
Conversation

@nixel2007
Member

@nixel2007 nixel2007 commented Dec 18, 2025

Enable auto-merge for Dependabot pull requests and changed the repository reference.

Description

Related issues

Closes

Checklist

General

  • PR branch updated from develop
  • Debug, commented-out and other meaningless pieces of code removed
  • Changes are covered by tests
  • Mandatory pre-commit actions performed (ran the gradlew precommit command)

For diagnostics

  • Diagnostic description filled in for both languages (files for both languages are present; the Russian one is filled in in full detail, the English translation may be omitted)

Additionally

Summary by CodeRabbit

  • Chores
    • Added an automated workflow to approve and enable auto-merge for Dependabot dependency update pull requests, streamlining dependency updates and reducing manual review effort.

Copilot AI review requested due to automatic review settings December 18, 2025 18:37
@coderabbitai
Contributor

coderabbitai bot commented Dec 18, 2025

Caution

Review failed

The pull request is closed.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds a new GitHub Actions workflow that runs on Dependabot pull requests, fetches Dependabot metadata, programmatically approves the PR, and enables auto-merge by invoking the GitHub CLI with the PR URL and token.

Changes

Cohort / File(s): GitHub Actions workflow
File: .github/workflows/dependabot-automerge.yaml
Summary: New workflow triggered on pull_request_target for author dependabot[bot]; fetches Dependabot metadata, approves the PR, and enables auto-merge using the gh CLI with PR URL and GITHUB_TOKEN provided via environment variables.

Sequence Diagram(s)

```mermaid
sequenceDiagram
  autonumber
  participant Dependabot
  participant GitHub as "GitHub (PR)"
  participant Actions as "GitHub Actions\n(pull_request_target)"
  participant Runner as "Workflow Runner\n(shell + gh CLI)"
  participant GH_API as "GitHub API"

  Dependabot->>GitHub: Create Dependabot PR
  GitHub->>Actions: Trigger pull_request_target
  Actions->>Runner: Start job (checkout + fetch metadata)
  Runner->>GH_API: Fetch Dependabot metadata (author, manifest)
  Runner->>GH_API: Submit review approval (using GITHUB_TOKEN)
  Runner->>GH_API: Invoke `gh` CLI to enable auto-merge (PR URL, token)
  GH_API-->>GitHub: Mark PR approved and enable auto-merge
  GitHub-->>Dependabot: PR status updated (approved / auto-merge enabled)
```

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify the workflow event is intentionally pull_request_target (security implications).
  • Confirm GITHUB_TOKEN permissions and that the gh CLI is available in the runner image.
  • Check the author filter (dependabot[bot]) and Dependabot metadata fetch steps for correctness.

Possibly related PRs

  • #3680 — Similar change touching the Dependabot auto-merge workflow (differs in event trigger and repository reference).

Poem

🐇 I nudged a tiny script tonight,
Approving bumps by soft moonlight.
With whiskered cheer I press "auto-merge",
So updates hop along their surge —
A fluffy patch, so small and bright.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: ✅ Passed. The title 'Enable auto-merge for Dependabot' directly and accurately summarizes the main change—adding GitHub Actions workflow automation for Dependabot pull requests.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1012b8d and 2b1c559.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-automerge.yaml (1 hunks)


@github-actions
Contributor

github-actions bot commented Dec 18, 2025

Test Results

0 files (-2 700)   0 suites (-2 700)   0s ⏱️ (-46m 37s)
0 tests (-1 013)   0 ✅ (-1 013)   0 💤 (±0)   0 ❌ (±0)
0 runs (-9 117)    0 ✅ (-9 117)   0 💤 (±0)   0 ❌ (±0)

Results for commit 1012b8d. ± Comparison against base commit 5b99dbb.

♻️ This comment has been updated with latest results.

Contributor

Copilot AI left a comment


Pull request overview

This PR introduces automated approval and merging of Dependabot pull requests by adding a new GitHub Actions workflow. The workflow automatically approves and enables auto-merge for Dependabot PRs in the 1c-syntax/bsl-language-server repository.

  • Adds a new workflow file for Dependabot automation
  • Configures automatic PR approval and auto-merge for dependency updates
  • Restricts workflow execution to Dependabot PRs in the specific repository

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/dependabot-automerge.yaml (1)

13-17: Consider using the fetched metadata for conditional auto-merge.

The Dependabot metadata is fetched but never used. You could leverage this data to implement smarter auto-merge logic, such as:

  • Only auto-merge patch updates (update-type: version-update:semver-patch)
  • Skip auto-merge for major version updates
  • Handle different dependency types differently
🔎 Example: Only auto-merge patch and minor updates:

```diff
       - name: Enable auto-merge for Dependabot PRs
+        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
         run: gh pr merge --auto --merge "$PR_URL"
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
           GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
```
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5b99dbb and 9fc7318.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-automerge.yaml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)
  • GitHub Check: build (25, macOS-latest)
  • GitHub Check: build (17, macOS-latest)
  • GitHub Check: build (25, windows-latest)
  • GitHub Check: build (25, ubuntu-latest)
  • GitHub Check: build (21, windows-latest)
  • GitHub Check: build (17, ubuntu-latest)
  • GitHub Check: build (21, macOS-latest)
  • GitHub Check: build (17, windows-latest)
  • GitHub Check: build (21, ubuntu-latest)
  • GitHub Check: Analyse
  • GitHub Check: build
🔇 Additional comments (4)
.github/workflows/dependabot-automerge.yaml (4)

4-6: LGTM!

Permissions are correctly configured for approving and merging pull requests.


18-22: Self-approval with GITHUB_TOKEN may not work in all configurations.

Some repository configurations prevent the workflow's GITHUB_TOKEN from approving its own PRs. If auto-merge fails, you may need to:

  1. Create a GitHub App or use a Personal Access Token (PAT) with appropriate permissions
  2. Configure repository settings to allow workflow approvals

Test this workflow with an actual Dependabot PR to ensure the approval succeeds. If it fails, consider using a GitHub App or PAT stored in secrets.


23-27: Auto-merge will wait for required status checks.

The --auto --merge flags enable auto-merge with a merge commit strategy. The PR will automatically merge once all required status checks pass and approval requirements are met. This is the expected behavior.

If you prefer squash or rebase merge strategies, use --squash or --rebase instead of --merge.


8-11: Ensure branch protection rules are compatible with auto-merge.

The workflow approves and auto-merges Dependabot PRs, which requires branch protection rules to be configured appropriately. Auto-merge will fail if your branch protection rules require multiple approvers (>1) or mandate reviews from code owners. Required status checks are fine and expected—auto-merge waits for them to pass before merging.

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (1)
.github/workflows/dependabot-automerge.yaml (1)

2-2: Security concern: Use pull_request_target instead of pull_request.

This issue has already been flagged in a previous review. The pull_request trigger runs in the context of the PR head branch, which poses security risks when combined with write permissions. Consider using pull_request_target with specific activity types as suggested.

🧹 Nitpick comments (1)
.github/workflows/dependabot-automerge.yaml (1)

13-17: Consider using the metadata outputs for filtering.

The Dependabot metadata is fetched but not used in the workflow. You could leverage the outputs to add safety guardrails, such as only auto-merging patch updates or filtering by dependency type.

Example: Auto-merge only patch updates

```yaml
- name: Dependabot metadata
  id: metadata
  uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
  with:
    github-token: "${{ secrets.GITHUB_TOKEN }}"
- name: Approve a PR
  if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
  run: gh pr review --approve "$PR_URL"
  env:
    PR_URL: ${{ github.event.pull_request.html_url }}
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Enable auto-merge for Dependabot PRs
  if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
  run: gh pr merge --auto --merge "$PR_URL"
  env:
    PR_URL: ${{ github.event.pull_request.html_url }}
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9fc7318 and 1012b8d.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-automerge.yaml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)
  • GitHub Check: Analyse
  • GitHub Check: build
  • GitHub Check: build (25, ubuntu-latest)
  • GitHub Check: build (21, windows-latest)
  • GitHub Check: build (25, windows-latest)
  • GitHub Check: build (21, ubuntu-latest)
  • GitHub Check: build (25, macOS-latest)
  • GitHub Check: build (17, ubuntu-latest)
  • GitHub Check: build (17, windows-latest)
  • GitHub Check: build (17, macOS-latest)
🔇 Additional comments (1)
.github/workflows/dependabot-automerge.yaml (1)

18-27: Implementation looks correct.

The approval and auto-merge steps are properly configured:

  • Correct use of gh CLI commands
  • Proper environment variable setup with PR_URL and GH_TOKEN
  • Expression syntax is consistent with GitHub Actions best practices (the spacing issue mentioned in past comments appears resolved)
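A hardened version of the workflow discussed in the review comments above, added here as an illustration rather than taken from the PR's own file: it uses pull_request_target with explicit activity types, gates the job on the Dependabot author and on the 1c-syntax/bsl-language-server repository, requests only the two permissions the gh commands need, and uses the fetched metadata so that only patch and minor bumps are approved and auto-merged. Because pull_request_target runs with the base repository's write-capable GITHUB_TOKEN, the job has no checkout step, so nothing from the PR head is ever executed. The workflow name, job id and step names are assumptions.

```yaml
# Added example: a hardened Dependabot auto-merge workflow (not the PR's file).
name: Dependabot auto-merge

on:
  pull_request_target:
    # explicit activity types instead of relying on the defaults
    types: [opened, synchronize, reopened]

# Least privilege: only what "gh pr review --approve" and
# "gh pr merge --auto" need.
permissions:
  contents: write
  pull-requests: write

jobs:
  automerge:
    # pull_request_target runs with the base repo's write token, so the job
    # runs only for Dependabot PRs in this repository and never checks out
    # or executes code from the PR head (deliberately no actions/checkout).
    if: >-
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.repository == '1c-syntax/bsl-language-server'
    runs-on: ubuntu-latest
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

      # Gate on the fetched metadata: patch and minor bumps are approved and
      # auto-merged; major bumps stay open for a human reviewer.
      - name: Approve patch/minor updates
        if: >-
          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
          steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Enable auto-merge for patch/minor updates
        if: >-
          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
          steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Auto-merge still waits for the branch's required status checks, so this only removes the manual approve-and-merge step for low-risk bumps; any major update remains visible in the PR list for review.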

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@nixel2007 nixel2007 merged commit f6c26e5 into develop Dec 18, 2025
32 of 33 checks passed
@nixel2007 nixel2007 deleted the nixel2007-patch-2 branch December 18, 2025 18:49