OWASP-BLT · Copilot · Oct 14, 2025 · Oct 14, 2025 · Oct 14, 2025
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -0,0 +1,54 @@
+# GitHub Actions Workflows
+
+This directory contains automated workflows for the BLT project.
+
+## Dependabot Auto-Merge Workflow
+
+The project uses two workflows to automatically approve and merge dependabot PRs:
+
+### 1. Auto-Approve Dependabot (`auto-approve-dependabot.yml`)
+
+This workflow automatically approves pull requests created by dependabot.
+
+- **Triggers**: When a PR is opened by dependabot
+- **Actions**: Approves the PR using the `cognitedata/auto-approve-dependabot-action`
+- **Permissions**: Requires `pull-requests: write`
+
+### 2. Auto-Merge (`auto-merge.yml`)
+
+This workflow automatically merges dependabot PRs after they have been approved.
+
+- **Triggers**:
+  - When a PR is opened/updated (`pull_request_target`)
+  - When a PR review is submitted (`pull_request_review`)
+  - After the "Approve dependabot" workflow completes (`workflow_run`)
+
+- **Behavior**:
+  1. Waits 5 seconds for approvals to be recorded in GitHub
+  2. Checks if the PR has been approved (retries up to 3 times with 10-second delays)
+  3. If approved, enables auto-merge with squash strategy
+  4. Automatically deletes the branch after merge
+
+- **Permissions**: Requires `contents: write` and `pull-requests: write`
+
+### How It Works Together
+
+1. Dependabot creates a PR
+2. `auto-approve-dependabot.yml` runs and approves the PR
+3. `auto-merge.yml` runs (triggered by the workflow_run event)
+4. `auto-merge.yml` waits for approvals to be recorded
+5. `auto-merge.yml` enables auto-merge on the PR
+6. GitHub automatically merges the PR when all checks pass
+
+### Configuration
+
+The auto-merge workflow uses:
+- **Merge strategy**: Squash (combines all commits into one)
+- **Branch deletion**: Automatic (after merge)
+- **Retry attempts**: 3 attempts with 10-second delays between attempts
+
+### Notes
+
+- The workflow only runs for PRs created by dependabot bots
+- Branch protection rules must allow auto-merge
+- Required status checks must pass before the PR can be merged
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
@@ -1,36 +1,92 @@
 name: auto-merge
 
+# This workflow automatically merges dependabot PRs that have been auto-approved
+# It triggers in three scenarios:
+# 1. When a PR is opened/updated (pull_request_target)
+# 2. When a PR review is submitted (pull_request_review)
+# 3. After the "Approve dependabot" workflow completes (workflow_run)
 on:
   pull_request_target:
     types: [opened, synchronize, reopened, ready_for_review]
   pull_request_review:
     types: [submitted]
+  workflow_run:
+    workflows: ["Approve dependabot"]
+    types:
+      - completed
 
 jobs:
   auto-merge:
     runs-on: ubuntu-latest
-    if: github.actor == 'dependabot[bot]' || github.actor == 'dependabot-preview[bot]' || github.actor == 'dependabot'
+    # Run if:
+    # - The actor is dependabot (for pull_request_target and pull_request_review events)
+    # - The workflow_run was successful (for workflow_run event)
+    if: |
+      github.actor == 'dependabot[bot]' ||
+      github.actor == 'dependabot-preview[bot]' ||
+      github.actor == 'dependabot' ||
+      github.event.workflow_run.conclusion == 'success'
     permissions:
       contents: write
       pull-requests: write
     steps:
+      - name: Get PR number
+        id: get_pr
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_run" ]; then
+            # Get PR number from workflow_run event
+            pr_number=$(gh api /repos/${{ github.repository }}/pulls --jq '.[] | select(.head.sha=="${{ github.event.workflow_run.head_sha }}") | .number' | head -n 1)
+          else
+            # Get PR number from pull_request event
+            pr_number="${{ github.event.pull_request.number }}"
+          fi
+          echo "pr_number=$pr_number" >> $GITHUB_OUTPUT
+          echo "Found PR number: $pr_number"
+
       - name: Wait for approval and enable auto-merge
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          pr_number="${{ github.event.pull_request.number }}"
-
-          # Check if PR is already approved
-          reviews=$(gh pr view $pr_number --json reviews --jq '.reviews[] | select(.state=="APPROVED") | .state' | wc -l)
-
+          pr_number="${{ steps.get_pr.outputs.pr_number }}"
+
+          if [ -z "$pr_number" ]; then
+            echo "No PR number found, exiting"
+            exit 0
+          fi
+
+          # Wait a bit for approvals to be recorded
+          echo "Waiting 5 seconds for approvals to be recorded..."
+          sleep 5
+
+          # Check if PR is already approved with retry logic
+          max_attempts=3
+          attempt=0
+          reviews=0
+
+          while [ $attempt -lt $max_attempts ]; do
+            reviews=$(gh pr view $pr_number --json reviews --jq '.reviews[] | select(.state=="APPROVED") | .state' | wc -l)
+
+            if [ "$reviews" -gt 0 ]; then
+              echo "PR #$pr_number has $reviews approval(s)"
+              break
+            fi
+
+            attempt=$((attempt + 1))
+            if [ $attempt -lt $max_attempts ]; then
+              echo "No approvals found yet, waiting 10 seconds... (attempt $attempt/$max_attempts)"
+              sleep 10
+            fi
+          done
+
           if [ "$reviews" -gt 0 ]; then
             echo "PR #$pr_number is approved, enabling auto-merge"
-            
+
             # Enable auto-merge with squash strategy
             gh pr merge $pr_number --auto --squash --delete-branch
-            
+
             echo "Auto-merge enabled for dependabot PR #$pr_number"
           else
-            echo "PR #$pr_number is not yet approved, skipping auto-merge"
+            echo "PR #$pr_number is not yet approved after $max_attempts attempts, skipping auto-merge"
           fi
-