Skip to content

Add Dependabot auto-merge workflow and migration script #466

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Marenz merged 3 commits into from
Nov 19, 2025
Merged

Add Dependabot auto-merge workflow and migration script #466

Marenz merged 3 commits into from
Nov 19, 2025

Conversation

@Marenz
Copy link
Contributor

@Marenz Marenz commented Nov 11, 2025
edited
Loading

Summary

  • Adds auto-merge workflow for Dependabot PRs using frequenz-floss/dependabot-auto-approve action
  • Includes migration script to create workflow file and disable CODEOWNERS review requirement via GitHub API
  • Splits changes into two commits: reset migration script to template, then add new migration steps

Changes

First commit: Reset cookiecutter/migrate.py to template, removing old migration steps

Second commit:

  • Add create_dependabot_auto_merge_workflow() function
  • Add disable_codeowners_review_requirement() function to update GitHub rulesets
  • Include workflow template in cookiecutter
  • Regenerate golden test files

@Marenz Marenz requested a review from a team as a code owner November 11, 2025 18:37
@github-actions github-actions bot added the part:template Affects the cookiecutter template files label Nov 11, 2025
@Marenz Marenz changed the title auto dependabot merge Add Dependabot auto-merge workflow and migration script Nov 11, 2025
Copilot AI reviewed Nov 11, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds Dependabot auto-merge functionality to streamline dependency updates. It creates a GitHub Actions workflow to automatically merge Dependabot PRs and updates the migration script to create this workflow and disable the CODEOWNERS review requirement for automated merges.

Key changes:

  • Added new auto-dependabot.yaml workflow for automatic Dependabot PR merging
  • Updated migration script to create the workflow and modify GitHub ruleset settings
  • Added/updated lockfile (uv.lock) with project dependencies

Reviewed Changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 5 comments.

File Description
uv.lock Added complete dependency lockfile with pinned versions
auto-dependabot.yaml (multiple) New GitHub Actions workflow for auto-merging Dependabot PRs
cookiecutter/migrate.py Refactored migration script to create auto-merge workflow and disable CODEOWNERS requirement

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Marenz Marenz force-pushed the auto-dependabot-merge branch from 7000fbf to 3759886 Compare November 11, 2025 18:41
@Marenz Marenz requested a review from llucax November 11, 2025 18:41
@Marenz Marenz force-pushed the auto-dependabot-merge branch from 3759886 to 12291ef Compare November 12, 2025 15:23
@Marenz
Copy link
Contributor Author

Marenz commented Nov 18, 2025
edited
Loading

While testing in the FCR Repo I found it still didn't work and added the fix you see here, after which it finally worked

@Marenz Marenz force-pushed the auto-dependabot-merge branch from 6f887e0 to c3d5f4d Compare November 18, 2025 09:08
@Marenz
Copy link
Contributor Author

Marenz commented Nov 18, 2025
edited
Loading

Adds auto-merge: 'true' to the Dependabot workflow template.

Migration script fixes:

  • Was skipping existing files instead of updating them
  • Was matching job name auto-merge: instead of parameter auto-merge: 'true'
  • Only checked auto-dependabot.yaml, now searches all workflow files

The script writes the updated workflow file directly - users still need to review, commit with DCO+GPG, and create a PR.

@Marenz Marenz force-pushed the auto-dependabot-merge branch 2 times, most recently from ef2b370 to b9b8def Compare November 18, 2025 09:22
@Marenz
Reset migration script to template
0dcf7c2 
Signed-off-by: Mathias L. Baumann <[email protected]>
llucax
llucax reviewed Nov 18, 2025
View reviewed changes
@Marenz Marenz force-pushed the auto-dependabot-merge branch from b9b8def to 94439fc Compare November 18, 2025 13:34
@github-actions github-actions bot added the part:ci Affects the GitHub workflow and other parts for running CI label Nov 18, 2025
@Marenz
Copy link
Contributor Author

Marenz commented Nov 18, 2025

Updated the branch with some refactoring and cleanup:

  • Refactored the migration script by extracting helper functions (get_default_branch(), find_version_branch_ruleset(), update_ruleset()) for better code organization and error handling
  • Improved error messages with proper manual_step() calls that provide direct GitHub settings URLs when API operations fail
  • Standardized the Dependabot workflow formatting across all templates and golden test files (consistent naming, label changed to tool:auto-merged, YAML formatting)
  • Fixed the release notes - they were accidentally removed in the previous iteration, now properly documenting the new auto-merge feature
  • Removed uv.lock that shouldn't have been committed

llucax
llucax previously approved these changes Nov 19, 2025
View reviewed changes
Copy link
Contributor

@llucax llucax left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 small comments, feel free to force-merge if you want to fix them.

cookiecutter/{{cookiecutter.github_repo_name}}/.github/workflows/auto-dependabot.yaml Outdated
- name: Auto-merge Dependabot PR
uses: frequenz-floss/dependabot-auto-approve@3cad5f42e79296505473325ac6636be897c8b8a1 # v1.3.2
with:
github-token: {% raw %}${{ secrets.GITHUB_TOKEN }}{% endraw %}
Copy link
Contributor

@llucax llucax Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nitpick: To avoid any other issues with template interpretation, other workflows actually just wrap the whole file between {% raw %} and {% endraw %}, maybe it would be better to do it in this file too, as it would be rare that we want to use any other template features in it.

cookiecutter/migrate.py Outdated
Comment on lines 167 to 168
except subprocess.CalledProcessError:
return False
Copy link
Contributor

@llucax llucax Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nitpick: Print the exception for more context of why it failed?

@llucax llucax added this to the v0.14.0 milestone Nov 19, 2025
This was linked to issues Nov 19, 2025
Auto-merge dependabot updates passing tests #287
Closed
Add auto-dependabot.yaml workflow to repo-config and migrate script #465
Closed
@Marenz
Add Dependabot auto-merge workflow and CODEOWNERS bypass
83bec3e 
- Add auto-dependabot.yaml workflow to auto-merge Dependabot PRs
- Implement migration script functions to create workflow files
- Add GitHub API integration to disable CODEOWNERS review requirement
- Update all cookiecutter templates and golden test files

Signed-off-by: Mathias L. Baumann <[email protected]>
@Marenz
Add release notes for Dependabot auto-merge feature
688abed 
Signed-off-by: Mathias L. Baumann <[email protected]>
@Marenz Marenz force-pushed the auto-dependabot-merge branch from 1693937 to 688abed Compare November 19, 2025 10:56
@Marenz Marenz merged commit 4b1aa9a into frequenz-floss:v0.x.x Nov 19, 2025
6 checks passed
@Marenz Marenz deleted the auto-dependabot-merge branch November 19, 2025 11:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@llucax llucax llucax left review comments

@daniel-zullo-frequenz daniel-zullo-frequenz Awaiting requested review from daniel-zullo-frequenz daniel-zullo-frequenz is a code owner automatically assigned from frequenz-floss/python-sdk-team

Assignees

No one assigned

Labels

part:ci Affects the GitHub workflow and other parts for running CI part:template Affects the cookiecutter template files

Projects

None yet

Milestone

v0.14.0

Development

Successfully merging this pull request may close these issues.

Add auto-dependabot.yaml workflow to repo-config and migrate script Auto-merge dependabot updates passing tests

2 participants

@Marenz @llucax