Add Dependabot auto-merge workflow #462
Conversation
github-actions
bot
added
the
part:tooling
There was a problem hiding this comment.
Pull Request Overview
This PR adds a GitHub Actions workflow to automate the approval and merging of Dependabot pull requests, streamlining dependency updates with a merge commit strategy.
Key Changes:
- New automated workflow for Dependabot PRs with approval and merge functionality
- Configured to use merge commits for maintaining explicit dependency update history
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| - name: Auto-merge Dependabot PR | ||
| uses: ad/dependabot-auto-approve@v1 |
There was a problem hiding this comment.
The action ad/dependabot-auto-approve@v1 only approves PRs but does not merge them, despite its use in a step named 'Auto-merge'. To both approve and merge, consider using fastify/github-action-merge-dependabot@v3 or add a separate merge step using gh pr merge with the GitHub CLI.
| - name: Auto-merge Dependabot PR | |
| uses: ad/dependabot-auto-approve@v1 | |
| - name: Auto-approve and merge Dependabot PR | |
| uses: fastify/github-action-merge-dependabot@v3 |
| name: Auto-merge Dependabot PRs | ||
|
|
||
| on: | ||
| pull_request: |
There was a problem hiding this comment.
The workflow triggers on all pull_request events without specifying activity types. This means it runs on every PR event (opened, synchronized, reopened, etc.), including those from external forks in public repositories. Add types: [opened] or use pull_request_target with appropriate safeguards to limit when this workflow executes.
| pull_request: | |
| pull_request: | |
| types: [opened] |
There was a problem hiding this comment.
TIL pull_request by default only triggers on opened, reopened and synchronize.
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| merge-method: 'merge' No newline at end of file |
There was a problem hiding this comment.
The merge-method parameter is not supported by the ad/dependabot-auto-approve@v1 action, which only handles approval. This configuration will have no effect. If you want to control the merge method, use an action that actually performs merging or use the GitHub CLI with gh pr merge --merge.
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| merge-method: 'merge' | |
| github-token: ${{ secrets.GITHUB_TOKEN }} |
Marenz
force-pushed
the
add-dependabot-workflow
branch
2 times, most recently
from
e837ce5 to
c82dbe6
Compare
Signed-off-by: Mathias L. Baumann <[email protected]>
Marenz
force-pushed
the
add-dependabot-workflow
branch
from
c82dbe6 to
e40d708
Compare
| uses: ad/dependabot-auto-approve@v1 | ||
| with: | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| merge-method: 'merge' |
There was a problem hiding this comment.
Same as in other PRs, shouldn't this also have other parameters, like auto-merge?
2 participants
Summary
mergemethod for clean commit history