Skip to content

ci(dependabot): group updates and auto-merge minor/patch bumps#430

Open
macalbert wants to merge 5 commits into
mainfrom
ci/dependabot-grouping-automerge
Open

ci(dependabot): group updates and auto-merge minor/patch bumps#430
macalbert wants to merge 5 commits into
mainfrom
ci/dependabot-grouping-automerge

Conversation

@macalbert

@macalbert macalbert commented Jul 13, 2026

Copy link
Copy Markdown
Owner

Pull Request

What does this PR do?

Reduces Dependabot PR noise and lockfile/format conflicts caused by many
small updates sitting open at once, and makes CI safe to require for
auto-merge:

  • .github/dependabot.yml: adds groups: (aws-sdk/azure-sdk, each
    scoped to update-types: [minor, patch] so major bumps stay
    ungrouped, + dev-minor-patch/prod-minor-patch) to every ecosystem
    block (npm root, npm Node.js SDK, nuget, gomod, maven, pip,
    github-actions), switches schedule.interval from daily to
    weekly (Monday), and adds open-pull-requests-limit: 5.
  • .github/workflows/dependabot-automerge.yml (new): enables GitHub
    auto-merge (squash) on Dependabot PRs via dependabot/fetch-metadata@v2,
    gated on update-type != version-update:semver-major. Uses
    pull_request_target (Dependabot PRs get a read-only GITHUB_TOKEN
    on plain pull_request) and gates on the PR author, not github.actor.
    Excludes dependabot/go_modules/ and dependabot/maven/ branches:
    there is no CI workflow for the Go or Java SDKs yet, so there would be
    nothing to wait for.
  • tests.yml, tests-website.yml, tests-dotnet-sdk.yml,
    tests-nodejs-sdk.yml, tests-python-sdk.yml: moved the paths:
    filter out of on.pull_request into a new changes job
    (dorny/paths-filter), with the real test job gated by
    needs: changes + a job-level if:. A required check gated by a
    workflow-level paths: filter never posts a status when skipped and
    blocks merging forever (confirmed in GitHub's own docs); a job-level
    if: skip reports "success" instead, so these checks can now be
    safely marked required in branch protection. workflow_dispatch runs
    always execute regardless of the path filter.

No dependencies or lockfiles were touched by hand.

Related issues

N/A

Type of change

  • Feature
  • Bugfix
  • Refactor
  • Documentation
  • Other (CI/dependency-management config)

Checklist

  • Tests added/updated (if needed)
  • Docs updated (if needed)
  • Lint/format pass (pnpm lint and secretlint on changed files)

Notes for reviewer

This PR alone is not enough for auto-merge to be safe. Two manual one-time
repo settings still need to be enabled (checked via gh api, currently both
missing):

  1. Settings > General > Pull Requests > Allow auto-merge (currently
    allow_auto_merge: false).
  2. Branch protection on main with required status checks: mark
    powerup-test, test-dotnet-sdk, test-nodejs-sdk,
    test-python-sdk, and website-ci as required (currently
    required_status_checks.checks: [], i.e. none required). These jobs
    are now safe to require because of the changes-job refactor above.

Known gap: gomod/maven Dependabot PRs have no CI to require yet
(no Go/Java SDK test workflow exists), so the auto-merge workflow
explicitly excludes those two ecosystems until CI is added for them.

Group AWS/Azure SDK and dev/prod minor+patch updates into single PRs
per ecosystem (npm, nuget, gomod, maven, pip, github-actions), switch
schedule from daily to weekly (Monday), and cap open PRs at 5. This
cuts lockfile/format conflicts caused by many small Dependabot PRs
sitting open at once. Major version bumps still open as separate PRs
for manual review.

Add a workflow that enables GitHub auto-merge (squash) on Dependabot
PRs when the bump is not a semver-major update, so minor/patch bumps
merge unattended once required checks pass.

Requires two manual one-time repo settings to take effect safely:
"Allow auto-merge" in Settings > General, and a branch protection rule
on main with required status checks (currently none are required).
Copilot AI review requested due to automatic review settings July 13, 2026 09:25
@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Ignore keyword(s) in the title.

⛔ Ignored keywords (3)
  • wip
  • draft
  • dependabot

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fe114893-3523-497e-977f-5b2ad4df2e27

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/dependabot-grouping-automerge

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added github-actions Updates to GitHub Actions / CI workflows size/M Medium change — 50-199 lines / 5-9 files labels Jul 13, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the Dependabot configuration by changing the update interval from daily to weekly and introducing dependency grouping across various ecosystems to streamline updates. The review feedback points out a missing azure-sdk group configuration in the root npm ecosystem, which should be added for consistency with the other SDK configurations.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread .github/dependabot.yml

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR reduces dependency-update noise by grouping Dependabot updates and adding an Actions workflow to enable auto-merge for Dependabot minor/patch PRs.

Changes:

  • Adjust Dependabot schedules from daily to weekly, cap open PRs, and introduce grouping across ecosystems.
  • Add a workflow to enable GitHub auto-merge (squash) for Dependabot PRs that are not semver-major updates.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.

