Contributor

@Marenz Marenz commented Oct 20, 2025

Summary

  • Add GitHub workflow to automatically approve and merge Dependabot PRs
  • Uses merge method for clean commit history

Copilot AI review requested due to automatic review settings October 20, 2025 13:25
@Marenz Marenz requested a review from a team as a code owner October 20, 2025 13:25
@Marenz Marenz requested a review from shsms October 20, 2025 13:25
@github-actions github-actions bot added the part:tooling Affects the development tooling (CI, deployment, dependency management, etc.) label Oct 20, 2025

Copilot AI left a comment

Pull Request Overview

This PR adds a GitHub Actions workflow to automate the approval and merging of Dependabot pull requests, streamlining dependency updates with a merge commit strategy.

Key Changes:

  • New automated workflow for Dependabot PRs with approval and merge functionality
  • Configured to use merge commits for maintaining explicit dependency update history

name: Auto-merge Dependabot PRs

on:
pull_request:
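
Review bot: at `on: pull_request:` the trigger covers every pull request, and the lines shown here carry no restriction to Dependabot-authored PRs and no `permissions:` block. If neither appears further down the file, add a job-level condition such as `if: github.event.pull_request.user.login == 'dependabot[bot]'` so the approve-and-merge job is skipped for everyone else, and grant the job only `pull-requests: write` and `contents: write`, since `pull_request` runs triggered by Dependabot receive a read-only `GITHUB_TOKEN` by default.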

Copilot AI Oct 20, 2025

The workflow triggers on all pull_request events without specifying activity types. This means it runs on every PR event (opened, synchronized, reopened, etc.), including those from external forks in public repositories. Add types: [opened] or use pull_request_target with appropriate safeguards to limit when this workflow executes.

Suggested change
pull_request:
pull_request:
types: [opened]

Contributor

TIL pull_request by default only triggers on opened, reopened and synchronize.

Comment on lines 14 to 19
github-token: ${{ secrets.GITHUB_TOKEN }}
merge-method: 'merge' No newline at end of file

Copilot AI Oct 20, 2025

The merge-method parameter is not supported by the ad/dependabot-auto-approve@v1 action, which only handles approval. This configuration will have no effect. If you want to control the merge method, use an action that actually performs merging or use the GitHub CLI with gh pr merge --merge.

Suggested change
github-token: ${{ secrets.GITHUB_TOKEN }}
merge-method: 'merge'
github-token: ${{ secrets.GITHUB_TOKEN }}

@Marenz Marenz force-pushed the add-dependabot-workflow branch 3 times, most recently from c82dbe6 to e40d708 Compare October 22, 2025 10:03
uses: ad/dependabot-auto-approve@v1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
merge-method: 'merge'
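
Review bot: `uses: ad/dependabot-auto-approve@v1` references a third-party action by a movable tag and hands it `secrets.GITHUB_TOKEN`. Because this workflow approves and merges PRs without a human in the loop, pin the action to a full commit SHA (keeping the version as a trailing comment) so that a retagged `v1` cannot change what runs with that token.
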
Contributor

Same as in other PRs, shouldn't this also have other parameters, like auto-merge?

Contributor Author

Yeah, something went wrong here. Fixed.

@Marenz Marenz force-pushed the add-dependabot-workflow branch from e40d708 to 242a2c0 Compare October 28, 2025 09:18
Signed-off-by: Mathias L. Baumann <[email protected]>
@Marenz Marenz force-pushed the add-dependabot-workflow branch from 242a2c0 to 649e619 Compare October 28, 2025 09:18
@Marenz Marenz requested a review from llucax October 28, 2025 09:18
@Marenz Marenz enabled auto-merge October 28, 2025 09:21
@Marenz Marenz added this pull request to the merge queue Oct 28, 2025
Merged via the queue into frequenz-floss:v1.x.x with commit ba6e162 Oct 28, 2025
5 checks passed
@Marenz Marenz deleted the add-dependabot-workflow branch October 28, 2025 10:05