Conversation

@Marenz Marenz (Contributor) commented Oct 20, 2025

This PR adds a GitHub workflow to automatically manage Dependabot pull requests.

This workflow uses the ad/dependabot-auto-approve@v1 GitHub Action, which may need to be explicitly whitelisted in the organization's settings.

@Marenz Marenz requested a review from a team as a code owner October 20, 2025 13:19
@Marenz Marenz requested review from Copilot and ktickner October 20, 2025 13:19
@github-actions github-actions bot added the part:tooling Affects the development tooling (CI, deployment, dependency management, etc.) label Oct 20, 2025
Copilot AI (Contributor) left a comment

Pull Request Overview

Adds a workflow to automatically approve and merge Dependabot pull requests.

  • Introduces a GitHub Actions workflow gated to the Dependabot actor.
  • Configures auto-approval, labeling, and merge behavior for all dependency types.

@@ -0,0 +1,18 @@
name: Dependabot Auto Manage
on: pull_request
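Review bot: `on: pull_request` is the right trigger from a token-scoping standpoint; if this is ever switched to `pull_request_target` to get a write-capable token, the job would then run in the base repository's context and must not check out or execute anything from the PR head. Also confirm the workflow declares the `permissions` it needs (`pull-requests: write`, plus `contents: write` if it merges), since Dependabot-triggered `pull_request` runs receive a read-only `GITHUB_TOKEN` by default; the lines that would carry that block fall outside the excerpt shown here.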
Copilot AI commented Oct 20, 2025

[nitpick] Using on: pull_request without restricting event types causes the workflow to be evaluated for every pull request (then skipped via the if condition), creating unnecessary workflow invocations. Restrict with types: [opened, synchronize, reopened] or use pull_request_target if appropriate.

Suggested change:

- on: pull_request
+ on:
+   pull_request:
+     types: [opened, synchronize, reopened]

steps:
- uses: ad/dependabot-auto-approve@v1
with:
dependency-type: 'all'
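Review bot: `ad/dependabot-auto-approve@v1` is a third-party action referenced by a mutable major-version tag, yet it is the step that gets to approve and merge; pin it to a full commit SHA (`ad/dependabot-auto-approve@<sha> # v1`, placeholder) and let Dependabot's `github-actions` ecosystem propose the bumps, so a moved tag cannot silently change what runs with approval rights. With `dependency-type: 'all'` this also covers major version bumps, which is where a review is most likely to be needed.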
Copilot AI commented Oct 20, 2025

[nitpick] Auto-merging all dependency types increases risk of merging breaking major updates or dev-only changes without review. Consider narrowing to 'production' or adding a versioning strategy (e.g., limiting to patch/minor) to reduce disruption.

Suggested change:

- dependency-type: 'all'
+ dependency-type: 'production'

@Marenz Marenz force-pushed the add-dependabot-workflow branch 2 times, most recently from e063e9b to d455da6 Compare October 20, 2025 13:23
@llucax llucax (Contributor) left a comment

I like it, but this is probably not the best repository to add this to, because grpc/protobuf updates need manual intervention.

So I would add this as is to some other, non-API, repo first, and after this one is working, we can consider doing one or more of these:

  1. Add a feature to the auto-merge action to only auto-approve PRs that match some regex (so we can exclude the protobuf/grpc stuff).
  2. Add some step/workflow to automatically fix the protobuf/grpc updates.
  3. Disable protobuf/grpc updates and find another way to update those. Normally we should probably only change these dependencies for major updates; there is no harm in supporting older versions, except maybe for patch updates, where we may really want to re-generate the python files. But it is something that needs more thought.

@llucax llucax (Contributor) left a comment

Marking as needs changes to avoid accidental merges, as merging this will be problematic if protobuf/grpc bumps are automatically merged.

@Marenz Marenz force-pushed the add-dependabot-workflow branch from d455da6 to 7e59a1d Compare October 22, 2025 10:04