feat: Add Dependabot auto-merge workflow #425
Marenz wants to merge 1 commit into frequenz-floss:v0.x.x from
Conversation
Pull Request Overview
Adds a workflow to automatically approve and merge Dependabot pull requests.
- Introduces a GitHub Actions workflow gated to Dependabot actor.
- Configures auto-approval, labeling, and merge behavior for all dependency types.
| @@ -0,0 +1,18 @@ | |||
| name: Dependabot Auto Manage | |||
| on: pull_request | |||
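Review bot: the suggested types: [opened, synchronize, reopened] changes nothing, because those are already the default activity types for the pull_request event, and the cost of the runs that the if condition skips is negligible. What actually matters for an approve-and-merge job triggered by on: pull_request is the token: when Dependabot opens the PR, the run's GITHUB_TOKEN is read-only unless the workflow declares a permissions block (pull-requests: write for the approval, contents: write for the merge), and none is visible in these lines; add one if the rest of the file does not have it. Do not reach for pull_request_target to get around that: it runs with a write token in the base-branch context, so if any later step checks out or executes the PR head, a malicious PR gets to use that token.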
[nitpick] Using on: pull_request without restricting event types causes the workflow to be evaluated for every pull request (then skipped via the if condition), creating unnecessary workflow invocations. Restrict with types: [opened, synchronize, reopened] or use pull_request_target if appropriate.
Suggested change:
```yaml
on:
  pull_request:
    types: [opened, synchronize, reopened]
```
| steps: | ||
| - uses: ad/dependabot-auto-approve@v1 | ||
| with: | ||
| dependency-type: 'all' |
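Review bot: with dependency-type: 'all', the unconditional approval from the workflow token lets every Dependabot PR, major bumps included and the grpc/protobuf updates that the reviewers below say need manual work, merge with no human review at all; if the step stays, gate it on the update type (minor/patch only) or on the dependency names rather than approving everything. Separately, ad/dependabot-auto-approve@v1 is a third-party action referenced by a mutable tag; for a step that approves and merges code into the repository, pin the full commit SHA (with the tag kept in a trailing comment) so that a re-tagged or compromised release cannot silently change what the job does.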
[nitpick] Auto-merging all dependency types increases risk of merging breaking major updates or dev-only changes without review. Consider narrowing to 'production' or adding a versioning strategy (e.g., limiting to patch/minor) to reduce disruption.
Suggested change:
```yaml
          dependency-type: 'production'
```
e063e9b to d455da6
llucax left a comment:
I like it, but this is probably not the best repository to add this to, because grpc/protobuf updates need manual intervention.
So I would add this as is to some other, non-API, repo first, and after this one is working, we can consider doing one or more of these:
- Add a feature to the auto-merge action to only auto-approve PRs that match some regex (so we can exclude the protobuf/grpc stuff).
- Add some step/workflow to automatically fix the protobuf/grpc updates.
- Disable protobuf/grpc updates and find another way to update those; normally we should probably only change these dependencies for major updates, there is no harm in supporting older versions, except maybe for patch updates, maybe for those we really want to re-generate the python files. But it is something that needs more thought.
llucax left a comment:
Marking as needs changes to avoid accidental merges, as merging this will be problematic if protobuf/grpc bumps are automatically merged.
Signed-off-by: Mathias L. Baumann <mathias.baumann@frequenz.com>
d455da6 to 7e59a1d
This PR adds a GitHub workflow to automatically manage Dependabot pull requests.
This workflow uses the ad/dependabot-auto-approve@v1 GitHub Action, which may need to be explicitly whitelisted in the organization's settings.
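As an added example, not the workflow from this PR and not code from the frequenz-floss project, the same job rewritten the way the review above asks for: the token is scoped with an explicit permissions block, the gate is on the PR author rather than the actor, only minor and patch updates of production dependencies are auto-merged, and named packages are excluded. It uses the dependabot/fetch-metadata action and the gh CLI instead of ad/dependabot-auto-approve; the grpcio and protobuf names in the exclusion are an assumption taken from the discussion, not from this repository's manifests, and the version tags would be replaced by full commit SHAs in a real deployment.

```yaml
name: Dependabot Auto Manage

on: pull_request

# Least privilege: the job only needs to approve the PR and enable auto-merge.
# A Dependabot-triggered run gets a read-only GITHUB_TOKEN unless this block exists.
permissions:
  contents: write
  pull-requests: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Gate on the PR author, not github.actor: the actor changes when a human re-runs the job.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Read Dependabot metadata from the PR
        id: metadata
        uses: dependabot/fetch-metadata@v2   # pin to a full commit SHA in production
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Approve and enable auto-merge (minor/patch, production deps, not grpc/protobuf)
        # update-type is version-update:semver-major, -minor or -patch;
        # dependency-type is direct:production, direct:development or indirect;
        # dependency-names is a comma-separated list.
        # The two excluded names are an assumption for this example.
        if: >-
          steps.metadata.outputs.update-type != 'version-update:semver-major' &&
          steps.metadata.outputs.dependency-type == 'direct:production' &&
          !contains(steps.metadata.outputs.dependency-names, 'grpcio') &&
          !contains(steps.metadata.outputs.dependency-names, 'protobuf')
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh pr review --approve "$PR_URL"
          # --auto defers the merge until required checks and branch protection pass
          gh pr merge --auto --merge "$PR_URL"
```

Two caveats when adopting something like this: gh pr merge --auto only works if auto-merge is enabled in the repository settings, and the approval comes from the workflow's own token, so it satisfies a plain "require N approvals" rule but not a rule that requires review from a code owner. Excluded packages such as the grpc/protobuf bumps are simply left open for a human, which is the behaviour the reviewer asked for.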