From c0d617f3f02edffc8f12982b6c1b2c0310e81e87 Mon Sep 17 00:00:00 2001 From: TimeToBuildBob <223556219+Copilot@users.noreply.github.com> Date: Wed, 1 Jul 2026 07:15:06 +0000 Subject: [PATCH 1/3] fix(ci): restore dependabot automerge workflow Replace the stale PAT-based merge-me action with native GitHub auto-merge enablement on successful Dependabot PR builds. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/dependabot-automerge.yml | 54 ++++++++++++++++++---- 1 file changed, 44 insertions(+), 10 deletions(-) diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml index 17a0c516..830c65fc 100644 --- a/.github/workflows/dependabot-automerge.yml +++ b/.github/workflows/dependabot-automerge.yml @@ -1,11 +1,5 @@ name: Dependabot Auto-merge -# NOTE: `merge-me-action` still needs the bot PAT here. -# Using `secrets.GITHUB_TOKEN` fails on `workflow_run` with -# "Resource not accessible by integration" when the action queries -# branch protection rules over GraphQL. -# See: https://github.com/ridedott/merge-me-action/issues/1581 - on: workflow_run: types: 
@@ -14,16 +8,56 @@ on: # List all required workflow names here. - Build +permissions: + contents: write + pull-requests: write + jobs: auto_merge: - name: Auto-merge + name: Enable auto-merge runs-on: ubuntu-latest if: >- github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request' && - github.actor == 'dependabot[bot]' + github.event.workflow_run.actor.login == 'dependabot[bot]' && + github.event.workflow_run.pull_requests[0].number steps: - - uses: ridedott/merge-me-action@bb09d7d3c3504d3837816cc4eb821e663dc7ffde + - name: Enable GitHub auto-merge for the triggering PR + uses: actions/github-script@v8 with: - GITHUB_TOKEN: ${{ secrets.AWBOT_GH_TOKEN }} + script: | + const prNumber = context.payload.workflow_run.pull_requests[0].number; + + const { data: pr } = await github.rest.pulls.get({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: prNumber, + }); + + if (pr.user.login !== 'dependabot[bot]' || pr.state !== 'open' || pr.draft) { + core.info('PR is not an open Dependabot PR. Skipping.'); + return; + } + + if (pr.auto_merge) { + core.info('Auto-merge is already enabled.'); + return; + } + + await github.graphql( + `mutation($pullRequestId: ID!, $mergeMethod: PullRequestMergeMethod!) { + enablePullRequestAutoMerge(input: { + pullRequestId: $pullRequestId, + mergeMethod: $mergeMethod + }) { + clientMutationId + } + }`, + { + pullRequestId: pr.node_id, + mergeMethod: 'SQUASH', + } + ); + + core.info(`Enabled auto-merge for PR #${prNumber}.`); From a052d938a77faf356b614a24773699229484abbd Mon Sep 17 00:00:00 2001 
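Review bot: The skip condition in the script (`pr.user.login !== 'dependabot[bot]' || pr.state !== 'open' || pr.draft`) checks who opened the PR but not that its current head is the commit the successful Build run tested, so auto-merge is switched on for whatever the branch holds when this job runs. Because the job runs from `workflow_run` with `contents: write` and `pull-requests: write`, I would bind the two by adding `|| pr.head.sha !== context.payload.workflow_run.head_sha` to that condition. Every Dependabot update, major version bumps included, also becomes eligible; whether a review or further required checks still gate the merge depends on branch protection settings that are not visible in this patch. A short comment above `permissions:` saying which call needs each write scope would help the next reader keep the grant minimal.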
From: Bob Date: Wed, 1 Jul 2026 07:19:40 +0000 Subject: [PATCH 2/3] fix(ci): guard dependabot automerge against missing pull_requests Add an in-script null guard for context.payload.workflow_run.pull_requests before indexing [0].number, mirroring the job-level expression. Addresses Greptile 4/5 review feedback on aw-webui#889. Co-authored-by: Bob --- .github/workflows/dependabot-automerge.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml index 830c65fc..04fbee06 100644 --- a/.github/workflows/dependabot-automerge.yml +++ b/.github/workflows/dependabot-automerge.yml @@ -27,7 +27,12 @@ jobs: uses: actions/github-script@v8 with: script: | - const prNumber = context.payload.workflow_run.pull_requests[0].number; + const triggeredPullRequests = context.payload.workflow_run.pull_requests; + if (!triggeredPullRequests || triggeredPullRequests.length === 0) { + core.info('No associated pull request on the triggering workflow run. Skipping.'); + return; + } + const prNumber = triggeredPullRequests[0].number; const { data: pr } = await github.rest.pulls.get({ owner: context.repo.owner, From b9fa4369ba82b7caeb120610954fc8d610b5e4c9 Mon Sep 17 00:00:00 2001 From: Bob Date: Thu, 2 Jul 2026 22:11:19 +0000 Subject: [PATCH 3/3] fix(ci): pin actions/github-script to commit SHA instead of mutable v8 tag --- .github/workflows/dependabot-automerge.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml index 04fbee06..f0f125b1 100644 --- a/.github/workflows/dependabot-automerge.yml +++ b/.github/workflows/dependabot-automerge.yml 
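Review bot: `triggeredPullRequests[0]` still takes only the first entry, and `workflow_run.pull_requests` is an array that can list more than one PR for the same head branch, so the Dependabot PR may sit at another index. The author check further down the script (outside this hunk) fails closed, so the effect would be a skipped auto-merge rather than a wrong one, but selecting by commit is more precise: `const match = triggeredPullRequests.find((p) => p.head.sha === context.payload.workflow_run.head_sha);`. The guard would also benefit from a comment such as `// pull_requests can be empty (e.g. for runs triggered from fork PRs); skip instead of throwing`, so that nobody removes it as redundant with the job-level `if`.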
@@ -24,7 +24,7 @@ jobs: steps: - name: Enable GitHub auto-merge for the triggering PR - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const triggeredPullRequests = context.payload.workflow_run.pull_requests;