
Dependabot auto-merge safe updates #147


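# Enables auto-merge on Dependabot PRs only after "Continuous integration" succeeds.
# fetch-metadata does not support workflow_run; policy is enforced via dependabot.yml + CI.
# Do not add this workflow as a required check (would deadlock with wait strategies).
#
# Trust-boundary notes:
# - workflow_run jobs execute from the default branch with a write-capable GITHUB_TOKEN.
#   Nothing from the PR branch is checked out or executed; PR data is read through the API
#   and handed to the shell via env vars rather than `${{ }}` interpolation inside `run:`.
# - The job-level `if` only admits successful runs of same-repository pull_request events;
#   fork PRs and push/schedule runs never reach the merge step.
# - Only the PR creator is verified to be Dependabot. Commits pushed onto a Dependabot
#   branch by a collaborator are not vetted here; required checks / reviews configured in
#   branch protection still gate the actual merge, since `--auto` only queues it.
name: Dependabot auto-merge safe updates
on:
  workflow_run:
    workflows: ['Continuous integration']
    types: [completed]
  workflow_dispatch:
permissions:
  contents: write
  pull-requests: write
  issues: write
jobs:
  dependabot-auto-merge-after-ci:
    runs-on: ubuntu-latest
    # Only when the main CI workflow finished successfully for a PR from this repo
    if: |
      github.event_name == 'workflow_run' &&
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    steps:
      - name: Resolve PR and enable auto-merge for Dependabot
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed as env (not interpolated into the script) so the shell sees a plain string.
          REPO: ${{ github.repository }}
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          set -euo pipefail
          # Scratch dir for captured CLI output; removed on every exit path, including -e aborts.
          TMP=$(mktemp -d)
          trap 'rm -rf "$TMP"' EXIT
          MERGE_ERR="$TMP/merge.err"
          COMMENT_BODY="$TMP/comment.md"

          # The commit->PRs endpoint also lists closed/merged PRs; act only on an open one so a
          # late or re-run CI completion does not post the failure comment on a closed PR.
          PR_JSON=$(gh api "repos/${REPO}/commits/${HEAD_SHA}/pulls" \
            --jq '[.[] | select(.state == "open")][0]')
          if [ "$PR_JSON" = "null" ] || [ -z "$PR_JSON" ]; then
            echo "No open PR for this commit; skipping."
            exit 0
          fi
          PR=$(echo "$PR_JSON" | jq -r '.number')
          AUTHOR=$(gh pr view "$PR" --repo "$REPO" --json author --jq '.author.login')
          # gh may report Dependabot as dependabot[bot] or app/dependabot (GitHub App slug).
          case "$AUTHOR" in
            'dependabot[bot]'|'app/dependabot') ;;
            *)
              echo "PR #$PR is not from Dependabot ($AUTHOR); skipping."
              exit 0
              ;;
          esac
          echo "Dependabot PR #$PR: enabling auto-merge (merge when all required checks pass)."
          if gh pr merge "$PR" --repo "$REPO" --auto --squash 2>"$MERGE_ERR"; then
            # The hidden HTML marker keeps the comment idempotent across CI re-runs.
            # --paginate: without it only the first page of comments is searched, so the
            # marker could be missed on a long-lived PR and the comment posted again.
            if ! gh api "repos/${REPO}/issues/${PR}/comments" --paginate --jq '.[].body' \
                | grep -q '<!-- sortvision-dependabot-auto-merge -->'; then
              gh pr comment "$PR" --repo "$REPO" --body "$(printf '%s\n' \
                '### Dependabot auto-merge' \
                '' \
                '**Auto-merge** is enabled (squash). GitHub will merge this PR once **all required checks and reviews** pass.' \
                '' \
                '<!-- sortvision-dependabot-auto-merge -->')"
            else
              echo "Skipping success comment (already posted on this PR)."
            fi
          else
            # Surface the (truncated) CLI error on the PR instead of failing the workflow, so
            # repo-settings or branch-protection problems are visible to maintainers.
            {
              printf '%s\n\n' '### Dependabot auto-merge'
              printf '%s\n\n' 'Could not enable **auto-merge** after **Continuous integration** succeeded.'
              printf '%s\n\n' '**Common causes:** auto-merge disabled in repo settings, branch protection (reviews / code owners), merge queue rules, or token permissions.'
              printf '%s\n' '**CLI output:**'
              printf '%s\n' '```'
              head -c 6000 "$MERGE_ERR"
              printf '\n%s\n\n' '```'
              printf '%s\n' '<!-- sortvision-dependabot-auto-merge-error -->'
            } >"$COMMENT_BODY"
            gh pr comment "$PR" --repo "$REPO" --body-file "$COMMENT_BODY"
            echo "::warning::Could not enable auto-merge; posted details in a PR comment."
            exit 0
          fi
  dependabot-auto-merge-manual:
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch'
    permissions:
      contents: read
      pull-requests: write
    steps:
      # Checkout only gives gh a repository context; git credentials are not needed afterwards.
      - name: Checkout repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          persist-credentials: false
      - name: Enable auto-merge for all open Dependabot PRs
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          # --app dependabot filters on the authoring GitHub App, so only Dependabot PRs are listed.
          PRS=$(gh pr list --app dependabot --state open --json number --jq 'sort_by(.number) | .[].number')
          if [ -z "$PRS" ]; then
            echo "No open Dependabot PRs found."
            exit 0
          fi
          echo "Found Dependabot PRs:"
          echo "$PRS"
          for PR in $PRS; do
            echo ""
            echo "Enabling auto-merge for PR #$PR..."
            # A per-PR failure is non-fatal: checks may still be running or branch rules unmet.
            if ! gh pr merge "$PR" --auto --squash; then
              echo "Failed for PR #$PR (checks may still be running or branch rules not satisfied)."
              continue
            fi
            echo "Auto-merge requested for PR #$PR"
          done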