Description
With the introduction of the Review-to-Commit process, the current merge-dependabot-reusable GitHub Actions workflow needs to be revised. The RTC policy introduces new constraints that directly impact how Dependabot PRs can be processed and merged.
Problems
- Review requirement: The workflow can no longer merge PRs directly, as the RTC policy mandates at least one code review before merging.
- Triggering required checks: Any commits made by the workflow (e.g., adding changelog files) must trigger all required status checks. This behavior is only guaranteed if the workflow uses a Personal Access Token (PAT) with appropriate permissions, instead of the default GITHUB_TOKEN.
- Support for maintainers: To ease the additional manual steps introduced by RTC, the updated workflow should:
  - Handle PRs that update multiple dependencies at once (e.g., bundler mode).
  - Enable GitHub's auto-merge feature after making its changes, so the PR merges automatically once it receives a review and passes checks.
Proposed solution
- Create a new reusable workflow (e.g., process-dependabot-reusable) that addresses these constraints.
- Ensure it uses a PAT to push changelog updates and re-run checks.
- Add logic to support multi-dependency updates and enable auto-merge.
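
A sketch of what such a reusable workflow could look like, added here as an illustration and not part of the original issue or the project's code. The secret name `DEPENDABOT_PAT`, the changelog path and format, and the committer identity are placeholders; it assumes a fine-grained PAT limited to this repository's contents and pull requests, and that auto-merge is enabled in the repository settings.

```yaml
# Added example, not the project's workflow; names marked "placeholder" are assumptions.
name: process-dependabot-reusable
on:
  workflow_call:
    secrets:
      DEPENDABOT_PAT:   # placeholder; Dependabot-triggered runs read it from the Dependabot secret store
        required: true
permissions:            # the default GITHUB_TOKEN stays read-only; every write goes through the PAT
  contents: read
  pull-requests: read
jobs:
  process:
    # Gate on the PR author rather than github.actor (whoever caused the event).
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - id: meta
        uses: dependabot/fetch-metadata@v2
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}
          token: ${{ secrets.DEPENDABOT_PAT }}   # pushes made with the PAT trigger the required checks
      - name: Commit changelog entry
        env:   # pass values through env so PR-derived strings are never expanded into the script text
          DEPS: ${{ steps.meta.outputs.dependency-names }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          file="changelog/dependabot-${PR_NUMBER}.txt"   # placeholder path and format
          mkdir -p "$(dirname "$file")"
          # dependency-names is comma-separated, so a grouped PR yields one line per dependency
          printf '%s\n' "$DEPS" | tr ',' '\n' | sed 's/^ *//; s/^/Update /' > "$file"
          git config user.name "changelog-bot"                 # placeholder identity
          git config user.email "changelog-bot@example.invalid"
          git add "$file"
          # Commit only when the file changed, so the re-triggered run does not push again
          git diff --cached --quiet || { git commit -m "Add changelog for #${PR_NUMBER}"; git push; }
      - name: Enable auto-merge
        env:
          GH_TOKEN: ${{ secrets.DEPENDABOT_PAT }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: gh pr merge --auto --squash "$PR_URL"   # merges only after review and required checks pass
```

Because the push made with the PAT re-triggers the workflow, the run that follows is no longer Dependabot-triggered and reads the secret from the regular Actions secret store, so the PAT has to be present in both stores.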