feat(dependabot): auto-merge major GitHub Actions updates#137

Merged
don-petry merged 2 commits into main from claude/kind-dijkstra on Apr 16, 2026

Conversation


@don-petry don-petry commented Apr 16, 2026

Summary

  • Auto-merge major version bumps for GitHub Actions (previously required manual review)
  • App ecosystem major updates still require human review (no change)
  • Updated eligibility logic in both the direct and reusable automerge workflows
  • Updated dependabot-policy.md to document the new behavior

Rationale: GitHub Actions are SHA-pinned and don't affect app runtime stability. gh pr merge --auto ensures CI must pass before merging, so breaking interface changes (e.g., renamed inputs) are caught automatically. This eliminates the manual review bottleneck for Action updates.

Changed files

| File | Change |
| --- | --- |
| .github/workflows/dependabot-automerge.yml | Skip major-version gate when ecosystem is github-actions |
| .github/workflows/dependabot-automerge-reusable.yml | Same logic change in reusable workflow |
| standards/dependabot-policy.md | Document Actions vs app-ecosystem auto-merge distinction |

Test plan

  • Verify existing patch/minor Action PRs still auto-merge (no regression)
  • Verify a major Action update PR (if one exists) gets auto-approved
  • Verify app ecosystem major updates are still blocked from auto-merge

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated Dependabot auto-merge policy: GitHub Actions updates now automatically merge for all version types, including major releases. Other ecosystem dependencies remain restricted to patch and minor updates, with major versions requiring manual review.

Copilot AI review requested due to automatic review settings April 16, 2026 01:42
coderabbitai Bot commented Apr 16, 2026

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 46 minutes and 48 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 46 minutes and 48 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d6e31d03-2eed-4219-978a-aa747b1f3d7a

📥 Commits

Reviewing files that changed from the base of the PR and between e2a96da and 3069e05.

📒 Files selected for processing (3)
  • .github/workflows/dependabot-automerge-reusable.yml
  • .github/workflows/dependabot-automerge.yml
  • standards/dependabot-policy.md
📝 Walkthrough

Modified Dependabot auto-merge eligibility to allow major version updates for GitHub Actions dependencies while restricting non-GitHub-Actions dependencies to patch and minor updates. Updated corresponding workflows and policy documentation to reflect the ecosystem-aware eligibility logic.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Dependabot Auto-Merge Workflows: .github/workflows/dependabot-automerge-reusable.yml, .github/workflows/dependabot-automerge.yml | Modified eligibility checks to exempt the github-actions ecosystem from the patch/minor/indirect restrictions, allowing major updates for GitHub Actions. Non-GitHub-Actions ecosystems remain restricted to patch/minor; major updates are now explicitly noted as requiring human review via updated skip messages. |
| Policy Documentation: standards/dependabot-policy.md | Updated auto-merge rules to document ecosystem-specific behavior: GitHub Actions are eligible for all semver levels (including major), while app ecosystems are limited to patch and minor updates, with major changes requiring human review. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • PR #9 — Directly modifies the same Dependabot auto-merge eligibility logic and policy files with overlapping changes to workflow and documentation.
  • PR #15 — Updates the dependabot-automerge workflow eligibility logic for which update types are auto-merged, targeting the same workflow file.
  • PR #87 — Related to the dependabot-automerge reusable workflow modifications, modifying the same workflow infrastructure affected by these changes.
🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: enabling auto-merge for major GitHub Actions version updates, which is the core feature introduced across the workflows and documentation. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


coderabbitai[bot]
coderabbitai Bot previously approved these changes Apr 16, 2026

Copilot AI left a comment


Pull request overview

Enables Dependabot auto-merge for major updates in the github-actions ecosystem (while keeping non-Actions major updates blocked for human review), and updates the Dependabot policy documentation to reflect the new eligibility rules.

Changes:

  • Updated eligibility gating in .github/workflows/dependabot-automerge.yml to allow all github-actions version bumps (including major).
  • Updated the same gating logic in .github/workflows/dependabot-automerge-reusable.yml.
  • Documented the Actions-vs-app-ecosystem auto-merge distinction in standards/dependabot-policy.md.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| standards/dependabot-policy.md | Updates policy text to describe major auto-merge behavior for GitHub Actions. |
| .github/workflows/dependabot-automerge.yml | Adjusts eligibility condition to bypass the major-version gate for github-actions. |
| .github/workflows/dependabot-automerge-reusable.yml | Mirrors the eligibility change in the reusable workflow used org-wide. |
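The eligibility rule described in the PR summary and restated in the CodeRabbit and Copilot reviews above (github-actions bumps of any semver level auto-merge, indirect dependencies auto-merge, everything else only at patch/minor, major app-ecosystem bumps wait for a human) is small enough to model as a pure function and unit-test outside CI. The block below is an added example, not code from this repository's workflows. The three metadata fields and their value formats are assumed to be those the `dependabot/fetch-metadata` action exposes (`update-type`, `package-ecosystem`, `dependency-type`); the page does not name that action. Unlike a bare shell `if` in a workflow, it fails closed on an unrecognised or missing update type rather than treating it as "not major".

```python
"""Ecosystem-aware Dependabot auto-merge gate (added example, not the repo's workflow code)."""
from dataclasses import dataclass

# Value formats assumed to match dependabot/fetch-metadata outputs.
SEMVER_MAJOR = "version-update:semver-major"
SEMVER_MINOR = "version-update:semver-minor"
SEMVER_PATCH = "version-update:semver-patch"
INDIRECT = "indirect"


@dataclass(frozen=True)
class DependabotUpdate:
    """One Dependabot PR, reduced to the fields the gate looks at."""
    package_ecosystem: str   # e.g. "github-actions", "npm", "pip"
    update_type: str         # one of the SEMVER_* values, or "" if absent
    dependency_type: str     # "direct:production", "direct:development", "indirect"


@dataclass(frozen=True)
class Decision:
    eligible: bool
    reason: str


def automerge_decision(u: DependabotUpdate) -> Decision:
    """Decide whether the PR may be queued with `gh pr merge --auto`.

    The github-actions exemption is tested first so a major Action bump is
    eligible regardless of dependency type. `--auto` still requires the
    required CI checks to pass, so a renamed input or removed output in a
    major Action release blocks the merge rather than slipping through.
    """
    if u.package_ecosystem == "github-actions":
        return Decision(True, "github-actions: all semver levels auto-merge (SHA-pinned, CI-gated)")
    if u.dependency_type == INDIRECT:
        return Decision(True, "indirect (transitive) dependency: auto-merge regardless of bump")
    if u.update_type in (SEMVER_PATCH, SEMVER_MINOR):
        return Decision(True, f"{u.package_ecosystem}: patch/minor update auto-merges")
    if u.update_type == SEMVER_MAJOR:
        return Decision(False, f"{u.package_ecosystem}: major update requires human review")
    # Missing or unknown metadata: never auto-merge on a value we cannot classify.
    return Decision(False, f"unrecognised update-type {u.update_type!r}: skipping auto-merge")


def triage(updates):
    """Split a batch of Dependabot PRs into (auto-merge, human-review) lists."""
    auto, review = [], []
    for u in updates:
        (auto if automerge_decision(u).eligible else review).append(u)
    return auto, review


# Constructed sample PRs covering each branch of the rule.
SAMPLE_UPDATES = [
    DependabotUpdate("github-actions", SEMVER_MAJOR, "direct:production"),
    DependabotUpdate("github-actions", SEMVER_PATCH, "direct:production"),
    DependabotUpdate("npm", SEMVER_MINOR, "direct:production"),
    DependabotUpdate("npm", SEMVER_MAJOR, "direct:production"),
    DependabotUpdate("pip", SEMVER_MAJOR, INDIRECT),
    DependabotUpdate("pip", "", "direct:development"),
]

if __name__ == "__main__":
    for u in SAMPLE_UPDATES:
        d = automerge_decision(u)
        print(f"{'MERGE ' if d.eligible else 'REVIEW'} {u.package_ecosystem:15} {u.update_type or '<none>':28} {d.reason}")
```

Keeping the decision in one function makes the skip message (the "requires human review" text the reviews mention) and the eligibility bit come from the same place, so the policy document, the direct workflow and the reusable workflow cannot drift apart the way a duplicated shell condition can.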

DJ and others added 2 commits April 15, 2026 18:55
GitHub Actions are SHA-pinned and don't affect app runtime, so major
version bumps carry minimal risk — CI catches any breaking interface
changes before the merge completes. This eliminates the manual review
bottleneck for Action updates while keeping major-update gating for
app ecosystem dependencies.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Address review comment: the policy summary omitted that indirect
(transitive) dependency updates are also auto-merge eligible regardless
of version bump, which is consistent with the workflow logic and the
Behavior section.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@don-petry don-petry force-pushed the claude/kind-dijkstra branch from ca09672 to 3069e05 Compare April 16, 2026 01:55

@don-petry don-petry disabled auto-merge April 16, 2026 01:59
@don-petry don-petry merged commit 7a155df into main Apr 16, 2026
19 checks passed
@don-petry don-petry deleted the claude/kind-dijkstra branch April 16, 2026 02:00