ci: trigger release after Dependabot Automerge

JohnMcLear · claude · JohnMcLear · commit f67e0fe43fad · 2026-05-02T19:55:21.000+01:00
GitHub Actions doesn't fire `on: push` workflows when the push is
authenticated with GITHUB_TOKEN (intentional, to avoid recursive
workflow loops). pascalgn/automerge-action only has GITHUB_TOKEN, so
when it merges a Dependabot PR to default branch the resulting push
doesn't trigger Node.js Package and the version-bump + npm-publish job
never runs. Result: every Dependabot bump leaves an unreleased commit
on default branch, the published npm version drifts behind, and the
only way to ship is a human re-merge.

Two coupled changes:

  - automerge.yml grows `actions: write` and a final step that calls
    `gh workflow run test-and-release.yml --ref &lt;default-branch&gt;`.
    Gated on automerge-action's `mergeResult == 'merged'` so it
    doesn't fire when nothing actually merged.

  - test-and-release.yml grows a `workflow_dispatch:` trigger so the
    above invocation has something to dispatch. Existing on:push is
    preserved unchanged.

Mirrors ep_announce#114 (already merged and verified end-to-end).

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
@@ -2,6 +2,12 @@ name: Dependabot Automerge
 permissions:
   contents: write
   pull-requests: write
+  # `actions: write` lets the post-merge step kick off Node.js Package on
+  # the default branch via `gh workflow run`. Without this, automerge'd
+  # PRs land on main but the on-push release job never fires (GitHub
+  # Actions intentionally suppresses on:push triggers when the push is
+  # authenticated with GITHUB_TOKEN).
+  actions: write
 on:
   workflow_run:
     workflows:
@@ -21,10 +27,19 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Automerge
+        id: automerge
         uses: "pascalgn/automerge-action@v0.16.4"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           MERGE_METHOD: squash
           MERGE_LABELS: ""
           MERGE_RETRY_SLEEP: "100000"
 
+      - name: Trigger release on default branch
+        # `pascalgn/automerge-action` exits 0 whether or not it merged. Skip
+        # the dispatch when nothing was actually merged so we don't kick a
+        # phantom release run on every Dependabot Automerge invocation.
+        if: steps.automerge.outputs.mergeResult == 'merged'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh workflow run test-and-release.yml --ref ${{ github.event.repository.default_branch }}
diff --git a/.github/workflows/test-and-release.yml b/.github/workflows/test-and-release.yml
@@ -1,5 +1,11 @@
 name: Node.js Package
-on: [push]
+on:
+  push:
+  # Invoked by automerge.yml after a Dependabot PR is merged. GitHub
+  # Actions doesn't fire on:push when the push is authored by GITHUB_TOKEN
+  # (the automerge action's only available identity), so without this
+  # dispatch trigger the release job never runs after auto-merges.
+  workflow_dispatch:
 
 # id-token: write must be granted here so the reusable npmpublish workflow
 # can request an OIDC token for npm trusted publishing.
