From b651372e8a62e3c9dcab3a6674671e6d6c764bf7 Mon Sep 17 00:00:00 2001
From: goosewobbler <432005+goosewobbler@users.noreply.github.com>
Date: Wed, 7 Aug 2024 02:01:02 +0100
Subject: [PATCH] chore: only auto-merge security updates
---
 .github/workflows/update.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index dcc4ccbe..af3ff4c6 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -35,10 +35,9 @@ jobs:
 running-workflow-name: dependencies # wait for all checks except this one
 allowed-conclusions: success # all other checks must pass, being skipped or cancelled is not sufficient
- - name: Auto-merge dependabot PRs
- # Don't merge updates to GitHub Actions versions automatically.
- # (Some repos may wish to limit by version range (major/minor/patch), or scope (dep vs dev-dep), too.)
- if: contains(steps.metadata.outputs.package-ecosystem, 'npm')
+ - name: Auto-merge Dependabot Security PRs
+ # Merge NPM security updates from Dependabot (ungrouped), but not version updates (grouped).
+ if: contains(steps.metadata.outputs.package-ecosystem, 'npm') && !contains(github.event.pull_request.title, 'chore(deps-dev)') && !contains(github.event.pull_request.title, 'chore(deps)')
 env:
 PR_URL: ${{ github.event.pull_request.html_url }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
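Review bot: The new `if:` on the auto-merge step recognises a security update only by what the PR title does not contain, so it fails open: any npm PR whose title lacks `chore(deps)` or `chore(deps-dev)` is merged automatically, for example after a change to the commit-message prefix in the Dependabot config or an edited title. A positive signal from the metadata step would be more robust, assuming that step is dependabot/fetch-metadata (it is not shown in this hunk): `steps.metadata.outputs.dependency-group == ''` expresses "ungrouped" directly, and with `alert-lookup: true` the condition can require `steps.metadata.outputs.ghsa-id != ''`, which needs a token allowed to read Dependabot alerts. The step's `run:` and the job-level conditions are outside the hunk, so it is worth confirming the job is limited to Dependabot-authored PRs, since a PR title can be changed by its author. If the title check stays, the comment above it should say so explicitly, e.g. `# Relies on the commit-message prefixes configured for version updates in dependabot.yml; keep the two in sync.`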