ci(dependabot): group updates and auto-merge minor/patch bumps#430
ci(dependabot): group updates and auto-merge minor/patch bumps#430macalbert wants to merge 5 commits into
Conversation
Group AWS/Azure SDK and dev/prod minor+patch updates into single PRs per ecosystem (npm, nuget, gomod, maven, pip, github-actions), switch schedule from daily to weekly (Monday), and cap open PRs at 5. This cuts lockfile/format conflicts caused by many small Dependabot PRs sitting open at once. Major version bumps still open as separate PRs for manual review. Add a workflow that enables GitHub auto-merge (squash) on Dependabot PRs when the bump is not a semver-major update, so minor/patch bumps merge unattended once required checks pass. Requires two manual one-time repo settings to take effect safely: "Allow auto-merge" in Settings > General, and a branch protection rule on main with required status checks (currently none are required).
|
Important Review skippedIgnore keyword(s) in the title. ⛔ Ignored keywords (3)
Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request updates the Dependabot configuration by changing the update interval from daily to weekly and introducing dependency grouping across various ecosystems to streamline updates. The review feedback points out a missing azure-sdk group configuration in the root npm ecosystem, which should be added for consistency with the other SDK configurations.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
There was a problem hiding this comment.
Pull request overview
This PR reduces dependency-update noise by grouping Dependabot updates and adding an Actions workflow to enable auto-merge for Dependabot minor/patch PRs.
Changes:
- Adjust Dependabot schedules from daily to weekly, cap open PRs, and introduce grouping across ecosystems.
- Add a workflow to enable GitHub auto-merge (squash) for Dependabot PRs that are not semver-major updates.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| .github/workflows/dependabot-automerge.yml | New workflow to enable auto-merge on Dependabot PRs (excluding semver-major). |
| .github/dependabot.yml | Grouping + weekly schedules + PR limit configuration to reduce PR noise and conflicts. |
Address PR #430 review feedback: - dependabot.yml: add update-types: [minor, patch] to every aws-sdk/ azure-sdk group. Without it, semver-major bumps for those packages were swept into the same group as minor/patch, contradicting the PR description that majors stay separate for manual review. Also add the missing azure-sdk group to the root npm ecosystem block, which has @azure/* dependencies but no matching group. - dependabot-automerge.yml: switch pull_request to pull_request_target. Workflows triggered by Dependabot via pull_request always get a read-only GITHUB_TOKEN regardless of the permissions block, which would make gh pr merge --auto fail with a permission error. - dependabot-automerge.yml: gate on the PR author (github.event.pull_request.user.login) instead of github.actor, so a maintainer clicking "Update branch" doesn't skip auto-merge on an otherwise-eligible Dependabot PR.
Move the `paths:` filter out of `on.pull_request` and into a new
`changes` job (dorny/paths-filter) in tests.yml, tests-dotnet-sdk.yml,
tests-nodejs-sdk.yml, tests-python-sdk.yml, and tests-website.yml. The
actual test job now depends on `changes` and is skipped via a
job-level `if:` when its paths didn't change.
This matters for the new Dependabot auto-merge workflow: GitHub's own
docs confirm that a required status check gated by a workflow-level
`paths:` filter never posts a status when skipped, and blocks merging
forever ("Waiting for status to be reported"). A job-level `if:` skip
reports "success" instead, so these checks can now be safely marked
required in branch protection without risking a stuck PR for
ecosystems that don't touch every workflow's paths.
Known gap: there is no CI workflow for the Go or Java SDKs yet, so
gomod/maven Dependabot PRs still have nothing to require. The
auto-merge workflow (previous commit) excludes those two ecosystems
until CI exists for them.
…erms Address PR #430 review feedback on the previous commit's CI refactor: - tests.yml, tests-website.yml, tests-dotnet-sdk.yml, tests-nodejs-sdk.yml, tests-python-sdk.yml: the `dorny/paths-filter` step now only runs on `pull_request` (it has no meaningful diff to compute for `workflow_dispatch`). The main test job's `if:` now short-circuits on `github.event_name == 'workflow_dispatch'` so a manual run always executes instead of silently no-oping because `needs.changes.outputs.X` was never set. - tests-dotnet-sdk.yml, tests-nodejs-sdk.yml, tests-python-sdk.yml: add job-level `permissions: { contents: read, pull-requests: read }` to the new `changes` job. These 3 workflows declare an explicit workflow-level `permissions:` block without `pull-requests`, which implicitly sets it to `none`. `dorny/paths-filter` calls the PR files API by default on `pull_request`, so every PR would have failed the `changes` job with a 403 without this.
tests-website.yml declares no permissions: block, so it inherits the repo-wide default GITHUB_TOKEN permissions instead of an explicit, auditable grant. dorny/paths-filter calls the PR files API by default on pull_request, so make the requirement explicit at the job level instead of relying on an ambient repo setting that could change. Matches the same fix already applied to tests-dotnet-sdk.yml, tests-nodejs-sdk.yml, and tests-python-sdk.yml.
Pull Request
What does this PR do?
Reduces Dependabot PR noise and lockfile/format conflicts caused by many
small updates sitting open at once, and makes CI safe to require for
auto-merge:
.github/dependabot.yml: addsgroups:(aws-sdk/azure-sdk, eachscoped to
update-types: [minor, patch]so major bumps stayungrouped, +
dev-minor-patch/prod-minor-patch) to every ecosystemblock (npm root, npm Node.js SDK, nuget, gomod, maven, pip,
github-actions), switches
schedule.intervalfromdailytoweekly(Monday), and addsopen-pull-requests-limit: 5..github/workflows/dependabot-automerge.yml(new): enables GitHubauto-merge (squash) on Dependabot PRs via
dependabot/fetch-metadata@v2,gated on
update-type != version-update:semver-major. Usespull_request_target(Dependabot PRs get a read-onlyGITHUB_TOKENon plain
pull_request) and gates on the PR author, notgithub.actor.Excludes
dependabot/go_modules/anddependabot/maven/branches:there is no CI workflow for the Go or Java SDKs yet, so there would be
nothing to wait for.
tests.yml,tests-website.yml,tests-dotnet-sdk.yml,tests-nodejs-sdk.yml,tests-python-sdk.yml: moved thepaths:filter out of
on.pull_requestinto a newchangesjob(
dorny/paths-filter), with the real test job gated byneeds: changes+ a job-levelif:. A required check gated by aworkflow-level
paths:filter never posts a status when skipped andblocks merging forever (confirmed in GitHub's own docs); a job-level
if:skip reports "success" instead, so these checks can now besafely marked required in branch protection.
workflow_dispatchrunsalways execute regardless of the path filter.
No dependencies or lockfiles were touched by hand.
Related issues
N/A
Type of change
Checklist
pnpm lintandsecretlinton changed files)Notes for reviewer
This PR alone is not enough for auto-merge to be safe. Two manual one-time
repo settings still need to be enabled (checked via
gh api, currently bothmissing):
allow_auto_merge: false).mainwith required status checks: markpowerup-test,test-dotnet-sdk,test-nodejs-sdk,test-python-sdk, andwebsite-cias required (currentlyrequired_status_checks.checks: [], i.e. none required). These jobsare now safe to require because of the
changes-job refactor above.Known gap: gomod/maven Dependabot PRs have no CI to require yet
(no Go/Java SDK test workflow exists), so the auto-merge workflow
explicitly excludes those two ecosystems until CI is added for them.