
ci: auto-merge Dependabot PRs after required checks pass#78

Merged: Prekzursil merged 1 commit into main from ci/dependabot-auto-merge on Jun 30, 2026

Conversation

@Prekzursil (Owner)

Adds a minimal, safe dependabot-auto-merge.yml that enables GitHub native auto-merge (gh pr merge --auto --squash) for dependabot[bot] PRs.

Safety:

  • Only enables auto-merge; the actual merge is still gated by the branch ruleset required status checks (quality / quality, build-test, codeql / CodeQL, dependency-review) with strict up-to-date policy. Nothing merges while a required check is pending or red.
  • Scoped to the dependabot[bot] actor.
  • Only patch/minor bumps reach here (majors are ignored in dependabot.yml).

Keeps the repo green automatically going forward.
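The workflow described above, written out as a hardened variant. This is an added example, not the file merged in this PR. It keeps the `pull_request_target` trigger the PR's workflow uses (GitHub gives Dependabot-triggered `pull_request` runs a read-only `GITHUB_TOKEN` and no secrets, while Dependabot-triggered `pull_request_target` runs get a write-capable token), and adds two defence-in-depth checks that are assumptions of this example rather than part of the page: a gate on the PR author in addition to the actor, and a second gate on the Dependabot update type via the `dependabot/fetch-metadata` action so that major bumps stay out even if the `dependabot.yml` ignore rule is later changed.

```yaml
# Added example (not the PR's own dependabot-auto-merge.yml). Assumptions are
# marked inline; the merge itself remains gated by the branch ruleset's
# required status checks, exactly as the PR description states.
name: Dependabot auto-merge

on:
  # Dependabot-triggered pull_request_target runs receive a write-capable
  # GITHUB_TOKEN; Dependabot-triggered pull_request runs do not.
  pull_request_target:
    types: [opened, synchronize, reopened]

permissions:
  contents: write        # needed for gh pr merge --auto
  pull-requests: write

jobs:
  auto-merge:
    # Assumption: gate on the PR author as well as the actor. github.actor is
    # whoever triggered this run (for example a person re-running it); the PR
    # author field cannot be changed by a re-run.
    if: >-
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout: under pull_request_target the token
      # has write access, so code from the PR branch must never execute here.
      - name: Read Dependabot update metadata
        id: meta
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Enable auto-merge (squash)
        # Assumption: mirror the "majors are ignored in dependabot.yml" rule in
        # the workflow itself, so a major bump is never auto-merged even if the
        # dependabot.yml filter is relaxed later.
        if: >-
          steps.meta.outputs.update-type == 'version-update:semver-patch' ||
          steps.meta.outputs.update-type == 'version-update:semver-minor'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Two things to check when adopting this shape: the repository setting "Allow auto-merge" must be on, or `gh pr merge --auto` is rejected, and the ruleset must actually list the required checks, since enabling auto-merge on a branch with no required checks merges as soon as the command runs.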

@Prekzursil Prekzursil enabled auto-merge (squash) June 30, 2026 04:50
Comment on lines +17 to +27

jobs:
auto-merge:
if: ${{ github.actor == 'dependabot[bot]' }}
runs-on: ubuntu-latest
steps:
- name: Enable auto-merge (squash)
run: gh pr merge --auto --squash "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
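Review bot: the job gate `if: ${{ github.actor == 'dependabot[bot]' }}` keys on who triggered the run rather than who authored the PR; consider also requiring `github.event.pull_request.user.login == 'dependabot[bot]'` so that a re-run of the workflow by another actor, or any other trigger path that reaches this job, cannot enable auto-merge on a non-Dependabot PR. The step list issues no checkout of the PR branch before running `gh pr merge` with the write-scoped `GH_TOKEN`, which is the right shape for this job; keep it that way if more steps are added.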


Bug: The pull_request_target trigger, when used with Dependabot, likely provides a read-only token, which will cause the gh pr merge command to fail due to insufficient permissions.
Severity: HIGH

Suggested Fix

Change the workflow trigger from pull_request_target to pull_request. The permissions block is already correctly configured to grant the necessary write access for this trigger type. This aligns with GitHub's recommended practice for Dependabot workflows that need to perform write operations and matches the pattern used by other workflows in this repository.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: .github/workflows/dependabot-auto-merge.yml#L12-L27

Potential issue: The workflow is configured to run on `pull_request_target` events.
According to GitHub's security model, workflows triggered by Dependabot on this event
often receive a read-only `GITHUB_TOKEN` to prevent potential security exploits from
compromised dependencies. Although the workflow explicitly requests `contents: write`
and `pull-requests: write` permissions, these may be overridden by the read-only token
restriction. As a result, the `gh pr merge --auto --squash "$PR_URL"` command is likely
to fail with a permission denied error, preventing Dependabot pull requests from being
auto-merged.


@Prekzursil Prekzursil merged commit ec38190 into main Jun 30, 2026
9 checks passed
@Prekzursil Prekzursil deleted the ci/dependabot-auto-merge branch June 30, 2026 04:53