Add Dependabot auto-merge workflow #236
Signed-off-by: Mathias L. Baumann <mathias.baumann@frequenz.com>
old PR aimed at v0.x.x
Pull Request Overview
This PR adds a new GitHub Actions workflow to automatically manage Dependabot pull requests. The workflow automatically approves and merges all Dependabot PRs using the frequenz-floss/dependabot-auto-approve action.
- Adds auto-approval and auto-merge functionality for all Dependabot PRs
- Configures the workflow to use merge commits and add an 'auto-merged' label
- Grants necessary permissions for contents and pull requests
| @@ -0,0 +1,18 @@ | |||
| name: Dependabot Auto Manage | |||
| on: pull_request | |||
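Review bot: The `on: pull_request` trigger on the last line of this hunk fires for pull requests from any author, and nothing in these lines restricts the run to Dependabot. Unless the action itself checks the PR author, add a job-level condition such as `if: github.event.pull_request.user.login == 'dependabot[bot]'` so the approve-and-merge job is skipped for every other pull request.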
The workflow triggers on all pull_request events without restricting to specific activity types. This means it will run on opened, synchronize, reopened, and other PR events, potentially causing multiple approval/merge attempts. Consider specifying activity types like 'on: pull_request: types: [opened, synchronize]' to prevent unnecessary runs.
| on: pull_request | |
| on: | |
| pull_request: | |
| types: [opened, synchronize] |
| steps: | ||
| - uses: frequenz-floss/dependabot-auto-approve@v1.3.0 | ||
| with: | ||
| dependency-type: 'all' |
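Review bot: `frequenz-floss/dependabot-auto-approve@v1.3.0` on the `uses:` line is referenced by a tag, which can be moved to different code after this workflow is merged. Since this step approves and merges pull requests, pin `uses:` to the full commit SHA of the v1.3.0 release and keep the version in a trailing comment so Dependabot can still propose updates to it.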
Auto-merging all dependency types including major updates could introduce breaking changes without review. Consider setting dependency-type to 'production:semver-patch' or 'production:semver-minor' to limit auto-merge to safer updates, consistent with the grouped update strategy in .github/dependabot.yml which treats major updates separately.
| dependency-type: 'all' | |
| dependency-type: 'production:semver-patch' |
Needs to be in v1.x.x