name: Dependabot auto-approve
on:
  pull_request_target:
  workflow_dispatch:

permissions:
  pull-requests: write
  id-token: write
  contents: read
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'aws-actions/configure-aws-credentials' }}
    steps:
      - name: Get Metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v2
      - uses: actions/checkout@v5
        name: Clone repo
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v6
        with:
          aws-region: us-west-2
          role-to-assume: ${{ secrets.CONFIGUREAWSCREDENTIALSPACKAGEROLEARN }}
          role-duration-seconds: 900
      - name: Get bot user token
        uses: aws-actions/aws-secretsmanager-get-secrets@v2
        with:
          parse-json-secrets: true
          secret-ids: |
            ${{ secrets.OSDS_PACKAGING_ROLE }}
      - name: Approve PR if not already approved
        run: |
          gh pr checkout "$PR_URL"
          if [ "$(gh pr status --json reviewDecision - q .currentBranch.reviewDecision)" != "APPROVED" ]; then
            gh pr review "$PR_URL" --approve
          else echo "PR already approved"
          fi
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ env.OSDS_ACCESS_TOKEN }}