Skip to content

Add Dependabot auto-merge workflow#229

Merged
Marenz merged 2 commits intofrequenz-floss:v0.x.xfrom
Marenz:add-dependabot-workflow
Nov 3, 2025
Merged

Add Dependabot auto-merge workflow#229
Marenz merged 2 commits intofrequenz-floss:v0.x.xfrom
Marenz:add-dependabot-workflow

Conversation

@Marenz
Copy link
Contributor

@Marenz Marenz commented Oct 20, 2025

Summary

  • Add GitHub workflow to automatically approve and merge Dependabot PRs
  • Uses merge method for clean commit history

Copilot AI review requested due to automatic review settings October 20, 2025 13:28
@Marenz Marenz requested review from a team as code owners October 20, 2025 13:28
@github-actions github-actions bot added part:tooling Affects the development tooling (CI, deployment, dependency management, etc.) part:dispatcher labels Oct 20, 2025
Copilot AI reviewed Oct 20, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Adds a GitHub Actions workflow to automatically approve and merge Dependabot pull requests using a merge commit for clean history.

  • Introduces a new workflow file auto-dependabot.yaml.
  • Configures a job gated by actor check for dependabot[bot].
  • Uses a third-party action to auto-approve and merge PRs with merge-method set to merge.

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

.github/workflows/auto-dependabot.yaml Outdated
Comment on lines 6 to 15
Copy link

Copilot AI Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The workflow relies on GITHUB_TOKEN to approve and merge, but no explicit permissions block is set; GitHub defaults may be read-only and cause the action to fail. Add a top-level permissions section: permissions: contents: write, pull-requests: write to ensure the action can approve and merge.

Copilot uses AI. Check for mistakes.
.github/workflows/auto-dependabot.yaml Outdated
Comment on lines 11 to 15
Copy link

Copilot AI Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] This configuration will auto-merge every Dependabot PR regardless of update type (major/minor/patch), which can introduce breaking changes automatically. Consider adding logic (e.g., fetch metadata action + conditional) to restrict merges to patch/minor versions only.

Copilot uses AI. Check for mistakes.
.github/workflows/auto-dependabot.yaml

on:
pull_request:

Copy link

Copilot AI Oct 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] Triggering on all pull_request event types can create unnecessary workflow runs; specify types (e.g., types: [opened, synchronize, reopened]) to reduce redundant executions.

Suggested change
types: [opened, synchronize, reopened]

Copilot uses AI. Check for mistakes.
llucax
llucax previously approved these changes Oct 20, 2025
View reviewed changes
@Marenz Marenz force-pushed the add-dependabot-workflow branch from 7302d94 to 2798df9 Compare October 20, 2025 14:58
@Marenz Marenz force-pushed the add-dependabot-workflow branch from 2798df9 to e05eeda Compare October 20, 2025 15:17
llucax
llucax previously approved these changes Oct 21, 2025
View reviewed changes
Copy link
Contributor

@llucax llucax left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nitpick.

.github/workflows/auto-dependabot.yaml Outdated
Copy link
Contributor

@llucax llucax Oct 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing EOL.

@Marenz Marenz force-pushed the add-dependabot-workflow branch from e05eeda to 7b92c62 Compare October 22, 2025 10:01
@Marenz
Add Dependabot auto-merge workflow
209adc2 
Signed-off-by: Mathias L. Baumann <mathias.baumann@frequenz.com>
@Marenz Marenz force-pushed the add-dependabot-workflow branch from 7b92c62 to 209adc2 Compare October 28, 2025 15:46
@Marenz
Update Dependabot auto-merge workflow
ed47341 
Signed-off-by: Mathias L. Baumann <mathias.baumann@frequenz.com>
@Marenz Marenz merged commit fbd59b8 into frequenz-floss:v0.x.x Nov 3, 2025
6 checks passed
@Marenz Marenz deleted the add-dependabot-workflow branch November 3, 2025 09:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@llucax llucax llucax left review comments

@ela-kotulska-frequenz ela-kotulska-frequenz Awaiting requested review from ela-kotulska-frequenz ela-kotulska-frequenz is a code owner automatically assigned from frequenz-floss/api-dispatch-team

Assignees

No one assigned

Labels

part:dispatcher part:tooling Affects the development tooling (CI, deployment, dependency management, etc.)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Marenz @llucax

Comments