Conversation

@Marenz Marenz commented Nov 3, 2025

Use commit hash instead of version tag for better security and reproducibility.

Signed-off-by: Mathias L. Baumann <[email protected]>
@Marenz Marenz requested a review from a team as a code owner November 3, 2025 10:35
@github-actions github-actions bot added the part:tooling Affects the development tooling (CI, deployment, dependency management, etc.) label Nov 3, 2025
Copilot AI left a comment

Pull Request Overview

This PR introduces an automated workflow for managing Dependabot pull requests. The workflow will automatically approve and merge all Dependabot PRs without running any tests or checks.

  • Adds auto-approval and auto-merge functionality for all Dependabot updates
  • Uses the frequenz-floss/dependabot-auto-approve action with SHA pinning
  • Configures merge method as "merge" and adds an "auto-merged" label

Comment on lines +15 to +16
dependency-type: 'all'
auto-merge: 'true'
Copilot AI Nov 3, 2025

Auto-merging all Dependabot PRs without requiring CI checks to pass is risky. The workflow should include a check to ensure CI tests have passed before merging. Consider adding a needs dependency on CI jobs or configuring branch protection rules to require status checks.

with:
dependency-type: 'all'
auto-merge: 'true'
merge-method: 'merge'
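Review bot: `dependency-type: 'all'` combined with `auto-merge: 'true'` means every Dependabot update, major version bumps included, is approved and merged with no human in the loop and, per the overview above, without any test gate in this workflow. Consider whether the action supports scoping to a narrower dependency type, and pair this configuration with branch protection that requires status checks, so that the auto-merge cannot complete before CI has passed on the Dependabot branch.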
Copilot AI Nov 3, 2025

[nitpick] The merge method 'merge' creates merge commits, which differs from the typical squash merge pattern often used for dependency updates. Consider using 'squash' to maintain a cleaner git history, or ensure this aligns with the project's merge strategy for Dependabot PRs.

Suggested change
merge-method: 'merge'
merge-method: 'squash'

@@ -0,0 +1,18 @@
name: Dependabot Auto Manage
on: pull_request
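Review bot: the visible top of the new file declares `name:` and `on: pull_request` but no `permissions:` block. Since the job approves and merges pull requests it needs write access to contents and pull requests, and that scope should be declared explicitly at the workflow level (least privilege) rather than inherited from the repository's default token settings. Also confirm that the `uses:` line further down pins the action to a full commit SHA with the corresponding tag in a trailing comment, since that pinning is the stated purpose of this PR.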
Copilot AI Nov 3, 2025

Using the 'pull_request' trigger without specifying types means this workflow runs on every PR action (opened, synchronized, reopened, etc.), potentially triggering multiple auto-merge attempts. Consider specifying the trigger type as 'on: pull_request: types: [opened]' or ensuring the action is idempotent for repeated runs.

Suggested change
on: pull_request
on:
pull_request:
types: [opened]

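To show how the points raised in this review fit together (SHA pinning from the PR description, restricted trigger types, and an explicit token scope), here is an added illustration of a least-privilege version of the workflow. It is not the project's own file: the commit SHA is a placeholder that must be replaced with the real SHA of the release tag, and the `permissions:` block and the `if:` guard on the Dependabot actor are assumptions about how a hardened workflow could look, not settings taken from the project. The `with:` inputs are the ones visible in the diff above.

```yaml
# Added illustration, not the project's workflow file.
# Assumptions: the placeholder SHA below, the permissions block and the
# actor guard are not taken from the project.
name: Dependabot Auto Manage

on:
  pull_request:
    # Run only on events that require a fresh approve/merge decision,
    # instead of on every pull request activity.
    types: [opened, synchronize, reopened]

# Declare the token scope explicitly rather than inheriting the
# repository's default GITHUB_TOKEN permissions.
permissions:
  contents: write
  pull-requests: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Only act on pull requests actually opened by Dependabot.
    if: github.actor == 'dependabot[bot]'
    steps:
      # Pin to the full commit SHA of the release; the tag goes in the
      # trailing comment so humans (and Dependabot) can still read it.
      # PLACEHOLDER: replace the zeros with the real SHA of tag vX.Y.Z.
      - uses: frequenz-floss/dependabot-auto-approve@0000000000000000000000000000000000000000 # vX.Y.Z
        with:
          dependency-type: 'all'
          auto-merge: 'true'
          merge-method: 'merge'
```

Restricting the trigger types and guarding on the actor limit when the job runs and with what token; the CI gate itself is still best enforced through branch protection rules that require status checks, as the first review comment suggests, because this workflow contains no test jobs a `needs:` dependency could wait on.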
Use commit hash instead of version tag for better security and
reproducibility.

Signed-off-by: Mathias L. Baumann <[email protected]>
@Marenz Marenz force-pushed the update-dependabot-action branch from 911b53b to cf2cbc0 Compare November 4, 2025 12:47