@Marenz Marenz commented Nov 3, 2025

Adds automatic approval and merging of Dependabot PRs using the frequenz-floss/[email protected] action.

Signed-off-by: Mathias L. Baumann <[email protected]>
Copilot AI review requested due to automatic review settings November 3, 2025 09:25
@Marenz Marenz requested a review from a team as a code owner November 3, 2025 09:25
@Marenz Marenz requested a review from shsms November 3, 2025 09:25
@Marenz Marenz enabled auto-merge November 3, 2025 09:26
@github-actions github-actions bot added the part:tooling Affects the development tooling (CI, deployment, dependency management, etc.) label Nov 3, 2025

Copilot AI left a comment

Pull Request Overview

This PR adds a GitHub Actions workflow to automatically approve and merge Dependabot pull requests. The workflow is triggered on pull requests created by the Dependabot bot and uses a third-party action to handle the auto-approval and merging process.

  • Introduces automated Dependabot PR handling
  • Configures merge method as "merge" (non-squash)
  • Uses frequenz-floss/[email protected] action

Comment on lines +10 to +11
steps:
- name: Auto-approve and merge Dependabot PRs

Copilot AI Nov 3, 2025

Using secrets.GITHUB_TOKEN with auto-merge for Dependabot PRs bypasses code review and CI checks. Consider adding conditions to verify that CI checks have passed before auto-merging, or restrict auto-merge to patch/minor updates only to reduce risk of breaking changes being merged automatically.

Suggested change
steps:
- name: Auto-approve and merge Dependabot PRs
steps:
- name: Wait for required status checks
uses: actions/github-script@v6
id: check-status
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const pr = await github.rest.pulls.get({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number,
});
const sha = pr.data.head.sha;
const checks = await github.rest.checks.listForRef({
owner: context.repo.owner,
repo: context.repo.repo,
ref: sha,
});
const failed = checks.data.check_runs.filter(
c => c.status === "completed" && c.conclusion !== "success"
);
if (failed.length > 0) {
core.setFailed("Some required status checks have not passed.");
}
- name: Auto-approve and merge Dependabot PRs
if: steps.check-status.outcome == 'success'
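
Review bot: the filter in the suggested check-status script, `c.status === "completed" && c.conclusion !== "success"`, only counts check runs that have already finished, so runs that are still queued or in progress never fail the gate even though the step is named "Wait for required status checks". Either poll until every other run on the head SHA is completed, or fail closed when any run other than this workflow's own (which is always in progress at that point) is not yet completed. The same filter treats `skipped` and `neutral` conclusions as failures, and `checks.listForRef` is called without pagination and returns every check run on the ref, not only the required ones, so the result can both block on optional checks and miss runs beyond the first page. The `if: steps.check-status.outcome == 'success'` on the last step is redundant: a step that calls `core.setFailed` fails the job, and later steps are skipped by default.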

name: Auto-approve Dependabot PRs

on:
pull_request:

Copilot AI Nov 3, 2025

The workflow triggers on all pull_request events but only processes Dependabot PRs. Consider using pull_request_target event with type filters like [opened, synchronize, reopened] to better control when this workflow runs, or add types to the pull_request trigger to avoid unnecessary workflow executions.

Suggested change
pull_request:
pull_request:
types: [opened, synchronize, reopened]
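
Review bot: the added `types: [opened, synchronize, reopened]` line under `pull_request:` spells out the activity types that trigger already uses when `types` is omitted, so it does not reduce how often the workflow runs. Drop the line, or keep it only as explicit documentation of the defaults; cutting runs for non-Dependabot PRs needs a job-level `if:` on the PR author, which this hunk does not add.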

@Marenz Marenz added this pull request to the merge queue Nov 3, 2025
Merged via the queue into frequenz-floss:v0.x.x with commit d806213 Nov 3, 2025
12 checks passed
@Marenz Marenz deleted the add-dependabot-workflow branch November 3, 2025 09:50