.github/workflows/reviewer.yml

name: 'Automatically review Dependabot updates'
on:
  pull_request_target:
    types: [ 'opened' ]
env:
  PR_URL: ${{ github.event.pull_request.html_url }}
  GITHUB_TOKEN: ${{ secrets.API_TOKEN }}

jobs:
  review:
    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: write
    steps:
      - id: dependabot-metadata
        name: Fetch Dependabot metadata
        uses: dependabot/fetch-metadata@v2
      - name: Enable auto-merge for Dependabot PRs
        run: gh pr merge --auto --merge "$PR_URL"
      - name: Approve patch and minor version updates
        if: ${{ steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch' || steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor' }}
        run: gh pr review $PR_URL --approve -b "I'm **approving** this pull request because **it includes a patch or minor update**"
      - name: Assign reviewers for major version updates
        if: ${{ steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major' }}
        run: |
          gh pr comment $PR_URL --body "I'm **not approving** this PR because **it includes a major update of a dependency**"
          gh pr edit $PR_URL --add-reviewer dabico