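name: Dependabot Auto-Merge

on:
  pull_request:
    types: [opened, synchronize, reopened]

# Workflow-wide default is read-only; the jobs below widen it explicitly.
permissions:
  contents: read

jobs:
  auto-merge:
    name: Auto-merge Dependabot PRs
    runs-on: ubuntu-latest
    # Only run for Dependabot PRs. Require BOTH the triggering actor and the
    # PR author to be Dependabot, so a human pushing to a dependabot/ branch
    # (or any non-Dependabot PR) never reaches the merge step with a write
    # token.
    if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]'
    permissions:
      contents: write
      pull-requests: write
      checks: read
    steps:
      - name: Checkout
        uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # v5
        with:
          # `npm ci` below runs the lifecycle scripts of the freshly bumped
          # dependency. Do not leave the write-scoped GITHUB_TOKEN in
          # .git/config where such a script could read it; the `gh` steps
          # receive the token through GH_TOKEN instead.
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v4
        with:
          node-version: '18'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Run tests
        run: npm test

      # Classifies the PR from its title and exposes `auto_merge` (true/false)
      # for the following steps. The title is only ever read from the
      # environment, never interpolated into the script, so it cannot inject
      # shell syntax.
      - name: Analyze Dependabot PR
        id: analyze
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          pr_number="$PR_NUMBER"
          pr_labels=$(gh pr view "$pr_number" --json labels --jq '.labels[].name' | tr '\n' ' ')

          echo "PR: #$pr_number"
          echo "Title: $PR_TITLE"
          echo "Labels: $pr_labels"

          # Decision flag; only the branches below may set it to true.
          auto_merge=false

          # Extract the semver bump from standard Dependabot titles, e.g.
          # "bump <name> from 1.2.3 to 1.3.0". Titles without a from/to pair
          # (grouped updates) leave these empty and end up as bump_type=unknown.
          from_ver=""
          to_ver=""
          dep_name=""
          if echo "$PR_TITLE" | grep -qiE 'bump .+ from [0-9]'; then
            dep_name=$(echo "$PR_TITLE" | sed -E 's/.*bump ([^ ]+) from .*/\1/i')
            from_ver=$(echo "$PR_TITLE" | sed -nE 's/.* from ([0-9][^ ]*) to .*/\1/ip' | head -n1)
            to_ver=$(echo "$PR_TITLE" | sed -nE 's/.* to ([0-9][^ ]*)\s*$/\1/ip' | head -n1)
          fi

          bump_type="unknown"
          if [ -n "$from_ver" ] && [ -n "$to_ver" ]; then
            # Strip a leading 'v' and any pre-release/build metadata before
            # comparing the dotted components.
            fv=$(echo "$from_ver" | sed -E 's/^v//' | cut -d- -f1 | cut -d+ -f1)
            tv=$(echo "$to_ver" | sed -E 's/^v//' | cut -d- -f1 | cut -d+ -f1)

            fmaj=$(echo "$fv" | cut -d. -f1)
            fmin=$(echo "$fv" | cut -d. -f2)
            fpat=$(echo "$fv" | cut -d. -f3)
            tmaj=$(echo "$tv" | cut -d. -f1)
            tmin=$(echo "$tv" | cut -d. -f2)
            tpat=$(echo "$tv" | cut -d. -f3)

            if [ "$tmaj" != "$fmaj" ]; then
              bump_type="major"
            elif [ "$tmin" != "$fmin" ]; then
              bump_type="minor"
            elif [ "$tpat" != "$fpat" ]; then
              bump_type="patch"
            else
              bump_type="none"
            fi
            echo "Detected dependency: $dep_name | $from_ver -> $to_ver ($bump_type)"
          fi

          # Security-critical actions always get a human (require manual review)
          if echo "$PR_TITLE" | grep -qi "github/codeql-action\|step-security"; then
            echo "πŸ”’ Security-critical action - manual review required"
            auto_merge=false

          # Security-critical dependencies (same list as the notify-manual-review
          # job) always get a human, whatever the bump size. Without this gate a
          # minor/patch bump of these would be auto-merged here while the other
          # job tells the reviewer that auto-merge is disabled.
          elif echo "$PR_TITLE" | grep -qi "mssql\|tedious\|azure.*identity\|aws-sdk"; then
            echo "πŸ”’ Security-critical dependency - manual review required"
            auto_merge=false

          # Block auto-merge for major updates
          elif [ "$bump_type" = "major" ]; then
            echo "🚨 Major version bump detected - manual review required"
            auto_merge=false

          # Auto-merge for patch/minor bumps
          elif [ "$bump_type" = "patch" ] || [ "$bump_type" = "minor" ]; then
            echo "🩹 Patch/minor version bump detected - eligible for auto-merge"
            auto_merge=true

          # Security updates whose bump size could not be parsed. NOTE: this is a
          # substring match on the title, so a dependency whose *name* contains
          # one of these words also lands here.
          elif echo "$PR_TITLE" | grep -qi "security\|vulnerability\|cve\|ossf/scorecard-action"; then
            echo "πŸ”’ Security update detected - eligible for auto-merge"
            auto_merge=true

          # Known build/utility GitHub Actions, matched by name in the title
          elif echo "$PR_TITLE" | grep -qi "actions/checkout\|actions/setup-node\|actions/upload-artifact\|actions/cache\|streetsidesoftware/cspell-action\|gaurav-nelson.*markdown-link-check"; then
            echo "πŸ—οΈ Build/utility action update - eligible for auto-merge"
            auto_merge=true

          # Fallback: keywords in title (some ecosystems include these)
          elif echo "$PR_TITLE" | grep -qi "\bpatch\b\|\bminor\b"; then
            echo "🩹 Patch/minor keyword detected - eligible for auto-merge"
            auto_merge=true

          else
            echo "πŸ” Manual review required for this update"
          fi

          echo "auto_merge=$auto_merge" >> "$GITHUB_OUTPUT"

          # Label the PR with the outcome; labelling is best-effort because the
          # labels may not exist in the repository yet.
          if [ "$auto_merge" = "true" ]; then
            gh pr edit "$pr_number" --add-label "auto-merge-eligible" || echo "Warning: Could not add label (may not exist yet)"
          else
            gh pr edit "$pr_number" --add-label "manual-review-required" || echo "Warning: Could not add label (may not exist yet)"
          fi

      # `gh pr merge --auto` defers the merge to GitHub's auto-merge feature,
      # which only waits for the checks that branch protection marks as
      # *required*. If the repository has no required checks (or "Allow
      # auto-merge" is off), this step merges immediately or fails; review
      # those settings together with this workflow.
      - name: Add auto-merge comment and enable auto-merge
        if: steps.analyze.outputs.auto_merge == 'true'
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          pr_number="$PR_NUMBER"

          # Add explanatory comment
          gh pr comment "$pr_number" --body "πŸ€– **Auto-merge Enabled** βœ…

          This Dependabot update has been queued for auto-merge because:
          - All tests pass
          - Update type is eligible for auto-merge
          - No breaking changes detected
          - Security/development dependency classification

          πŸ” **Auto-merge criteria met:**
          - Tests: βœ… Passed
          - Type: βœ… Low-risk update
          - Security: βœ… No concerns identified

          πŸš€ **Auto-merge enabled** - will merge automatically once all required checks pass."

          # Enable auto-merge with squash strategy
          gh pr merge "$pr_number" --auto --squash --delete-branch

      # Only post the "prioritized for auto-merge" notice when auto-merge was
      # actually enabled above; previously a blocked major/security-critical
      # update still received a comment claiming auto-merge was on.
      - name: Add security notice for critical updates
        if: steps.analyze.outputs.auto_merge == 'true' && (contains(github.event.pull_request.title, 'security') || contains(github.event.pull_request.title, 'vulnerability'))
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          pr_number="$PR_NUMBER"

          gh pr comment "$pr_number" --body "🚨 **Security Update Notice**

          This PR contains security updates and has been prioritized for auto-merge.

          πŸ“‹ **Post-merge actions:**
          - [ ] Monitor application logs for any issues
          - [ ] Verify MCP server functionality
          - [ ] Check for any breaking changes in production

          πŸ” **Security impact:** This update addresses known vulnerabilities and improves security posture.

          ⚑ **Auto-merge enabled** - will merge automatically once all CI checks pass."

  notify-manual-review:
    name: Notify Manual Review Required
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]'
    permissions:
      pull-requests: write
    steps:
      - name: Check if manual review needed
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          pr_number="$PR_NUMBER"

          # Security-critical dependencies (kept in sync with the auto-merge
          # job's block list). The "major" keyword is a fallback only: standard
          # "bump X from A to B" titles never contain it, so the semver parse in
          # the auto-merge job is the effective major-version gate.
          if echo "$PR_TITLE" | grep -qi "major\|mssql\|tedious\|azure.*identity\|aws-sdk"; then
            gh pr comment "$pr_number" --body "πŸ” **Manual Review Required**

          This Dependabot update requires manual review because:
          - Major version update or security-critical dependency
          - Potential breaking changes
          - Enhanced testing may be needed

          πŸ“‹ **Review checklist:**
          - [ ] Review CHANGELOG for breaking changes
          - [ ] Test MCP server functionality locally
          - [ ] Verify database connection stability
          - [ ] Check for API changes in dependencies
          - [ ] Run full test suite with new versions

          πŸ”’ **Security note:** This update affects core database connectivity - thorough testing recommended.

          ⏸️ **Auto-merge disabled** - manual merge required after review."

            # Add manual review label
            gh pr edit "$pr_number" --add-label "manual-review-required" --add-label "security-critical"
          fi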
