Migrate to frequenz-floss dependabot-auto-approve action #207
base: v0.x.x
Conversation
Pull Request Overview
This PR adds a GitHub Actions workflow to automatically merge pull requests created by Dependabot. The workflow triggers on all pull requests, checks if the actor is Dependabot, and uses a third-party action to auto-approve and merge the PR with the 'merge' method.
- Introduces automated Dependabot PR approval and merging
- Uses the frequenz-floss/dependabot-auto-approve action with commit hash pinning
- Grants necessary write permissions for contents and pull requests
| - name: Auto-merge Dependabot PR | ||
| uses: frequenz-floss/dependabot-auto-approve@005e52004f5d5c6af2f81b89ec25e5cf6f3dfd77 # v1.3.0 | ||
| with: | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| merge-method: 'merge' |
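Review bot: this step approves and merges with `secrets.GITHUB_TOKEN` on a `pull_request` event, and Dependabot-triggered `pull_request` runs receive a read-only GITHUB_TOKEN unless the job declares a `permissions:` block, so the `contents: write` and `pull-requests: write` grants described in the overview must sit on this same job, together with the Dependabot actor condition (for example `if: github.actor == 'dependabot[bot]'`) so that no other PR author can reach this step. Two caveats are worth recording in the workflow itself: a merge performed with GITHUB_TOKEN does not trigger other workflows, so push-triggered jobs on the base branch will not run for these merges; and auto-merging removes the human review for every dependency bump the action matches, so branch protection with required status checks is what stands between a new upstream release and `v0.x.x`, and the action should be confirmed to honour those checks rather than merging immediately.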
Copilot
AI
Nov 3, 2025
The action name 'dependabot-auto-approve' suggests it only approves PRs, but the workflow is configured to auto-merge them. Consider verifying this action performs both approval and merging as intended, or use GitHub's native auto-merge feature with 'gh pr merge --auto' in a run step instead for more explicit control.
| - name: Auto-merge Dependabot PR | |
| uses: frequenz-floss/dependabot-auto-approve@005e52004f5d5c6af2f81b89ec25e5cf6f3dfd77 # v1.3.0 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| merge-method: 'merge' | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up GitHub CLI | |
| uses: actions/setup-gh@v4 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Approve PR | |
| run: gh pr review ${{ github.event.pull_request.number }} --approve | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Auto-merge PR | |
| run: gh pr merge ${{ github.event.pull_request.number }} --auto --merge | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
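Review bot: `actions/setup-gh@v4` in this suggestion is not an action I can confirm exists, and the `gh` CLI is already preinstalled on GitHub-hosted runners, so the `Set up GitHub CLI` step and its `github-token` input can be dropped. The suggestion also references `actions/checkout@v4` by floating tag, which goes against the commit-hash pinning this PR deliberately adopts for the other action; pin it to a full SHA with the version in a trailing comment, as done for `frequenz-floss/dependabot-auto-approve`. Note too that `gh pr merge --auto` only succeeds when "Allow auto-merge" is enabled in the repository settings, so that prerequisite should be stated in the workflow or the PR description.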
| name: Auto-merge Dependabot PRs | ||
|
|
||
| on: | ||
| pull_request: |
Copilot
AI
Nov 3, 2025
[nitpick] The workflow triggers on all pull_request events without activity type filtering. Consider adding 'types: [opened, reopened, synchronize]' to avoid unnecessary workflow runs on events like 'labeled' or 'assigned'.
| pull_request: | |
| pull_request: | |
| types: [opened, reopened, synchronize] |
| uses: frequenz-floss/dependabot-auto-approve@005e52004f5d5c6af2f81b89ec25e5cf6f3dfd77 # v1.3.0 | ||
| with: | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
| merge-method: 'merge' |
Copilot
AI
Nov 3, 2025
[nitpick] Using 'merge' creates merge commits for every Dependabot update, which can clutter the git history. Consider using 'squash' or 'rebase' to maintain a cleaner commit history, especially for dependency updates.
| merge-method: 'merge' | |
| merge-method: 'squash' |
The merge-base changed after approval.
Use commit hash instead of version tag for better security and reproducibility. Signed-off-by: Mathias L. Baumann <[email protected]>
ab80a56 to
556f2fe