accept-a-payment
Auto merge Dependabot PRs on CI success
By this PR the CI workflow runs on Dependabot PRs, too. I believe it's good if we can auto-merge those if CI succeeded because then we can ignore lots of PRs and only care about failed ones.
If this sounds good, I'd like to work on it. I think we can do that by doing a similar thing as automerge.yml when all the CI jobs succeed on a Dependabot PR.
:memo: When I work on it, I want to know if we should keep the automerge.yml. I'm not sure the reason why currently they are being auto-merged immediately.
Hey @hibariya, that sounds like a great idea!
At the moment, I'm working on improving our process to make it a bit easier for us to maintain all our samples. The automerge.yml workflow automatically merges the updates of Stripe SDKs so we can keep our samples up to date. Beforehand, this work was done manually and it's not really sustainable. It doesn't automerge updates from other packages so we can check them for potential security issues.
If you want to work on your idea of only merging PRs when the CI tests pass, I would recommend making this change in the automerge.yml workflow because, for PRs related to non-Stripe dependencies, we're going to use a tool to check for security issues first. Does that make sense?
Hi @charliegerard-stripe, thanks a lot for the background and feedback! Now I understand that there will be multiple dependencies (the security check and CI) to trigger auto-merge for Dependabot PRs.
The entire flow could be like this? (let me know if there are misunderstandings):
As you recommend, I'd like to make some changes to the automerge.yml to run auto-merge when the CI succeeds. I think that by using the workflow_run event to trigger subsequent events, we can run each workflow sequentially.
Hey @hibariya, yes that looks right! Feel free to work on this if you'd like and you can tag me as reviewer whenever you're ready 🙂
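
The flow discussed in this thread, as an added example that is not from the repository or from either participant: a workflow triggered by `workflow_run` that merges a Dependabot PR only after CI has succeeded on it. The CI workflow name `CI`, the workflow and job names, and the squash merge method are assumptions.

```yaml
# Added example (not the repository's automerge.yml).
# Assumptions: the CI workflow is named "CI" and runs on pull_request.
name: automerge-dependabot

on:
  workflow_run:
    workflows: ["CI"]
    types: [completed]

# workflow_run jobs run from the default branch, so grant only
# what the merge itself needs.
permissions:
  contents: write
  pull-requests: write

jobs:
  automerge:
    runs-on: ubuntu-latest
    # Gate on every condition before any step runs:
    # - CI finished successfully
    # - the CI run came from a pull request
    # - the run was started by Dependabot
    # - the PR branch lives in this repository, not in a fork
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.actor.login == 'dependabot[bot]' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    steps:
      - name: Merge the PR if its head is still the commit CI tested
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Branch name and SHA are passed through env, not expanded
          # inline in the script, so their contents are never parsed
          # as shell code.
          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          # --match-head-commit refuses the merge if the branch moved
          # after the CI run that triggered this workflow.
          gh pr merge "$HEAD_BRANCH" \
            --repo "$GITHUB_REPOSITORY" \
            --squash \
            --match-head-commit "$HEAD_SHA"
```

This job never checks out or executes code from the PR branch; it only reads the run metadata and calls the merge API, which keeps the write-scoped token away from untested dependency code.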