Skip to content

Add Dependabot Auto Manage workflow #230

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 22, 2025
Merged

Add Dependabot Auto Manage workflow #230

merged 1 commit into from
Oct 22, 2025

Conversation

@Marenz
Copy link
Contributor

@Marenz Marenz commented Oct 15, 2025

Summary

  • Add GitHub Actions workflow to automatically approve and merge Dependabot PRs
  • Uses ad/dependabot-auto-approve action with merge method
  • Applies to all dependency types and adds 'auto-merged' label

Copilot AI review requested due to automatic review settings October 15, 2025 09:32
@github-actions github-actions bot added the part:tooling Affects the development tooling (CI, deployment, dependency management, etc.) label Oct 15, 2025
Copilot AI reviewed Oct 15, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Adds a GitHub Actions workflow to automatically approve and merge Dependabot pull requests, streamlining dependency updates with minimal manual intervention.

  • Introduces automated approval and merging for all Dependabot PRs
  • Configures the workflow to trigger on pull request events with proper permissions
  • Sets up labeling for auto-merged PRs to maintain visibility

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

.github/workflows/auto-dependabot.yaml Outdated
@@ -0,0 +1,18 @@
name: Dependabot Auto Manage
on: pull_request
Copy link

Copilot AI Oct 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using 'pull_request' trigger allows external contributors to trigger this workflow. Consider using 'pull_request_target' with additional safety checks, or restrict to specific event types like 'opened' and 'synchronize'.

Suggested change
on: pull_request
on:
pull_request:
types: [opened, synchronize]

Copilot uses AI. Check for mistakes.
@Marenz
Copy link
Contributor Author

Marenz commented Oct 15, 2025

Seems the settings for allowed actions need to be updated to make this one work:

The action ad/dependabot-auto-approve@v1 is not allowed in frequenz-floss/frequenz-client-reporting-python because all actions must be from a repository owned by frequenz-floss, created by GitHub, verified in the GitHub Marketplace, or match one of the patterns: PyO3/maturin-action@, brettcannon/check-for-changed-files@, yoheimuta/action-protolint@*.

@Marenz Marenz force-pushed the add-dependabot-auto-merge branch 2 times, most recently from aac7b94 to 04c4e63 Compare October 15, 2025 09:48
@Marenz
Copy link
Contributor Author

Marenz commented Oct 20, 2025
edited
Loading

Someone with the appropriate permissions need to whitelist the used action ad/dependabot-auto-approve@v1 if you desire the feature of this PR.

@Marenz
Add Dependabot Auto Manage workflow
65c5744 
Signed-off-by: Mathias L. Baumann <[email protected]>
@Marenz Marenz force-pushed the add-dependabot-auto-merge branch from 04c4e63 to 65c5744 Compare October 22, 2025 10:05
@Marenz Marenz added this pull request to the merge queue Oct 22, 2025
Merged via the queue into frequenz-floss:v0.x.x with commit 88b963e Oct 22, 2025
5 checks passed
@Marenz Marenz deleted the add-dependabot-auto-merge branch October 22, 2025 12:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@cwasicki cwasicki cwasicki approved these changes

Assignees

No one assigned

Labels

part:tooling Affects the development tooling (CI, deployment, dependency management, etc.)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Marenz @cwasicki