ci(dependabot): enable auto merge

[Crow-EH]

This is a work in progress.

Based on GA doc's example.

The pull_request_target event is like pull_request except it allows write permissions.

gh pr merge --auto --merge "$PR_URL" will enable auto-merging of the PR that triggered the event. The merge will occur only after all the required conditions are fulfilled (in our case the build checker workflow). Doc : https://cli.github.com/manual/gh_pr_merge

The metadata step allows to filter by update types in the second step, I configured it to auto-merge minor and patch only. There's seemingly no way to filter on package-ecosystem (like docker) atm, so we'll have to set auto-merge on every dependabot's PR or find an alternative if we want to filter.

Will require allowing auto-merge in repository settings.

TODO

• Tweak the auto-merge behaviour (merged by github-actions[bot]) to trigger the master workflow, if possible and deemed necessary. WDYT @axelpavageau, would the PR workflow + scheduled workflow be enough ? It would publish on nightly only if I remember right, until next human merge or tag.
• Try if it still works with only pull-requests: write permission
• Try if action permission scope affects the triggering of master workflow after auto-merge by the bot

Tests

On my fork with auto-merge and dependabot enabled :

• The auto-merge has been set but the PR is not merged automatically because the required check are not passing : chore(deps): bump php from 7.3.27-cli-alpine to 7.3.30-cli-alpine in /php/7.3 Crow-EH/docker-buildbox#3 ✅
• The auto-merge has been set and the PR is merged automatically after the required check passes : chore(deps): bump python from 3.6.14-slim-buster to 3.6.15-slim-buster in /python/3.6 Crow-EH/docker-buildbox#5 ✅ But the merge on master did not trigger a workflow. ⚠️
• A PR with auto-merge set by me also merged after check : minor change to test auto-merge set by human Crow-EH/docker-buildbox#6 ✅ AND the merge did trigger a workflow ✅ It seems that the issue in the second test is that github-actions[bot] was the one setting auto-merge

[Crow-EH]

Seeing how dependabots sometimes fails to respect the ignored update types (#542 even though ansible/pip should ignore major and minor), I don't even know if auto-merge would be a good idea.

Maybe keeping everything as is + removing the rebase requirement would do the trick @axelpavageau ?

Most of the time rebasing is not needed for dependabot's PR since all the PRs are on different images, and we can still request it verbally to contributors if needed (+ conflicts won't allow merging anyway).

It would allow faster chain merging of dependabot's PRs, reducing the effort while still allowing human control.

[Crow-EH]

As discussed with @axelpavageau, it's not really an issue nowadays : Only building the images that changed was already enough to improve maintainers' quality of life.

closing