ci: switch auto-merge to --auto and resolve AI reviewer threads#39

Merged
don-petry merged 1 commit intomainfrom
fix/auto-merge-resolve-threads
Apr 1, 2026

Conversation

@don-petry
Contributor

@don-petry don-petry commented Apr 1, 2026

Summary

  • Replaces gh pr merge --admin with gh pr merge --auto to fix the race condition where the merge fires before CI checks complete
  • Adds a step to resolve all review threads (from Copilot, CodeRabbit, etc.) before queuing auto-merge
  • Required because the new pr-quality ruleset enforces required_review_thread_resolution

Test plan

  • Verify next Dependabot patch/minor PR gets auto-merged after checks pass
  • Verify review threads from AI reviewers are resolved before merge

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Enhanced automation for managing dependency updates with improved security configurations and streamlined review processes.

- Replace --admin with --auto to fix race condition where merge fires
  before CI checks complete
- Add step to resolve review threads from Copilot/CodeRabbit before
  queuing auto-merge, required now that thread resolution is enforced
  via rulesets

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 1, 2026 12:01
@coderabbitai

coderabbitai Bot commented Apr 1, 2026

📝 Walkthrough

Walkthrough

The GitHub Actions workflow for Dependabot auto-merge has been modified to reduce permissions from write to read for contents and pull-requests, and the auto-merge step now includes a GraphQL-based script to resolve unresolved review threads before performing the squash merge with auto-queue.

Changes

Cohort / File(s) Summary
Dependabot Auto-merge Workflow
.github/workflows/dependabot-automerge.yml
Permissions reduced from write to read for contents and pull-requests. Auto-merge step expanded to include PR approval, GraphQL query to fetch and resolve unresolved review threads, and queued squash merge. New environment variables added for GraphQL operations (GITHUB_TOKEN, PR_NUMBER, REPO_OWNER, REPO_NAME).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly and specifically describes the main changes: switching from admin merge to auto-merge and resolving AI reviewer threads, which are the primary objectives of the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@sonarqubecloud

sonarqubecloud Bot commented Apr 1, 2026


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/dependabot-automerge.yml (2)

57-64: Consider adding basic error handling for thread resolution.

The --silent flag suppresses output, but if a thread resolution fails (e.g., due to permissions or a thread being deleted), the merge will proceed regardless. Depending on your branch protection rules, this could cause the merge to fail later.

🛡️ Proposed: Add error logging without failing the workflow
           for THREAD_ID in $THREADS; do
-            gh api graphql -f query='
+            if ! gh api graphql -f query='
               mutation($id: ID!) {
                 resolveReviewThread(input: {threadId: $id}) {
                   thread { isResolved }
                 }
-              }' -f id="$THREAD_ID" --silent
+              }' -f id="$THREAD_ID" --silent; then
+              echo "::warning::Failed to resolve thread $THREAD_ID"
+            fi
           done
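Review bot: the `+` branch logs only the thread id and loses the reason for the failure; `--silent` suppresses stdout, so `gh`'s error text still goes to stderr, separate from the `::warning::` annotation. Capture it so the annotation is actionable, for example `if ! OUT=$(gh api graphql ... -f id="$THREAD_ID" 2>&1); then echo "::warning::Failed to resolve thread $THREAD_ID: $OUT"; fi`. Note also that GitHub Actions runs unspecified-shell `run` steps with `bash -e`, so before this change a failing mutation aborted the step rather than letting the merge proceed; wrapping the call in `if !` deliberately downgrades that abort to a warning, and since the ruleset requires every thread resolved, the downgrade should be a documented choice (a merge queued with a still-unresolved thread will simply wait).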
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dependabot-automerge.yml around lines 57 - 64, The
thread-resolution loop uses the gh api graphql call with --silent and doesn't
check its result; update the loop that iterates over THREAD_ID to capture the gh
api response and exit status for the resolveReviewThread mutation, log a clear
warning including the THREAD_ID and any returned error message when the call
fails (e.g., permission denied or thread not found), and continue without
exiting non‑zero so the workflow doesn't abort; reference the existing THREAD_ID
variable and the resolveReviewThread graphql mutation when implementing the
check and log.

45-55: Pagination limit may miss threads in edge cases.

The first: 100 limit is likely sufficient for typical Dependabot PRs, but if a PR accumulates more than 100 review threads, some will remain unresolved.

♻️ Optional: Add pagination handling

If robustness is desired, consider adding cursor-based pagination or at minimum logging a warning when 100 threads are returned:

-          THREADS=$(gh api graphql -f query='
+          RESPONSE=$(gh api graphql -f query='
             query($owner: String!, $repo: String!, $pr: Int!) {
               repository(owner: $owner, name: $repo) {
                 pullRequest(number: $pr) {
                   reviewThreads(first: 100) {
                     nodes { id isResolved }
+                    pageInfo { hasNextPage }
                   }
                 }
               }
-            }' -f owner="$REPO_OWNER" -f repo="$REPO_NAME" -F pr="$PR_NUMBER" \
-            --jq '.data.repository.pullRequest.reviewThreads.nodes[] | select(.isResolved == false) | .id')
+            }' -f owner="$REPO_OWNER" -f repo="$REPO_NAME" -F pr="$PR_NUMBER")
+
+          if echo "$RESPONSE" | jq -e '.data.repository.pullRequest.reviewThreads.pageInfo.hasNextPage' | grep -q true; then
+            echo "::warning::More than 100 review threads exist; some may not be resolved"
+          fi
+
+          THREADS=$(echo "$RESPONSE" | jq -r '.data.repository.pullRequest.reviewThreads.nodes[] | select(.isResolved == false) | .id')
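Review bot: the `pageInfo { hasNextPage }` check only warns, but with `required_review_thread_resolution` enforced any unresolved thread on page two leaves `gh pr merge --auto` queued indefinitely, so a warning does not actually prevent the failure mode. Request `endCursor` alongside `hasNextPage` and loop the query with `after: $cursor` until `hasNextPage` is false, appending each page's unresolved ids to `THREADS`. Minor: `jq -e ... | grep -q true` is redundant, since `jq -e` already exits non-zero for `false` or `null`; `if echo "$RESPONSE" | jq -e '...' >/dev/null; then` reads the same and avoids the extra pipe stage.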
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dependabot-automerge.yml around lines 45 - 55, The GraphQL
query used to populate THREADS uses a fixed page size reviewThreads(first: 100)
which can miss threads if a PR has >100 review threads; update the logic that
builds THREADS to handle pagination (use reviewThreads with cursors and after,
or loop requests until pageInfo.hasNextPage is false) or at minimum detect when
exactly 100 nodes are returned and log a warning; adjust the gh api graphql
calls that assign THREADS so they iterate with the cursor from
pageInfo.endCursor (or re-run queries) until all nodes are fetched, ensuring all
unresolved thread ids are collected.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/dependabot-automerge.yml:
- Around line 44-67: The current sequence resolves existing review threads
(THREADS / THREAD_ID) then immediately queues the merge with gh pr merge
--squash --auto, which can race with AI reviewers creating new threads; after
the block that resolves THREADS and before calling gh pr merge --squash --auto
"$PR_URL", re-query the same GraphQL reviewThreads query to detect any
newly-unresolved threads and either (a) resolve them in the same loop (repeating
until the query returns none) or (b) fail/exit the workflow so it can be re-run
later; implement a small backoff/sleep between iterations to avoid tight loops
and ensure you reference the existing THREADS/THREAD_ID logic when adding the
retry/check step.

---

Nitpick comments:
In @.github/workflows/dependabot-automerge.yml:
- Around line 57-64: The thread-resolution loop uses the gh api graphql call
with --silent and doesn't check its result; update the loop that iterates over
THREAD_ID to capture the gh api response and exit status for the
resolveReviewThread mutation, log a clear warning including the THREAD_ID and
any returned error message when the call fails (e.g., permission denied or
thread not found), and continue without exiting non‑zero so the workflow doesn't
abort; reference the existing THREAD_ID variable and the resolveReviewThread
graphql mutation when implementing the check and log.
- Around line 45-55: The GraphQL query used to populate THREADS uses a fixed
page size reviewThreads(first: 100) which can miss threads if a PR has >100
review threads; update the logic that builds THREADS to handle pagination (use
reviewThreads with cursors and after, or loop requests until
pageInfo.hasNextPage is false) or at minimum detect when exactly 100 nodes are
returned and log a warning; adjust the gh api graphql calls that assign THREADS
so they iterate with the cursor from pageInfo.endCursor (or re-run queries)
until all nodes are fetched, ensuring all unresolved thread ids are collected.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: dff856f8-da79-4de0-a20c-cd39a4970649

📥 Commits

Reviewing files that changed from the base of the PR and between e9d9afd and a3817f8.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-automerge.yml

Copilot AI left a comment

Pull request overview

Updates the Dependabot auto-merge workflow to avoid merging before required CI checks finish and to satisfy the repo ruleset requirement that review threads be resolved before merging.

Changes:

  • Switches from gh pr merge --admin to gh pr merge --auto so merges wait for required checks.
  • Adds a GraphQL-driven step to resolve review threads before enabling auto-merge.
  • Adjusts job-level permissions and refactors the merge step to include PR/repo context env vars.

@don-petry don-petry merged commit c126ec5 into main Apr 1, 2026
17 checks passed
@don-petry don-petry deleted the fix/auto-merge-resolve-threads branch April 1, 2026 12:07