
Contributor

@Marenz Marenz commented Oct 30, 2025

Uses our own fork.

@Marenz Marenz requested a review from a team as a code owner October 30, 2025 12:22
@Marenz Marenz requested review from Copilot and llucax October 30, 2025 12:22
@github-actions github-actions bot added part:tooling Affects the development tooling (CI, deployment, dependency management, etc.) part:dispatcher Affects the high-level dispatcher interface labels Oct 30, 2025

Copilot AI left a comment


Pull Request Overview

This PR introduces an automated workflow for managing Dependabot pull requests. The workflow automatically approves, merges, and labels Dependabot PRs to streamline dependency updates.

Key changes:

  • Adds a GitHub Actions workflow that triggers on all pull requests
  • Configures automatic approval and merging for all Dependabot dependency updates
  • Sets up appropriate permissions for the workflow to modify content and pull requests


    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: frequenz-floss/dependabot-auto-approve@v1

Copilot AI Oct 30, 2025


Using a floating version tag (@v1) for a GitHub Action poses security risks. Pin to a specific commit SHA to ensure the workflow uses a known, immutable version. This prevents potential supply chain attacks if the action's v1 tag is moved to malicious code.

Suggested change
- uses: frequenz-floss/dependabot-auto-approve@v1
- uses: frequenz-floss/dependabot-auto-approve@c2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2

Contributor Author


The source repo is under our control, so this adds convenience in staying major-version up-to-date.


I agree, no sense pinning it down further unless we see actual issues from now on.
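As an added example (not code from this PR or the frequenz-floss repository), a small audit that lists every `uses:` reference in a workflow that is not pinned to a full 40-hex commit SHA, so the floating-tag trade-off discussed above can be reviewed per action rather than assumed. The sample workflow, the action names other than the one in this PR, and the SHA in it are constructed.

```python
"""Report GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example, not the project's own code. Local actions (./path) and
docker:// images carry no Git ref to pin and are skipped.
"""
import re

_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full Git commit SHA
_USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")


def classify_ref(ref: str) -> str:
    """'sha' for a full commit SHA, 'missing' for no ref, else 'floating'."""
    if ref == "":
        return "missing"
    if _SHA_RE.fullmatch(ref):
        return "sha"
    return "floating"  # tag (e.g. v1) or branch name: movable by the owner


def audit_workflow(yaml_text: str) -> list:
    """Return one finding dict per `uses:` line that is not SHA-pinned."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        m = _USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, _, ref = spec.partition("@")
        status = classify_ref(ref)
        if status != "sha":
            findings.append({"line": lineno, "action": action,
                             "ref": ref or None, "status": status})
    return findings


# Constructed sample modelled on the workflow in this PR; SHA is made up.
SAMPLE_WORKFLOW = """\
name: Dependabot auto-approve
on: pull_request
jobs:
  auto:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567
      - uses: frequenz-floss/dependabot-auto-approve@v1
      - uses: example-org/unversioned-action
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} is {f['status']}")
```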

@Marenz Marenz merged commit 9c4c76b into frequenz-floss:v1.x.x Oct 30, 2025
12 checks passed
@Marenz Marenz deleted the autoup branch October 30, 2025 16:30