
fix: resolve dependabot auto-merge workflow issues #885

Open
MitaliBhalla wants to merge 1 commit into openshift:main from MitaliBhalla:fix-dependabot-workflow-2026

Conversation

@MitaliBhalla
Contributor

fix: resolve dependabot auto-merge workflow issues

  • Remove invalid 'metadata: read' permission that causes GitHub Actions validation error
  • Fix auto-merge API endpoint to use correct format with auto_merge parameter
  • Improve label checking logic to be more permissive for Dependabot PRs
  • Replace gh CLI commands with curl for better compatibility and consistency
  • Ensure workflow only runs on upstream repository to prevent fork failures

Fixes auto-merge functionality for Dependabot PRs and resolves workflow validation errors.

What type of PR is this?

  • fix (Bug Fix)
  • feat (New Feature)
  • docs (Documentation)
  • test (Test Coverage)
  • chore (Clean Up / Maintenance Tasks)
  • other (Anything that doesn't fit the above)

What this PR does / Why we need it?

This PR fixes critical issues in the Dependabot auto-merge workflow that were preventing automatic merging of dependency updates:

  1. Resolves GitHub Actions validation error - Removes the invalid metadata: read permission that was causing workflow validation failures
  2. Fixes auto-merge API usage - Corrects the GitHub API endpoint to use the proper auto-merge format instead of immediate merge
  3. Improves dependency detection - Makes label checking more permissive to handle various Dependabot PR label configurations
  4. Ensures compatibility - Replaces gh CLI commands with curl for better runner compatibility
  5. Prevents fork failures - Workflow is already configured to only run on the upstream repository

These fixes will enable automatic merging of patch and minor version dependency updates while requiring manual review for major version updates.

Which Jira/Github issue(s) does this PR fix?

  • Fixes Dependabot auto-merge workflow validation and functionality issues

Special notes for your reviewer

  • The workflow now uses the correct GitHub API endpoint for enabling auto-merge (/pulls/{pull_number} with auto_merge parameter)
  • Label checking is more flexible - accepts area/dependency, dependencies, or any PR from dependabot[bot]
  • All API calls use curl for consistency and better error handling
  • The workflow will only execute on the upstream repository, preventing unnecessary runs on forks

Unit Test Coverage

Test coverage checks

  • Added unit tests
  • Created jira card to add unit test
  • This PR may not need unit tests

This PR modifies GitHub Actions workflow configuration only - no application code changes that would require unit tests.

Pre-checks (if applicable)

  • Ran unit tests locally
  • Validated the changes in a cluster
  • Included documentation changes with PR
  • Backward compatible

Workflow changes are backward compatible and will improve existing Dependabot PR handling.

/label tide/merge-method-squash

- Remove invalid 'metadata: read' permission that causes GitHub Actions validation error
- Fix auto-merge API endpoint to use correct format with auto_merge parameter
- Improve label checking logic to be more permissive for Dependabot PRs
- Replace gh CLI commands with curl for better compatibility and consistency
- Ensure workflow only runs on upstream repository to prevent fork failures

Fixes auto-merge functionality for Dependabot PRs and resolves workflow validation errors.
@openshift-ci openshift-ci bot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Jan 28, 2026
@openshift-ci openshift-ci bot requested review from a7vicky and bmeng January 28, 2026 13:40
@openshift-ci
Contributor

openshift-ci bot commented Jan 28, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: MitaliBhalla

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 28, 2026
@openshift-ci
Contributor

openshift-ci bot commented Jan 28, 2026

@MitaliBhalla: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 52.91%. Comparing base (21b161e) to head (6cd8031).


@@           Coverage Diff           @@
##             main     #885   +/-   ##
=======================================
  Coverage   52.91%   52.91%           
=======================================
  Files          86       86           
  Lines        6525     6525           
=======================================
  Hits         3453     3453           
  Misses       2610     2610           
  Partials      462      462           

-H "Authorization: Bearer $GH_TOKEN" \
"https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/merge" \
-d '{"merge_method":"merge"}')
"https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}" \
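Review bot: the new request on the last line above keeps the PUT but targets `/pulls/{number}` with an `auto_merge` body, and that REST resource exposes `auto_merge` read-only, so the call cannot enable auto-merge and the step will always take its failure branch. The old `.../merge` request with `{"merge_method":"merge"}` merged immediately and with a merge commit, which also disagrees with the `tide/merge-method-squash` label on this PR. Enabling auto-merge needs the GraphQL `enablePullRequestAutoMerge` mutation, given the PR's `node_id` and `mergeMethod: SQUASH`, or `gh pr merge --auto --squash`; either one is rejected unless "Allow auto-merge" is on in the repository settings and `main` has a branch protection rule with required checks, so the failure path should stay and report that condition rather than a generic permissions message.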
Contributor

Have you ever successfully used auto-merge for a PR before, but found it unstable or not working in certain scenarios?

Can see you use the GitHub REST API, I'm not sure whether auto-merge is actually supported. I found this discussion (https://github.com/orgs/community/discussions/24719), and a recent reply in 2025 suggests it's still unavailable?

-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer $GH_TOKEN" \
"https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
-d '{"body":"🚨 **Major Version Update Detected** 🚨\n\nThis PR contains a major version update that requires manual review:\n- **Dependency:** ${{ steps.metadata.outputs.dependency-names }}\n- **Previous version:** ${{ steps.metadata.outputs.previous-version }}\n- **New version:** ${{ steps.metadata.outputs.new-version }}\n\nPlease review the changelog and breaking changes before merging.\n\nAuto-merge has been **disabled** for this PR."}'
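Review bot: the `-d` body above splices `${{ steps.metadata.outputs.dependency-names }}`, `previous-version` and `new-version` directly into a single-quoted shell string. A `"` or `\` in any value produces invalid JSON, and a `'` ends the shell quoting and hands the rest of the value to bash; this is the `${{ }}`-inside-`run:` script-injection pattern GitHub's Actions hardening guide warns about, even if Dependabot-generated values make it unlikely here. Pass the three outputs through the step's `env:` and build the body with `jq -n --arg` (or use `gh pr comment --body "$BODY"`), and add `--fail` or check the status code, since with `-s` alone a rejected payload passes silently.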
Contributor

If dependency name contains " or special characters, it can break JSON structure, may be better to use jq for better handle any JSON Escaping.

@xiaoyu74 xiaoyu74 self-assigned this Jan 29, 2026
@xiaoyu74
Contributor

@coderabbitai review

@coderabbitai

coderabbitai bot commented Feb 17, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai bot commented Feb 17, 2026

Walkthrough

GitHub Actions workflow for dependabot auto-merge was updated to remove a permission declaration, expand label-based acceptance criteria for auto-merge, switch from the gh CLI tool to direct curl API calls for posting PR comments, and modify the auto-merge implementation method.

Changes

Cohort / File(s) Summary
GitHub Actions Workflow Configuration
.github/workflows/dependabot-auto-merge.yml
Removed metadata: read permission; expanded PR label acceptance logic to check for both 'dependencies' and 'area/dependency' labels; replaced gh pr comment commands with direct curl API calls for improved token handling; switched auto-merge mechanism from PR merge endpoint to auto_merge field in PR payload.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes


@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/dependabot-auto-merge.yml (1)

55-60: ⚠️ Potential issue | 🔴 Critical

This API call will fail — auto_merge is not a writable field in the REST API.

The code uses PUT to set auto_merge, but:

  1. The REST API endpoint for pull requests uses PATCH (not PUT), and even then auto_merge is read-only. The endpoint only accepts: title, body, state, base, and maintainer_can_modify.
  2. To enable auto-merge programmatically, use the GraphQL mutation enablePullRequestAutoMerge or the gh CLI.

The simplest fix is to use gh pr merge --auto:

Proposed fix
-          # Enable auto-merge using GitHub API (token is automatically masked in logs)
-          response=$(curl -s -w "%{http_code}" -o /tmp/response.json \
-            -X PUT \
-            -H "Accept: application/vnd.github+json" \
-            -H "Authorization: Bearer $GH_TOKEN" \
-            "https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}" \
-            -d '{"auto_merge":{"merge_method":"merge"}}')
-          
-          if [[ "$response" -eq 200 ]]; then
-            echo "✅ Auto-merge enabled successfully"
-            cat /tmp/response.json
-          else
-            echo "❌ Failed to enable auto-merge. HTTP status: $response"
-            echo "Response body:"
-            cat /tmp/response.json
-            echo "::warning::Could not enable auto-merge due to permissions. PR labeled for manual review."
-            
-            # Add a comment to the PR explaining the situation (token is automatically masked)
-            curl -s -X POST \
-              -H "Accept: application/vnd.github+json" \
-              -H "Authorization: Bearer $GH_TOKEN" \
-              "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
-              -d '{"body":"🤖 **Dependabot Auto-Merge Status**\n\nThis PR meets the criteria for auto-merge but could not be automatically merged due to repository permissions.\n\n**Details:**\n- Update type: ${{ steps.metadata.outputs.update-type }}\n- Dependencies: ${{ steps.metadata.outputs.dependency-names }}\n- Previous version: ${{ steps.metadata.outputs.previous-version }}\n- New version: ${{ steps.metadata.outputs.new-version }}\n\nPlease review and merge manually if appropriate."}'
-          fi
+          # Enable auto-merge via gh CLI
+          if gh pr merge "${{ github.event.pull_request.number }}" --auto --squash; then
+            echo "✅ Auto-merge enabled successfully"
+          else
+            echo "❌ Failed to enable auto-merge"
+            echo "::warning::Could not enable auto-merge. PR flagged for manual review."
+            gh pr comment "${{ github.event.pull_request.number }}" \
+              --body "🤖 **Dependabot Auto-Merge Status**
+
+This PR meets the criteria for auto-merge but could not be automatically merged due to repository permissions.
+
+**Details:**
+- Update type: ${{ steps.metadata.outputs.update-type }}
+- Dependencies: ${{ steps.metadata.outputs.dependency-names }}
+- Previous version: ${{ steps.metadata.outputs.previous-version }}
+- New version: ${{ steps.metadata.outputs.new-version }}
+
+Please review and merge manually if appropriate."
+          fi
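Review bot: the proposed `gh pr comment --body "..."` still expands `${{ steps.metadata.outputs.dependency-names }}` and the three version outputs inside a double-quoted bash string, so the quoting problem raised in the other review thread survives this fix: a `"` or `$(` in a value is interpreted by the shell before gh ever sees it. Move those expressions into the step's `env:` and reference `$DEPS`, `$PREV`, `$NEW` in the body. `gh` also needs `GH_TOKEN` exported on the step (the curl version read `$GH_TOKEN` explicitly) and, when the job has no checkout, `GH_REPO: ${{ github.repository }}` so that the bare PR number resolves.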

Note: The PR is labeled tide/merge-method-squash, so --squash is the intended merge method rather than "merge".

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dependabot-auto-merge.yml around lines 55 - 60, The
workflow is trying to set the read-only auto_merge field via a PUT to the REST
pulls endpoint (setting "auto_merge" in the curl payload) which will fail;
replace this approach by either calling the GraphQL mutation
enablePullRequestAutoMerge for the PR or, simpler, invoke the GitHub CLI to
enable auto-merge with the intended method (use gh pr merge --auto --squash for
this PR labeled tide/merge-method-squash) instead of using curl with
"auto_merge" and PUT.
🧹 Nitpick comments (2)
.github/workflows/dependabot-auto-merge.yml (2)

31-39: Label check is always true — the step is effectively dead code.

The job-level if (line 17) already restricts execution to github.actor == 'dependabot[bot]', so the fallback on line 35 (github.actor == "dependabot[bot]") is always true. This means has-required-labels will always be true, and the label checks on lines 33–34 are never decisive.

If the intent is to auto-merge all dependabot PRs (patch/minor), you can remove this step entirely. If the intent is to require a label even for dependabot PRs, remove the actor check on line 35.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dependabot-auto-merge.yml around lines 31 - 39, The
conditional that sets has-required-labels is always true because the job-level
if already restricts to github.actor == 'dependabot[bot]'; update the if in the
block that writes has-required-labels so it actually enforces label checks:
either remove the entire step that sets has-required-labels if you intend to
auto-merge all Dependabot PRs, or remove the github.actor == "dependabot[bot]"
clause from the condition and keep only the two contains(...) checks (for
'area/dependency' and 'dependencies') so the labels are required even for
dependabot PRs; modify the shell if that currently contains
contains(github.event.pull_request.labels.*.name, 'area/dependency') and
contains(..., 'dependencies') accordingly.

86-91: JSON body may break if dependency metadata contains special characters.

The interpolated values (dependency-names, versions) are injected directly into the JSON string. If any value contains ", \, or newlines, the JSON payload will be malformed and the API call will fail silently (-s flag suppresses errors).

Consider using jq to safely construct the JSON body, or switch to gh pr comment which handles escaping:

Example with jq
-          curl -s -X POST \
-            -H "Accept: application/vnd.github+json" \
-            -H "Authorization: Bearer $GH_TOKEN" \
-            "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
-            -d '{"body":"🚨 **Major Version Update Detected** 🚨\n\n..."}'
+          BODY=$(jq -n --arg dep "${{ steps.metadata.outputs.dependency-names }}" \
+            --arg prev "${{ steps.metadata.outputs.previous-version }}" \
+            --arg new "${{ steps.metadata.outputs.new-version }}" \
+            '{body: "🚨 **Major Version Update Detected** 🚨\n\nThis PR contains a major version update that requires manual review:\n- **Dependency:** \($dep)\n- **Previous version:** \($prev)\n- **New version:** \($new)\n\nPlease review the changelog and breaking changes before merging.\n\nAuto-merge has been **disabled** for this PR."}')
+          curl -s -X POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer $GH_TOKEN" \
+            "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
+            -d "$BODY"
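Review bot: `--arg dep "${{ steps.metadata.outputs.dependency-names }}"` lets jq escape the value for JSON, but only after bash has already parsed it, so a `"` in the output still closes the double-quoted argument and a `$(` still executes; the expressions need to arrive through `env:` (`--arg dep "$DEPS"`) for jq's escaping to cover the whole path. The trailing `curl -s ... -d "$BODY"` keeps the silent-failure behaviour this comment describes; `--fail` (or `--fail-with-body`) would surface a 4xx from the comments endpoint.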
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dependabot-auto-merge.yml around lines 86 - 91, The
hardcoded JSON in the curl call can break when interpolated variables
(steps.metadata.outputs.dependency-names, previous-version, new-version) contain
quotes, backslashes, or newlines; update the dependabot-auto-merge.yml step that
constructs the comment (the curl -s -X POST block) to build the JSON
safely—either: use jq to construct the payload (e.g., jq -n --arg dep "${{
steps.metadata.outputs.dependency-names }}" --arg prev "${{
steps.metadata.outputs.previous-version }}" --arg new "${{
steps.metadata.outputs.new-version }}" '...') and pipe that into curl with
--data `@-`, or replace the curl call with gh pr comment which accepts unescaped
text and handles escaping for you; ensure you keep the Authorization token usage
or use the GH action's built-in authentication when switching to gh.
