add dependabot automation

Author: wuan

.github/workflows/build.yml

@@ -1,4 +1,4 @@
-name: Test and Build
+name: Build
 
 on:
   push:
@@ -9,18 +9,20 @@ permissions:
   contents: read
 
 jobs:
-  test:
+  build:
+    name: Build
     permissions:
       contents: read  # for actions/checkout to fetch code
       pull-requests: read  # for SonarSource/sonarcloud-github-action to determine which PR to decorate
+    env:
+      POETRY_VERSION: 2.1.1
     strategy:
       # By default, GitHub will maximize the number of jobs run in parallel
       # depending on the available runners on GitHub-hosted virtual machines.
       # max-parallel: 8
       fail-fast: false
       matrix:
-        python-version: [ "3.9", "3.10", "3.11", "3.12" ]
-        poetry-version: [ "1.2.2", "1.7.1" ]
+        python-version: [ "3.10", "3.11", "3.12" ]
         os: [ ubuntu-22.04, macos-latest, windows-latest ]
     runs-on: ${{ matrix.os }}
     steps:
@@ -40,7 +42,7 @@ jobs:
       - name: Run image
         uses: abatilo/actions-poetry@0dd19c9498c3dc8728967849d0d2eae428a8a3d8 # v4
         with:
-          poetry-version: ${{ matrix.poetry-version }}
+          poetry-version: ${{ env.POETRY_VERSION }}
 
       - name: Setup environment
         run: poetry install
@@ -57,8 +59,8 @@ jobs:
         run: poetry build
 
       - name: SonarCloud Scan
-        if: matrix.python-version == '3.10' && matrix.os == 'ubuntu-22.04' && matrix.poetry-version == '1.7.1'
-        uses: SonarSource/sonarcloud-github-action@02ef91109b2d589e757aefcfb2854c2783fd7b19 # master
+        if: matrix.python-version == '3.10' && matrix.os == 'ubuntu-22.04'
+        uses: SonarSource/sonarcloud-github-action@v5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

.github/workflows/pr_automation.yml

@@ -0,0 +1,24 @@
+name: PR automation
+on: pull_request
+
+permissions:
+  contents: write
+  pull-requests: write
+  actions: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'wuan/scan-pdf'
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Enable auto-merge for Dependabot PRs
+#        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/scorecard.yml

@@ -64,7 +64,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@c24449f33cd45d4826c6702db7e49f7cdb9b551d # v3.pre.node20
+        uses: actions/upload-artifact@v4
         with:
           name: SARIF file
           path: results.sarif