From 67fc10d1d543636711f04fb845e7b7ba707962b9 Mon Sep 17 00:00:00 2001
From: Falk Puschner <falk.puschner@staffbase.com>
Date: Tue, 7 Nov 2023 19:24:20 +0100
Subject: [PATCH] :art: Using github app for auto merge

---
 .../template_automerge_dependabot.yml         | 20 +++++++++++++++--
 README.md                                     | 22 ++++++++++++++++++-
 2 files changed, 39 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/template_automerge_dependabot.yml b/.github/workflows/template_automerge_dependabot.yml
index 09a3021..2d17e95 100644
--- a/.github/workflows/template_automerge_dependabot.yml
+++ b/.github/workflows/template_automerge_dependabot.yml
@@ -3,6 +3,11 @@ name: Dependabot Auto-Merge
 
 on:
   workflow_call:
+    secrets:
+      app_id:
+        required: false
+      private_key:
+        required: false
 
 jobs:
   dependabot:
@@ -11,12 +16,23 @@ jobs:
     runs-on: ubuntu-22.04
     if: github.actor == 'dependabot[bot]'
 
+    env:
+      USING_APP_CREDENTIALS: ${{ secrets.app_id != '' && secrets.private_key != '' }}
+
     steps:
+      - name: Get App Token
+        if: ${{ env.USING_APP_CREDENTIALS == 'true' }}
+        uses: tibdex/github-app-token@v2.1.0
+        id: get_token
+        with:
+          app_id: ${{ secrets.app_id }}
+          private_key: ${{ secrets.private_key }}
+
       - name: Load dependabot metadata
         id: metadata
         uses: dependabot/fetch-metadata@v1
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ env.USING_APP_CREDENTIALS == 'true' && steps.get_token.outputs.token || secrets.GITHUB_TOKEN }}
 
       - name: Enable auto-merge for Dependabot PRs
         if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
@@ -25,4 +41,4 @@ jobs:
           gh pr merge --auto --merge "$PR_URL"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ env.USING_APP_CREDENTIALS == 'true' && steps.get_token.outputs.token || secrets.GITHUB_TOKEN }}
diff --git a/README.md b/README.md
index cb76716..8da937b 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,9 @@ In this section you can find examples of how to use template workflows. For more
 <details>
 <summary>The action can be used to auto-merge a dependabot PR with minor and patch updates.</summary>
 
-The action is called by creating a PR. Dependabot must have ownership of the corresponding dependency files in order to be able to merge the PRs.
+The action is called by creating a PR. It is necessary that the repository is enabled for auto-merge.
+There are two possibilities to enable the action. 
+First, you can use the general GitHub token but the actions does not run on the default branch.
 
 ```yml
 name: Enable Dependabot Auto-Merge
@@ -43,6 +45,24 @@ jobs:
   dependabot:
     uses: Staffbase/gha-workflows/.github/workflows/template_automerge_dependabot.yml@v3.1.0
 ```
+
+Or you can use a specific GitHub app id and private key to generate a new token which can be used for the action.
+
+```yml
+name: Enable Dependabot Auto-Merge
+
+on: pull_request
+
+jobs:
+  dependabot:
+    uses: Staffbase/gha-workflows/.github/workflows/template_automerge_dependabot.yml@v3.1.0
+    secrets:
+      # optional: identifier of the GitHub App for authentication
+      app_id: ${{ <your-app-id> }}
+      # optional: private key of the GitHub App
+      private_key: ${{ <your-private-key> }}
+```
+
 </details>
 
 ### AutoDev