4. Enables auto-merge using squash merge for each eligible pull request.
+
+## Inputs
+
+| Name | Required | Description |
+| --- | --- | --- |
+| `AUTOMERGE_APP_ID` | Yes | GitHub App ID used to authenticate and approve pull requests. |
+| `AUTOMERGE_PEM` | Yes | Private key for the GitHub App in PEM format. |
+
+## Usage
+
+```yaml
+name: Auto-approve dependency updates
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '*/30 * * * *'
+
+jobs:
+  auto-approve-dependabot:
+    runs-on: ubuntu-22.04
+    environment: create_pull_request
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Auto approve and enable auto-merge
+        uses: NHSDigital/eps-dependabot-approve@db39aa18bf6b1ce317219661299a91c572689bb7
+        with:
+          AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }}
+          AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }}
+```
+
+## Notes
+
+- Pull requests that do not meet the verification and bot-author checks are skipped.
+- If no pull requests are eligible, the action completes without approving or merging anything.
 
-# THIS SHOULD BE UPDATED WHEN IT IS USED AS A TEMPLATE FOR A NEW REPO
 
 ## Contributing
 
diff --git a/action.yml b/action.yml
@@ -0,0 +1,64 @@
+name: Auto approve dependabot pull request
+description: "Automatically approves dependabot pull requests."
+inputs:
+  AUTOMERGE_APP_ID:
+    description: "GitHub App ID for approving pull requests"
+    required: true
+  AUTOMERGE_PEM:
+    description: "Private key for the GitHub App in PEM format"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Create GitHub App Token
+      uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859
+      id: generate-token
+      with:
+        app-id: "${{ inputs.AUTOMERGE_APP_ID }}"
+        private-key: "${{ inputs.AUTOMERGE_PEM }}"
+
+    - name: Find eligible pull requests
+      id: find-prs
+      shell: bash
+      env:
+        REPO: ${{ github.repository }}
+        GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+      run: |
+        set -euo pipefail
+
+        mapfile -t pr_numbers < <(gh pr list --repo "$REPO" --state open --json number --jq '.[].number')
+
+        eligible_pr_urls=()
+
+        for pr_number in "${pr_numbers[@]}"; do
+          read -r pr_url head_sha < <(gh pr view "$pr_number" --repo "$REPO" --json url,headRefOid --jq '[.url, .headRefOid] | @tsv')
+          read -r author_login is_verified is_cross_repository < <(gh api "/repos/$REPO/commits/$head_sha" --jq '[.author.login // "", (.commit.verification.verified // false), (.commit.verification.reason // "")] | @tsv')
+
+          if [[ "$is_cross_repository" == "false" ]] && [[ "$is_verified" == "true" ]] && [[ "$author_login" == "dependabot[bot]" || "$author_login" == "eps-create-pull-request[bot]" ]]; then
+            eligible_pr_urls+=("$pr_url")
+          fi
+        done
+
+        echo "Found ${#eligible_pr_urls[@]} eligible pull request(s) for approval and merging."
+        printf '%s\n' "${eligible_pr_urls[@]}"
+
+        {
+          echo "pr_urls<<EOF"
+          printf '%s\n' "${eligible_pr_urls[@]}"
+          echo "EOF"
+        } >> "$GITHUB_OUTPUT"
+
+    - name: Approve and merge updates
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        while IFS= read -r PR_URL; do
+          [[ -z "$PR_URL" ]] && continue
+
+          gh pr review "$PR_URL" --approve -b "I'm **approving** this pull request"
+          gh pr merge --auto --squash "$PR_URL"
+        done <<< "${PR_URLS}"
+      env:
+        GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+        PR_URLS: ${{ steps.find-prs.outputs.pr_urls }}
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,17 +1,17 @@
 [project]
 python = "^3.14"
-name = "CHANGE_ME"
+name = "eps-dependabot-approve"
 
 [tool.poetry]
-name = "CHANGE_ME"
-description = "CHANGE_ME"
+name = "eps-dependabot-approve"
+description = "eps-dependabot-approve"
 version = "0.0.1-alpha"
 authors = [
   "EPS Team <eps.tem@nhs.net>"
 ]
 readme = "README.md"
 license = "MIT"
-repository = "https://github.com/NHSDigital/CHANGE_ME"
+repository = "https://github.com/NHSDigital/eps-dependabot-approve"
 package-mode = false
 
 [tool.poetry.dependencies]