File Description
.github/workflows/dependabot-automerge.yml New workflow to enable auto-merge on Dependabot PRs (excluding semver-major).
.github/dependabot.yml Grouping + weekly schedules + PR limit configuration to reduce PR noise and conflicts.

Comment thread .github/workflows/dependabot-automerge.yml
Comment thread .github/workflows/dependabot-automerge.yml Outdated
Comment thread .github/dependabot.yml
Comment thread .github/dependabot.yml
Comment thread .github/dependabot.yml
Comment thread .github/dependabot.yml
Comment thread .github/dependabot.yml
Comment thread .github/dependabot.yml
Address PR #430 review feedback:

- dependabot.yml: add update-types: [minor, patch] to every aws-sdk/
  azure-sdk group. Without it, semver-major bumps for those packages
  were swept into the same group as minor/patch, contradicting the PR
  description that majors stay separate for manual review. Also add
  the missing azure-sdk group to the root npm ecosystem block, which
  has @azure/* dependencies but no matching group.
- dependabot-automerge.yml: switch pull_request to pull_request_target.
  Workflows triggered by Dependabot via pull_request always get a
  read-only GITHUB_TOKEN regardless of the permissions block, which
  would make gh pr merge --auto fail with a permission error.
- dependabot-automerge.yml: gate on the PR author
  (github.event.pull_request.user.login) instead of github.actor, so a
  maintainer clicking "Update branch" doesn't skip auto-merge on an
  otherwise-eligible Dependabot PR.
Move the `paths:` filter out of `on.pull_request` and into a new
`changes` job (dorny/paths-filter) in tests.yml, tests-dotnet-sdk.yml,
tests-nodejs-sdk.yml, tests-python-sdk.yml, and tests-website.yml. The
actual test job now depends on `changes` and is skipped via a
job-level `if:` when its paths didn't change.

This matters for the new Dependabot auto-merge workflow: GitHub's own
docs confirm that a required status check gated by a workflow-level
`paths:` filter never posts a status when skipped, and blocks merging
forever ("Waiting for status to be reported"). A job-level `if:` skip
reports "success" instead, so these checks can now be safely marked
required in branch protection without risking a stuck PR for
ecosystems that don't touch every workflow's paths.

Known gap: there is no CI workflow for the Go or Java SDKs yet, so
gomod/maven Dependabot PRs still have nothing to require. The
auto-merge workflow (previous commit) excludes those two ecosystems
until CI exists for them.
Copilot AI review requested due to automatic review settings July 13, 2026 09:50
@github-actions github-actions Bot added size/L Large change — 200-399 lines / 10-24 files; consider splitting and removed size/M Medium change — 50-199 lines / 5-9 files labels Jul 13, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 8 comments.

Comment thread .github/workflows/tests.yml Outdated
Comment thread .github/workflows/tests-website.yml Outdated
Comment thread .github/workflows/tests-python-sdk.yml Outdated
Comment thread .github/workflows/tests-nodejs-sdk.yml Outdated
Comment thread .github/workflows/tests-dotnet-sdk.yml Outdated
Comment thread .github/workflows/tests-python-sdk.yml
Comment thread .github/workflows/tests-nodejs-sdk.yml
Comment thread .github/workflows/tests-dotnet-sdk.yml
…erms

Address PR #430 review feedback on the previous commit's CI refactor:

- tests.yml, tests-website.yml, tests-dotnet-sdk.yml,
  tests-nodejs-sdk.yml, tests-python-sdk.yml: the `dorny/paths-filter`
  step now only runs on `pull_request` (it has no meaningful diff to
  compute for `workflow_dispatch`). The main test job's `if:` now
  short-circuits on `github.event_name == 'workflow_dispatch'` so a
  manual run always executes instead of silently no-oping because
  `needs.changes.outputs.X` was never set.
- tests-dotnet-sdk.yml, tests-nodejs-sdk.yml, tests-python-sdk.yml: add
  job-level `permissions: { contents: read, pull-requests: read }` to
  the new `changes` job. These 3 workflows declare an explicit
  workflow-level `permissions:` block without `pull-requests`, which
  implicitly sets it to `none`. `dorny/paths-filter` calls the PR files
  API by default on `pull_request`, so every PR would have failed the
  `changes` job with a 403 without this.
Copilot AI review requested due to automatic review settings July 13, 2026 13:26
@github-actions github-actions Bot added size/XL Very large change — 400+ lines / 25+ files; should be split and removed size/L Large change — 200-399 lines / 10-24 files; consider splitting labels Jul 13, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Comment thread .github/workflows/tests-website.yml
Comment thread .github/workflows/tests.yml
tests-website.yml declares no permissions: block, so it inherits the
repo-wide default GITHUB_TOKEN permissions instead of an explicit,
auditable grant. dorny/paths-filter calls the PR files API by default
on pull_request, so make the requirement explicit at the job level
instead of relying on an ambient repo setting that could change.

Matches the same fix already applied to tests-dotnet-sdk.yml,
tests-nodejs-sdk.yml, and tests-python-sdk.yml.
Copilot AI review requested due to automatic review settings July 13, 2026 14:12

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated no new comments.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

github-actions Updates to GitHub Actions / CI workflows size/XL Very large change — 400+ lines / 25+ files; should be split

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants