ci: add Dependabot grouping and auto-merge for patch/minor #40
Conversation
- Group all npm patch/minor updates into a single weekly PR
- Group all GitHub Actions updates into a single weekly PR
- Major version bumps remain as individual PRs for manual review
- Wire up shared auto-merge workflow from benhigham/.github
Pull request overview
Adds Dependabot update batching and introduces an automated merge workflow to reduce maintenance overhead from dependency update PRs.
Changes:
- Groups npm patch/minor Dependabot updates into a single weekly PR.
- Groups GitHub Actions updates into a single weekly PR.
- Adds a workflow that calls a shared reusable workflow to auto-approve/merge eligible Dependabot PRs.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/dependabot.yml | Adds grouping configuration for npm and GitHub Actions Dependabot updates. |
| .github/workflows/dependabot-auto-merge.yml | Introduces a reusable-workflow-based auto-merge job for Dependabot PRs. |
| pull_request: | ||
|
|
||
| jobs: | ||
| auto-merge: |
This workflow doesn’t declare required permissions. By default the GITHUB_TOKEN is read-only in many org/repo setups, so approving/merging may fail. Add explicit minimal permissions (typically pull-requests: write and contents: write) either at the workflow or job level to ensure the reusable workflow can operate.
| auto-merge: | |
| auto-merge: | |
| permissions: | |
| contents: write | |
| pull-requests: write |
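Review bot: since the `auto-merge` job calls a reusable workflow with `uses:`, the `permissions` block belongs at the job level as suggested here, because a called workflow can use at most the permissions the caller job grants it; pairing this job-level block with a top-level `permissions: {}` keeps any other job added to this file at no token access by default. Both `contents: write` and `pull-requests: write` are needed: approval is a pull-request review, while enabling auto-merge or merging writes to the default branch.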
| groups: | ||
| github-actions: | ||
| patterns: | ||
| - '*' |
github-actions grouping uses patterns: ['*'] without restricting update-types, which will also group major updates. That conflicts with the PR description (“Major bumps stay as individual PRs”). Add update-types: ['minor','patch'] (or otherwise exclude majors) so major GitHub Actions updates remain separate for manual review.
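As an added illustration of the point above (not a file from this PR or from benhigham/.github): a `dependabot.yml` that groups only minor and patch updates for both ecosystems, so that major bumps fall outside the group and arrive as individual PRs. The group names, the `/` directory and the weekly interval are assumptions.

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"            # assumed: manifest at repository root
    schedule:
      interval: "weekly"
    groups:
      npm-minor-patch:        # assumed group name
        patterns:
          - "*"
        # Without update-types, "*" would also pull major bumps into the group.
        update-types:
          - "minor"
          - "patch"

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:         # group name as shown in the diff above
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
```

Dependabot raises one PR per group per schedule run; any update whose semver level is not listed in `update-types` is not part of the group and gets its own PR, which is what keeps majors on the manual-review path.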
| pull_request: | ||
|
|
||
| jobs: | ||
| auto-merge: |
The workflow triggers on every pull_request and does not restrict execution to Dependabot PRs. If the called reusable workflow doesn’t hard-guard internally, this could approve/merge non-Dependabot PRs. Add an explicit condition (e.g., if: github.actor == 'dependabot[bot]' / github.event.pull_request.user.login == 'dependabot[bot]') and consider limiting the trigger types to reduce unintended runs.
| pull_request: | |
| jobs: | |
| auto-merge: | |
| pull_request: | |
| types: [opened, reopened, synchronize] | |
| jobs: | |
| auto-merge: | |
| if: github.event.pull_request.user.login == 'dependabot[bot]' |
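Review bot: the suggested guard keys on `github.event.pull_request.user.login`, which stays `dependabot[bot]` for a `synchronize` event caused by a later push to the Dependabot branch, including a push by a human collaborator, so with `synchronize` kept in `types` the job would auto-approve commits Dependabot did not author. Either drop `synchronize` (keeping `types: [opened, reopened]`) or additionally require `github.actor == 'dependabot[bot]'`, which identifies who triggered the run rather than who opened the PR.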
- dependabot.yml: add patterns + update-types to both groups (majors stay individual)
- workflow: add permissions block (contents: write, pull-requests: write)
- workflow: add if: github.actor == 'dependabot[bot]' guard
- workflow: add concurrency block to prevent racing
- workflow: pin reusable workflow to commit SHA instead of @main
- workflow: remove secrets: inherit (GITHUB_TOKEN is implicit)

…ew fixes

Sync changes reviewed and approved in benhigham/prettier-config#40:
- Narrow pull_request trigger to [opened, reopened] only
- Move permissions to job level; set top-level permissions: {}
- Set cancel-in-progress: false (don't cancel in-flight merges)
- Add comment linking to upstream reusable workflow for debugging

Ref: benhigham/prettier-config#40
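Pulling the fixes listed in the two commit messages above into one caller workflow, as an added example that is not the PR's own file: narrowed trigger, empty top-level permissions with a job-level grant, actor guard, non-cancelling concurrency, and a SHA-pinned reusable workflow call with no `secrets: inherit`. The reusable workflow's path inside benhigham/.github is an assumption and `<commit-sha>` is a placeholder to be replaced with the pinned commit.

```yaml
name: Dependabot auto-merge

on:
  pull_request:
    # opened/reopened only: a later push (synchronize) to the branch does not re-run approval
    types: [opened, reopened]

# No token permissions by default; the job below grants exactly what it needs.
permissions: {}

concurrency:
  # One run per PR; never cancel a merge that is already in flight.
  group: dependabot-auto-merge-${{ github.event.pull_request.number }}
  cancel-in-progress: false

jobs:
  auto-merge:
    # Only runs triggered by Dependabot itself reach the approve/merge step.
    if: github.actor == 'dependabot[bot]'
    permissions:
      contents: write        # enable auto-merge / merge into the default branch
      pull-requests: write   # submit the approving review
    # Reusable workflow in benhigham/.github (path assumed); pinned to a full commit SHA
    # rather than @main so the caller cannot be changed out from under this repo.
    # Replace <commit-sha> with the pinned commit.
    uses: benhigham/.github/.github/workflows/auto-merge-dependabot.yml@<commit-sha>
    # No `secrets: inherit`: the called workflow only needs GITHUB_TOKEN, which is passed implicitly.
```

The job-level `permissions` is the ceiling for the called workflow, so anything the reusable workflow asks for beyond `contents` and `pull-requests` is denied at the caller.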
Summary
Groups weekly Dependabot PRs and enables auto-merge for patch/minor updates.
Changes
- .github/dependabot.yml
- .github/workflows/dependabot-auto-merge.yml (new)
- auto-merge-dependabot workflow from benhigham/.github
Result
Weekly maintenance drops from many small PRs to at most 2 (npm batch + actions batch), both auto-merging on schedule.
Raised by Kael