Add Dependabot auto-merge workflow #203
Conversation
github-actions
bot
added
the
part:tooling
There was a problem hiding this comment.
Pull Request Overview
Adds a GitHub Actions workflow to automatically approve and merge Dependabot pull requests.
- Introduces a workflow triggered on pull_request events with a job gated to Dependabot actor.
- Uses an external action to auto-approve and merge using the merge method.
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| jobs: | ||
| auto-merge: | ||
| if: github.actor == 'dependabot[bot]' | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Auto-merge Dependabot PR | ||
| uses: ad/dependabot-auto-approve@v1 | ||
| with: | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| merge-method: 'merge' No newline at end of file |
There was a problem hiding this comment.
The workflow is missing a permissions block; by default GITHUB_TOKEN has read-only contents permission and cannot approve or merge PRs. Add explicit permissions (either at the workflow root or under the job) such as: permissions: contents: write pull-requests: write to enable the action to approve and merge Dependabot PRs.
Marenz
force-pushed
the
add-dependabot-workflow
branch
2 times, most recently
from
dd08a20 to
22d6ad2
Compare
| uses: ad/dependabot-auto-approve@v1 | ||
| with: | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| merge-method: 'merge' No newline at end of file |
There was a problem hiding this comment.
Nit: VSCode does it's thing of swallowing the trailing newline, which technically makes non POSIX compliant files.
But I guess that ship has passed.
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Auto-merge Dependabot PR | ||
| uses: ad/dependabot-auto-approve@v1 |
There was a problem hiding this comment.
This doesn't seem to be a github (the company) owned action.
Would it make sense to vendor this to prevent supply chain attacks? The underlying repo looks quite new (september 9th) and has exactly one developer (ad) who seems to have coded it in a single day.
I am not sure what our stance is here, but I'd argue for having less external dependencies, especially if they're this small.
There was a problem hiding this comment.
It's a fair point @llucax ^
Signed-off-by: Mathias L. Baumann <[email protected]>
Marenz
force-pushed
the
add-dependabot-workflow
branch
from
22d6ad2 to
be2b89c
Compare
2 participants
Summary
mergemethod for clean commit history