|
| 1 | +# Dependabot Auto-Approve and Auto-Merge |
| 2 | + |
| 3 | +This repository has automated approval and merging configured for Dependabot pull requests. |
| 4 | + |
| 5 | +## How It Works |
| 6 | + |
| 7 | +When Dependabot creates a pull request for dependency updates: |
| 8 | + |
| 9 | +1. The workflow `.github/workflows/dependabot-auto-merge.yml` automatically triggers |
| 10 | +2. The PR is automatically approved |
| 11 | +3. Auto-merge is enabled with the squash merge strategy |
| 12 | +4. Once all required status checks pass, the PR automatically merges |
| 13 | +5. If any check fails, the PR remains open for manual review |
| 14 | + |
| 15 | +## Required Checks |
| 16 | + |
| 17 | +Before a Dependabot PR can be auto-merged, all configured CI checks must pass: |
| 18 | + |
| 19 | +- **Backend API** - Build and lint checks for the API layer |
| 20 | +- **Backend Data** - Build and lint checks for the data layer |
| 21 | +- **Backend Library** - Build and lint checks for the library/domain layer |
| 22 | +- **Frontend** - Build, lint, and TypeScript compilation checks |
| 23 | + |
| 24 | +## Security |
| 25 | + |
| 26 | +The workflow uses `pull_request_target` event type which: |
| 27 | +- Runs in the context of the base repository |
| 28 | +- Has access to repository secrets |
| 29 | +- Only executes for PRs created by `dependabot[bot]` |
| 30 | + |
| 31 | +## Permissions |
| 32 | + |
| 33 | +The workflow requires: |
| 34 | +- `pull-requests: write` - To approve PRs |
| 35 | +- `contents: write` - To enable auto-merge |
| 36 | + |
| 37 | +## Configuration |
| 38 | + |
| 39 | +### Merge Strategy |
| 40 | + |
| 41 | +Currently configured to use **squash merge**. To change this, edit `.github/workflows/dependabot-auto-merge.yml`: |
| 42 | + |
| 43 | +```yaml |
| 44 | +# Options: --merge, --squash, --rebase |
| 45 | +run: gh pr merge --auto --squash "$PR_URL" |
| 46 | +``` |
| 47 | +
|
| 48 | +### Disable Auto-Merge |
| 49 | +
|
| 50 | +To disable auto-merge for specific types of updates, you can: |
| 51 | +
|
| 52 | +1. **Temporarily disable**: Delete or rename the workflow file |
| 53 | +2. **Selective disable**: Add conditions to the workflow's `if` clause |
| 54 | +3. **Per-ecosystem**: Add the condition based on Dependabot metadata |
| 55 | + |
| 56 | +Example - only auto-merge patch updates: |
| 57 | + |
| 58 | +```yaml |
| 59 | +- name: Enable auto-merge for patch updates only |
| 60 | + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' |
| 61 | + run: gh pr merge --auto --squash "$PR_URL" |
| 62 | +``` |
| 63 | + |
| 64 | +## Branch Protection |
| 65 | + |
| 66 | +For auto-merge to work properly, ensure your repository settings allow: |
| 67 | + |
| 68 | +1. **Auto-merge**: Must be enabled in repository settings |
| 69 | +2. **Required status checks**: Configure which checks must pass before merging |
| 70 | +3. **Require approvals**: Can be configured but workflow provides automatic approval |
| 71 | + |
| 72 | +## Troubleshooting |
| 73 | + |
| 74 | +### Auto-merge doesn't trigger |
| 75 | +- Check that auto-merge is enabled in repository settings |
| 76 | +- Verify branch protection rules allow auto-merge |
| 77 | +- Ensure the workflow has proper permissions |
| 78 | + |
| 79 | +### PR doesn't merge after checks pass |
| 80 | +- Check if all required status checks are configured correctly |
| 81 | +- Look for failing checks in the PR status section |
| 82 | +- Verify merge conflicts don't exist |
| 83 | + |
| 84 | +### Workflow doesn't run |
| 85 | +- Confirm the PR is created by `dependabot[bot]` |
| 86 | +- Check workflow permissions in repository settings |
| 87 | +- Review workflow run logs in the Actions tab |
| 88 | + |
| 89 | +## Related Files |
| 90 | + |
| 91 | +- `.github/workflows/dependabot-auto-merge.yml` - Main workflow file |
| 92 | +- `.github/dependabot.yml` - Dependabot configuration |
| 93 | +- `.github/workflows/backend-*.yml` - Backend CI checks |
| 94 | +- `.github/workflows/frontend.yml` - Frontend CI checks |
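Review bot: the "Security" section rests entirely on the `dependabot[bot]` actor gate and never states the invariant that actually makes `pull_request_target` safe here: the job must not check out or execute anything from the PR head. A Dependabot PR rewrites `package.json`, lockfiles and similar files, so any step that runs `actions/checkout` on `github.event.pull_request.head.sha` followed by an install or build would execute PR-controlled content with `contents: write`, `pull-requests: write` and the repository's secrets; the job should consist only of `dependabot/fetch-metadata` and `gh` calls against the PR URL, and the text should say so, leaving the builds to the CI workflows triggered by `pull_request`, where Dependabot runs get a read-only token and no repository secrets. Three smaller points on the same file: the "only auto-merge patch updates" snippet references `steps.metadata.outputs.update-type` but the page never shows the step that produces it, so add a `- uses: dependabot/fetch-metadata@v2` step with `id: metadata` and note that `$PR_URL` and `GH_TOKEN` have to be provided from `github.event.pull_request.html_url` and `secrets.GITHUB_TOKEN` for `gh pr merge` to work; that snippet gates only the merge step while the approval described in "The PR is automatically approved" still runs unconditionally, so a major update still receives a rubber-stamp approval and is one click from merging, and the same `if:` belongs on the approve step; and "Require approvals: Can be configured but workflow provides automatic approval" should state plainly that the workflow's own approval satisfies that branch protection rule, so required reviews no longer guarantee a human looks at Dependabot PRs, a supply-chain trade-off the reader should accept knowingly and, if unwanted for major bumps, avoid by restricting both steps to `version-update:semver-patch` or `version-update:semver-minor`.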