Conversation

@Marenz Marenz commented Oct 20, 2025

Summary

  • Add GitHub workflow to automatically approve and merge Dependabot PRs
  • Uses merge method for clean commit history

@Copilot Copilot AI review requested due to automatic review settings October 20, 2025 13:28
@Marenz Marenz requested review from a team as code owners October 20, 2025 13:28
@github-actions github-actions bot added part:tooling Affects the development tooling (CI, deployment, dependency management, etc.) part:dispatcher labels Oct 20, 2025
@Copilot Copilot AI left a comment

Pull Request Overview

Adds a GitHub Actions workflow to automatically approve and merge Dependabot pull requests using a merge commit for clean history.

  • Introduces a new workflow file auto-dependabot.yaml.
  • Configures a job gated by actor check for dependabot[bot].
  • Uses a third-party action to auto-approve and merge PRs with merge-method set to merge.

Comment on lines 6 to 19

jobs:
  auto-merge:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Auto-merge Dependabot PR
        uses: ad/dependabot-auto-approve@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          merge-method: 'merge'
(No newline at end of file)
Copilot AI Oct 20, 2025

The workflow relies on GITHUB_TOKEN to approve and merge, but no explicit permissions block is set; GitHub defaults may be read-only and cause the action to fail. Add a top-level permissions section: permissions: contents: write, pull-requests: write to ensure the action can approve and merge.

Comment on lines 11 to 19

      - name: Auto-merge Dependabot PR
        uses: ad/dependabot-auto-approve@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          merge-method: 'merge'
(No newline at end of file)
Copilot AI Oct 20, 2025

[nitpick] This configuration will auto-merge every Dependabot PR regardless of update type (major/minor/patch), which can introduce breaking changes automatically. Consider adding logic (e.g., fetch metadata action + conditional) to restrict merges to patch/minor versions only.

on:
  pull_request:

Copilot AI Oct 20, 2025

[nitpick] Triggering on all pull_request event types can create unnecessary workflow runs; specify types (e.g., types: [opened, synchronize, reopened]) to reduce redundant executions.

Suggested change

on:
  pull_request:
    types: [opened, synchronize, reopened]

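The three review suggestions above (an explicit permissions block, restricting unattended merges to patch and minor updates, and narrowing the pull_request event types) combined into one workflow. This is an added example, not the file from this PR and not the project's own code: it replaces the third-party ad/dependabot-auto-approve action with GitHub's documented pattern of dependabot/fetch-metadata plus the gh CLI, so the approve and merge steps are visible rather than hidden inside an external action. The workflow name, job name, step names and the extra author check are my choices.

```yaml
# Added example (not the PR's own file): hardened variant of the auto-merge
# workflow. Names, the author check and the update-type filter are assumptions
# of this example, not the project's configuration.
name: Auto-merge Dependabot PRs

on:
  pull_request:
    # Only the events that change the PR head, to avoid redundant runs.
    types: [opened, synchronize, reopened]

# The default GITHUB_TOKEN may be read-only; grant exactly what approving
# and merging need and nothing more.
permissions:
  contents: write
  pull-requests: write

jobs:
  auto-merge:
    # Gate on the PR author as well as the run actor, so a manual re-run of
    # this workflow by a maintainer on a non-Dependabot PR does not pass.
    if: >-
      github.actor == 'dependabot[bot]' &&
      github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Only patch and minor bumps are merged unattended; major bumps stay
      # open for a human reviewer.
      - name: Approve and enable auto-merge
        if: >-
          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
          steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: |
          gh pr review --approve "$PR_URL"
          # --auto defers the merge until required status checks and branch
          # protection rules pass; --merge keeps a merge commit, as this PR
          # intends with merge-method: 'merge'.
          gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Two caveats worth keeping in mind with any variant of this workflow. The approval is issued by github-actions[bot] using GITHUB_TOKEN, so it satisfies a "required approving reviews" branch-protection rule without a human having looked at the change; the effective merge gate becomes the CI checks, which should therefore include the test suite and any dependency audit. And filtering on semver-patch or semver-minor limits the blast radius of breaking API changes, but not of a malicious release: a compromised upstream can ship its payload as a patch version, so the filter is a convenience control, not a supply-chain control.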
llucax previously approved these changes Oct 20, 2025
llucax previously approved these changes Oct 21, 2025
@llucax llucax left a comment

Nitpick.

        uses: ad/dependabot-auto-approve@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          merge-method: 'merge'
(No newline at end of file)
Missing EOL.

Signed-off-by: Mathias L. Baumann <[email protected]>