feat: add Dependabot auto-merge workflow (#27)

* feat: add Dependabot auto-merge workflow - Add GitHub workflow to automatically merge Dependabot PRs when checks pass - Add documentation about automated dependency updates to README - Configure workflow with necessary permissions for auto-merging - Use GitHub CLI to enable auto-merge functionality - Auto merges only on patch, or minor, not major bumps This change streamlines dependency management by automatically merging security and dependency updates from Dependabot when all CI checks pass. * feat(ci): make dependabot auto-merge wait for test workflow Updates the dependabot auto-merge workflow to explicitly wait for the test workflow to complete successfully before attempting to merge. This provides an additional safety check beyond branch protection rules and ensures dependencies are only merged after passing all tests. - Changes trigger from pull_request to workflow_run - Adds explicit check for workflow_run.conclusion == 'success' - References "Test Code" workflow as a prerequisite
department-of-veterans-affairs · Dec 19, 2024 · 26d279d · 26d279d
1 parent 886a412
commit 26d279d
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 0 deletions.
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,32 @@
+name: Dependabot Auto-Merge
+on:
+  workflow_run:
+    workflows: ["Test Code"]  # Name of the test-code.yml workflow
+    types:
+      - completed
+    branches: [ main ]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot-auto-merge:
+    runs-on: ubuntu-latest
+    if: |
+      github.event.workflow_run.conclusion == 'success' &&
+      github.actor == 'dependabot[bot]'
+
+    steps:
+      - name: Fetch Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Enable auto-merge for Dependabot PRs
+        if: ${{steps.metadata.outputs.update-type != 'version-update:semver-major'}}
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/README.md b/README.md
@@ -161,3 +161,9 @@ poetry run python src/python_src/pull_api_documentation.py
 ## Repository History
 
 NOTE: this repository was split from [abd-vro](https://github.com/department-of-veterans-affairs/abd-vro/tree/develop/domain-ee/ee-max-cfi-app).
+
+## Automated Dependency Updates
+
+This repository uses Dependabot to keep dependencies up to date. Pull requests from Dependabot are automatically merged if:
+- All checks pass
+- The update is a minor or patch version change (major version updates require manual review)