feat: Dependabot with auto-merge on CI success #3
Changes from all commits: 52e31ea, b11b3c6, e59bd67, 1ab55b5
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| version: 2 | ||
| updates: | ||
| - package-ecosystem: "pip" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "weekly" | ||
| cooldown: | ||
| default-days: 7 | ||
| open-pull-requests-limit: 5 | ||
| labels: | ||
| - "dependencies" | ||
| - "python" | ||
|
|
||
| - package-ecosystem: "github-actions" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "weekly" | ||
| cooldown: | ||
| default-days: 7 | ||
| open-pull-requests-limit: 5 | ||
| labels: | ||
| - "dependencies" | ||
| - "github-actions" | ||
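Review bot: the 7-day "cooldown: default-days: 7" on both ecosystems is the control that protects against merging a freshly published (and possibly compromised or yanked) release, and since every non-major update from this config is merged without a human reading it, that intent deserves a comment next to the setting so nobody lowers it later as a "speed-up". If shorter waits are wanted for patch releases only, the cooldown block also accepts per-level keys (semver-patch-days, semver-minor-days, semver-major-days) alongside default-days, which would let major updates, the ones that are not auto-merged, keep the longer delay. The rest reads well: weekly schedule, "open-pull-requests-limit: 5" to cap churn, and distinct labels per ecosystem.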
Comment on lines +1 to +23
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,37 @@ | ||||||||||||||||||||||||||||||
| name: Dependabot Auto-Merge | ||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| on: | ||||||||||||||||||||||||||||||
| pull_request: | ||||||||||||||||||||||||||||||
| branches: ["**"] | ||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| permissions: {} | ||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| jobs: | ||||||||||||||||||||||||||||||
| auto-merge: | ||||||||||||||||||||||||||||||
| name: Auto-merge Dependabot PRs | ||||||||||||||||||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||||||||||||||||||
| if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name | ||||||||||||||||||||||||||||||
| permissions: | ||||||||||||||||||||||||||||||
| contents: write | ||||||||||||||||||||||||||||||
| pull-requests: write | ||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| steps: | ||||||||||||||||||||||||||||||
| - name: Fetch Dependabot metadata | ||||||||||||||||||||||||||||||
| id: metadata | ||||||||||||||||||||||||||||||
| uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0 | ||||||||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||||||||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| - name: Approve PR | ||||||||||||||||||||||||||||||
| if: steps.metadata.outputs.update-type != 'version-update:semver-major' | ||||||||||||||||||||||||||||||
| run: gh pr review --approve "$PR_URL" | ||||||||||||||||||||||||||||||
| env: | ||||||||||||||||||||||||||||||
| PR_URL: ${{ github.event.pull_request.html_url }} | ||||||||||||||||||||||||||||||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| - name: Enable auto-merge | ||||||||||||||||||||||||||||||
| if: steps.metadata.outputs.update-type != 'version-update:semver-major' | ||||||||||||||||||||||||||||||
| run: gh pr merge --auto --squash "$PR_URL" | ||||||||||||||||||||||||||||||
| env: | ||||||||||||||||||||||||||||||
| PR_URL: ${{ github.event.pull_request.html_url }} | ||||||||||||||||||||||||||||||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||||||||||||||||||||||||||||||
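Review bot: "gh pr merge --auto --squash" only waits for the status checks that branch protection or a ruleset marks as required; on a branch with no required checks the PR merges as soon as the approve step has run, so the "on CI success" part of this PR's title depends on repository settings that this hunk cannot enforce or verify. Document that requirement in a comment on the "Enable auto-merge" step (or fail the job when the base branch has no required checks) so the workflow is not copied into a repo where it merges unreviewed dependency bumps immediately. What is done well and should stay: the job-level "if:" rejects PRs whose head repo is not this repo (no forks), both steps skip "version-update:semver-major", the action is pinned by full SHA with the version in a comment, and "permissions: {}" at the top with contents/pull-requests write only on this job. One caveat to record: approval and merge are performed by the same automated identity with the same GITHUB_TOKEN, so if branch protection requires a code-owner review or dismisses approvals on new pushes, the approve step will not satisfy it and auto-merge will wait indefinitely rather than fail.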
Comment on lines +30 to +37
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Enable auto-merge | |
| run: gh pr merge --auto --squash "$PR_URL" | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GH_TOKEN: ${{ secrets.DEPENDABOT_AUTOMERGE_TOKEN }} | |
| - name: Enable auto-merge | |
| run: gh pr merge --auto --squash "$PR_URL" | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.DEPENDABOT_AUTOMERGE_TOKEN }} |
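Review bot: the suggested change replaces both GH_TOKEN values, "GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}" becoming "GH_TOKEN: ${{ secrets.DEPENDABOT_AUTOMERGE_TOKEN }}", which trades the job-scoped, run-lifetime GITHUB_TOKEN for a stored long-lived token that the workflow's "permissions:" block no longer constrains; if adopted, it should be a fine-grained token restricted to this repository with only contents and pull-requests write, and the reason for the swap (typically that events created with GITHUB_TOKEN do not trigger other workflows, or that a bot approval does not satisfy a required-review rule) belongs in a comment beside it. Two further points: this workflow runs on a pull_request event raised by dependabot[bot], and workflows triggered by Dependabot only see Dependabot secrets, not Actions secrets, so the token must be stored under the Dependabot secrets settings or the variable resolves to an empty string; and the suggested "Enable auto-merge" step has no "if: steps.metadata.outputs.update-type != 'version-update:semver-major'" guard, which the full diff above does carry, so applying the suggestion as written would re-enable auto-merge for major updates.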
Copilot (AI), Feb 22, 2026:
The auto-merge step lacks error handling and doesn't verify that approval succeeded first. If the previous approval step fails but continues, this step will attempt to enable auto-merge on an unapproved PR, which will fail. The workflow should either fail fast on approval errors or check if approval succeeded before attempting auto-merge. Consider adding a conditional check or proper error handling between these steps.
Copilot (AI), Feb 22, 2026:
The workflow is missing security filtering for Dependabot PR types. Currently, it will auto-approve and auto-merge all Dependabot PRs regardless of whether they are patch, minor, or major version updates. Major version updates can introduce breaking changes. Consider adding logic to filter by update type (e.g., only auto-merge patch and minor updates) or by dependency criticality. You can access this information via github.event.pull_request.labels or by parsing the PR title/body.
The pip ecosystem configuration should include a groups specification. Looking at pyproject.toml, the project uses dependency groups (dev group with tools like pytest, mypy, ruff). Without the groups field, Dependabot will only update runtime dependencies, not dev dependencies. Add groups: ["dev"] to ensure dev dependencies are also kept up to date.