chore: automate dependabot and codeql on dev

Aethersailor · Aethersailor · commit 5e4472d2d8c3 · 2026-01-10T12:24:46.000+08:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -2,37 +2,41 @@ version: 2
 updates:
   - package-ecosystem: "github-actions"
     directory: "/"
+    target-branch: "dev"
     schedule: { interval: "daily", time: "04:00" }
-    open-pull-requests-limit: 1
+    open-pull-requests-limit: 10
     rebase-strategy: "auto"
     labels: ["dependencies","github-actions"]
     groups:
       all:
         patterns: ["*"]
   - package-ecosystem: "pip"
     directory: "/"
+    target-branch: "dev"
     schedule: { interval: "daily", time: "04:10" }
-    open-pull-requests-limit: 1
+    open-pull-requests-limit: 10
     rebase-strategy: "auto"
     labels: ["dependencies","python"]
     groups:
       all:
         patterns: ["*"]
   - package-ecosystem: "docker"
     directory: "/"
+    target-branch: "dev"
     schedule: { interval: "daily", time: "04:15" }
-    open-pull-requests-limit: 1
+    open-pull-requests-limit: 10
     rebase-strategy: "auto"
     labels: ["dependencies","docker"]
     groups:
       all:
         patterns: ["*"]
   - package-ecosystem: "docker-compose"
     directory: "/"
+    target-branch: "dev"
     schedule: { interval: "daily", time: "04:16" }
-    open-pull-requests-limit: 1
+    open-pull-requests-limit: 10
     rebase-strategy: "auto"
     labels: ["dependencies","docker-compose"]
     groups:
       all:
-        patterns: ["*"]
+        patterns: ["*"]
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,51 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [dev]
+  pull_request:
+    branches: [dev]
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [python]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: |
+            security-extended
+            security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,22 @@
+name: Auto-merge Dependabot PRs
+
+on:
+  pull_request_target:
+    types: [opened, reopened, synchronize, ready_for_review]
+    branches: [dev]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot-auto-merge:
+    if: >
+      github.actor == 'dependabot[bot]' &&
+      github.event.pull_request.draft == false
+    runs-on: ubuntu-latest
+    steps:
+      - name: Enable auto-merge and delete branch
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh pr merge ${{ github.event.pull_request.number }} --auto --squash --delete-branch
