From 26d279d10c2fae415bf012776fce94c91f43f79f Mon Sep 17 00:00:00 2001
From: Gabriel Zurita
Date: Thu, 19 Dec 2024 15:52:15 -0700
Subject: [PATCH] feat: add Dependabot auto-merge workflow (#27)

* feat: add Dependabot auto-merge workflow
- Add GitHub workflow to automatically merge Dependabot PRs when checks pass
- Add documentation about automated dependency updates to README
- Configure workflow with necessary permissions for auto-merging
- Use GitHub CLI to enable auto-merge functionality
- Auto merges only on patch, or minor, not major bumps
This change streamlines dependency management by automatically merging security and dependency updates from Dependabot when all CI checks pass.
* feat(ci): make dependabot auto-merge wait for test workflow
Updates the dependabot auto-merge workflow to explicitly wait for the test workflow to complete successfully before attempting to merge. This provides an additional safety check beyond branch protection rules and ensures dependencies are only merged after passing all tests.
- Changes trigger from pull_request to workflow_run
- Adds explicit check for workflow_run.conclusion == 'success'
- References "Test Code" workflow as a prerequisite
---
 .github/workflows/dependabot-auto-merge.yml | 32 +++++++++++++++++++++
 README.md | 6 ++++
 2 files changed, 38 insertions(+)
 create mode 100644 .github/workflows/dependabot-auto-merge.yml
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
new file mode 100644
index 0000000..7ee3cc7
--- /dev/null
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,32 @@
+name: Dependabot Auto-Merge
+on:
+ workflow_run:
+ workflows: ["Test Code"] # Name of the test-code.yml workflow
+ types:
+ - completed
+ branches: [ main ]
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ dependabot-auto-merge:
+ runs-on: ubuntu-latest
+ if: |
+ github.event.workflow_run.conclusion == 'success' &&
+ github.actor == 'dependabot[bot]'
+
+ steps:
+ - name: Fetch Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v2
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Enable auto-merge for Dependabot PRs
+ if: ${{steps.metadata.outputs.update-type != 'version-update:semver-major'}}
+ run: gh pr merge --auto --merge "$PR_URL"
+ env:
+ PR_URL: ${{github.event.pull_request.html_url}}
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/README.md b/README.md
index fa5edc8..680e902 100644
--- a/README.md
+++ b/README.md
@@ -161,3 +161,9 @@ poetry run python src/python_src/pull_api_documentation.py
 ## Repository History
 NOTE: this repository was split from [abd-vro](https://github.com/department-of-veterans-affairs/abd-vro/tree/develop/domain-ee/ee-max-cfi-app).
+
+## Automated Dependency Updates
+
+This repository uses Dependabot to keep dependencies up to date. Pull requests from Dependabot are automatically merged if:
+- All checks pass
+- The update is a minor or patch version change (major version updates require manual review)
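Review bot: The merge step cannot act on a Dependabot PR as written: on a `workflow_run` trigger, `branches: [ main ]` filters on the head branch of the triggering "Test Code" run, which for a Dependabot PR is its `dependabot/...` branch rather than `main`, and `github.event.pull_request.html_url` does not exist in a `workflow_run` payload, so `PR_URL` expands to an empty string before `gh pr merge` runs. Change the filter to `branches: ['dependabot/**']` (quoted, so the `*` is not read as a YAML alias) and derive the PR from the triggering run, e.g. `PR_URL: ${{ github.server_url }}/${{ github.repository }}/pull/${{ github.event.workflow_run.pull_requests[0].number }}`; `workflow_run.pull_requests` is populated for same-repository head branches such as Dependabot's but is empty for fork PRs, which this job should not merge anyway. Whether `dependabot/fetch-metadata@v2` resolves the PR under a `workflow_run` event should also be confirmed, since the `update-type` gate on the last step depends on its output. The job-level `if:` on `workflow_run.conclusion` and `github.actor`, together with `gh pr merge --auto`, still leaves branch protection as the final gate, which is where the required checks belong.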