Skip to content

Commit 22563ce

Browse files
Merge branch 'main' into ci/integ-test-previous-version
2 parents fcadf91 + 38425ec commit 22563ce

1 file changed

Lines changed: 68 additions & 0 deletions

File tree

Lines changed: 68 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,68 @@
1+
# .github/workflows/dependabot-auto-merge.yml
2+
#
3+
# Automatically enables auto-merge on Dependabot PRs for minor and patch
4+
# version bumps. GitHub holds the actual merge until all required status
5+
# checks in the 'main-status-checks' Ruleset pass.
6+
#
7+
# Major version bumps are explicitly skipped and require human review
8+
# from the aws/bedrock-agentcore-maintainers team.
9+
#
10+
# PREREQUISITES (already completed):
11+
# ✅ Ruleset 'main-status-checks' — CI must pass, no bypass for anyone
12+
# ✅ Ruleset 'main' — approval requirement, Dependabot bypass added
13+
# ✅ Settings → General → Allow auto-merge enabled
14+
15+
name: Dependabot Auto-merge
16+
17+
on:
18+
pull_request:
19+
types: [opened, synchronize, reopened, ready_for_review]
20+
21+
permissions:
22+
contents: write # required to execute the squash merge
23+
pull-requests: write # required to enable auto-merge
24+
25+
jobs:
26+
dependabot-auto-merge:
27+
name: Auto-merge minor/patch PRs
28+
runs-on: ubuntu-latest
29+
30+
# Only act on PRs opened by the Dependabot bot.
31+
# The correct login is 'dependabot[bot]' — the bare string 'dependabot'
32+
# never matches and would silently skip all runs.
33+
if: github.actor == 'dependabot[bot]'
34+
35+
steps:
36+
- name: Fetch Dependabot metadata
37+
id: metadata
38+
uses: dependabot/fetch-metadata@v2
39+
with:
40+
github-token: ${{ secrets.GITHUB_TOKEN }}
41+
42+
# patch and minor bumps: enable auto-merge.
43+
# GitHub holds the merge until all required status checks pass.
44+
# If CI fails the PR stays open — no merge happens.
45+
- name: Enable auto-merge for minor/patch bumps
46+
if: |
47+
steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
48+
steps.metadata.outputs.update-type == 'version-update:semver-minor'
49+
env:
50+
PR_URL: ${{ github.event.pull_request.html_url }}
51+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
52+
run: |
53+
gh pr merge --auto --squash "$PR_URL"
54+
echo "✓ Auto-merge enabled: ${{ steps.metadata.outputs.dependency-names }} \
55+
(${{ steps.metadata.outputs.previous-version }} → \
56+
${{ steps.metadata.outputs.new-version }}, \
57+
${{ steps.metadata.outputs.update-type }})"
58+
59+
# major bumps: log clearly and do nothing.
60+
# The PR stays open and is assigned to aws/bedrock-agentcore-maintainers
61+
# via dependabot.yml for human review.
62+
- name: Skip major bumps — human review required
63+
if: steps.metadata.outputs.update-type == 'version-update:semver-major'
64+
run: |
65+
echo "⏭ Skipped: ${{ steps.metadata.outputs.dependency-names }} \
66+
is a major bump (${{ steps.metadata.outputs.previous-version }} → \
67+
${{ steps.metadata.outputs.new-version }}). \
68+
Requires review from aws/bedrock-agentcore-maintainers."

0 commit comments

Comments
 (0)