From 2f975829e59bd0f6148fb9ea2045c546a4d80a50 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bot=20of=20Thomas=20G=C3=BCttler?=
 <guettlibot@noreply.codeberg.org>
Date: Wed, 27 May 2026 09:37:15 +0200
Subject: [PATCH] feat: auto-merge safe Renovate PRs via CI (#277) (#284)

---
 .forgejo/workflows/ci.yml | 48 +++++++++++++++++++++++++++++++++++++++
 renovate.json             |  8 ++++++-
 2 files changed, 55 insertions(+), 1 deletion(-)

diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
index 5eb3e10..6cf1e63 100644
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@@ -109,3 +109,51 @@ jobs:
       - name: Cleanup TLS credentials
         if: always()
         run: rm -rf /tmp/dagger-tls /tmp/stunnel-dagger.conf /tmp/stunnel.pid
+
+  merge-renovate:
+    name: Auto-merge Renovate PR
+    needs: [check]
+    if: github.event_name == 'pull_request' && startsWith(github.head_ref, 'renovate/')
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+
+    steps:
+      - name: Merge if automerge label is set
+        env:
+          FORGEJO_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          python3 - << 'PYEOF'
+          import os, json, urllib.request, urllib.error, sys
+
+          token = os.environ["FORGEJO_TOKEN"]
+          url_base = os.environ.get("GITHUB_SERVER_URL", "").rstrip("/")
+          repo = os.environ.get("GITHUB_REPOSITORY", "")
+          pr_number = os.environ["PR_NUMBER"]
+          api = f"{url_base}/api/v1/repos/{repo}"
+          headers = {"Authorization": f"token {token}", "Content-Type": "application/json"}
+
+          req = urllib.request.Request(f"{api}/issues/{pr_number}/labels", headers=headers)
+          with urllib.request.urlopen(req) as r:
+              labels = [l["name"] for l in json.loads(r.read())]
+
+          if "automerge" not in labels:
+              print(f"PR #{pr_number}: no 'automerge' label — major update, skipping")
+              sys.exit(0)
+
+          body = json.dumps({"Do": "merge"}).encode()
+          req = urllib.request.Request(
+              f"{api}/pulls/{pr_number}/merge",
+              data=body, headers=headers, method="POST"
+          )
+          try:
+              with urllib.request.urlopen(req) as r:
+                  print(f"PR #{pr_number} merged successfully")
+          except urllib.error.HTTPError as e:
+              err = e.read().decode()
+              if "already been merged" in err or "has been merged" in err:
+                  print(f"PR #{pr_number} already merged — OK")
+              else:
+                  print(f"Merge failed: {err}")
+                  sys.exit(1)
+          PYEOF
diff --git a/renovate.json b/renovate.json
index 52914a2..1b818f4 100644
--- a/renovate.json
+++ b/renovate.json
@@ -6,5 +6,11 @@
   "labels": ["dependencies"],
   "github-actions": {
     "fileMatch": ["^\\.forgejo/workflows/[^/]+\\.ya?ml$"]
-  }
+  },
+  "packageRules": [
+    {
+      "matchUpdateTypes": ["minor", "patch", "pin", "digest", "lockFileMaintenance"],
+      "addLabels": ["automerge"]
+    }
+  ]
 }