ci: add Dependabot and automated dependency updates [ENG-11704] (#262)

ryoppippi · web-flow · commit 03dc1ba84805 · 2026-01-05T14:04:04.000Z
* ci(deps): add Dependabot and automated dependency updates

- Add Dependabot config for npm and GitHub Actions
- Add auto-merge workflow for Dependabot PRs (minor/patch only)
- Add scheduled Nix flake update workflow with auto-merge

* ci(nix): use setup-nix action for flake update workflow

* ci: pin GitHub Actions with pinact
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -0,0 +1,47 @@
+version: 2
+updates:
+  # npm dependencies (pnpm compatible)
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+      time: '09:00'
+      timezone: Europe/London
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: 'chore(deps)'
+    labels:
+      - dependencies
+    groups:
+      # Group minor and patch updates together
+      minor-and-patch:
+        patterns:
+          - '*'
+        update-types:
+          - minor
+          - patch
+    # Ignore major updates for stability (review manually)
+    ignore:
+      - dependency-name: '*'
+        update-types:
+          - version-update:semver-major
+
+  # GitHub Actions dependencies
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+      time: '09:00'
+      timezone: Europe/London
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: 'ci(deps)'
+    labels:
+      - dependencies
+      - ci
+    groups:
+      actions:
+        patterns:
+          - '*'
diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
@@ -0,0 +1,48 @@
+name: Dependabot auto-merge
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot-auto-merge:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    steps:
+      - name: Fetch Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Wait for CI to pass
+        uses: lewagon/wait-on-check-action@ccfb013c15c8afb7bf2b7c028fb74dc5a068cccc # v1.3.4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          running-workflow-name: Dependabot auto-merge
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          wait-interval: 30
+
+      # Enable auto-merge for minor/patch updates
+      # GitHub will wait for required checks and 3-day delay before merging
+      - name: Enable auto-merge for minor/patch updates
+        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Add comment about merge delay
+        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
+        run: |
+          gh pr comment "$PR_URL" --body "🤖 Auto-merge enabled. This PR will be merged automatically after CI passes and the 3-day waiting period (configured in branch protection rules)."
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/nix-flake-update.yaml b/.github/workflows/nix-flake-update.yaml
@@ -0,0 +1,63 @@
+name: 'Scheduled: Nix flake update'
+
+on:
+  schedule:
+    # Run every Monday at 09:00 UTC (same as Dependabot)
+    - cron: '0 9 * * 1'
+  workflow_dispatch: # Allow manual trigger
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-flake:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+      - name: Setup Nix
+        uses: ./.github/actions/setup-nix
+
+      - name: Update flake.lock
+        run: nix flake update
+
+      - name: Check if flake.lock changed
+        id: check-changes
+        run: |
+          if git diff --quiet flake.lock; then
+            echo "changed=false" >> $GITHUB_OUTPUT
+          else
+            echo "changed=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create Pull Request
+        id: create-pr
+        if: steps.check-changes.outputs.changed == 'true'
+        uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: 'chore(deps): update nix flake inputs'
+          title: 'chore(deps): update nix flake inputs'
+          body: |
+            ## Summary
+            - Automated update of Nix flake inputs (`nixpkgs`, `flake-parts`)
+
+            ## Test plan
+            - [ ] `nix flake check` passes in CI
+            - [ ] Development shell works correctly
+
+            ---
+            🤖 This PR was automatically created by the scheduled Nix flake update workflow.
+          branch: chore/nix-flake-update
+          labels: |
+            dependencies
+            nix
+          delete-branch: true
+
+      - name: Enable auto-merge
+        if: steps.create-pr.outputs.pull-request-number
+        run: gh pr merge --auto --squash "${{ steps.create-pr.outputs.pull-request-url }}"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
