Skip to content

feat: add direct merge to dependabot update workflow#129

Merged
don-petry merged 1 commit into
mainfrom
feat/dependabot-update-and-merge
Apr 6, 2026
Merged

feat: add direct merge to dependabot update workflow#129
don-petry merged 1 commit into
mainfrom
feat/dependabot-update-and-merge

Conversation

@don-petry

@don-petry don-petry commented Apr 6, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Enhances the dependabot-rebase workflow to also directly merge eligible PRs
  • Solves the mergeable_state: blocked issue where GitHub auto-merge (--auto) never triggers due to rulesets causing a permanent BLOCKED state
  • Uses the app token for merges so each merge triggers a new push to main, creating a self-sustaining chain that serializes Dependabot PR merges

How it works

On each push to main:

  1. Update behind PRs — merges main into any Dependabot PR branches that are behind
  2. Merge ready PRs — finds the first PR that is up-to-date, has auto-merge enabled, and all checks passing, then merges it directly
  3. Chain reaction — the merge (via app token) triggers another push to main, looping back to step 1

Test plan

  • Merge this PR
  • Open a new Dependabot PR (or wait for next weekly run)
  • Verify the full chain: update → CI → approve → merge → repeat

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Enhanced Dependabot automation to automatically merge dependency update PRs once they are up to date and all required CI checks pass.

GitHub auto-merge (--auto) fails to trigger when rulesets cause
mergeable_state to report "blocked" despite all requirements being met.
Add a direct merge step that checks if PRs are up-to-date with all
checks passing, and merges them using the app token. The app token
merge triggers a new push to main, creating a self-sustaining chain.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 6, 2026 02:33
@coderabbitai

coderabbitai Bot commented Apr 6, 2026

Copy link
Copy Markdown

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6f378444-8fe2-4d2d-a9fe-01cb64e022de

📥 Commits

Reviewing files that changed from the base of the PR and between fda163a and a4d504f.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-rebase.yml

📝 Walkthrough

Walkthrough

The Dependabot workflow is extended to automatically merge PRs after updating branches. When PRs are up-to-date, the workflow checks auto-merge eligibility, verifies CI status passes, and performs squash merges while limiting one merge per run.

Changes

Cohort / File(s) Summary
Dependabot Workflow
.github/workflows/dependabot-rebase.yml
Renamed job from update to update-and-merge and extended control flow: added merge-readiness gating with auto-merge verification, CI status validation via statusCheckRollup, and automatic squash merging via GitHub API; maintains MERGED flag to restrict one merge per workflow run.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • feat: add dependabot-rebase workflow #125: Both PRs modify the same Dependabot workflow and share core logic for iterating Dependabot PRs and computing behind_by, though this PR extends it with auto-merge and merge-gating capabilities.

Suggested reviewers

  • Copilot
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/dependabot-update-and-merge

Comment @coderabbitai help to get the list of available commands and usage tips.

@sonarqubecloud

sonarqubecloud Bot commented Apr 6, 2026

Copy link
Copy Markdown

@don-petry don-petry merged commit 1540829 into main Apr 6, 2026
14 of 15 checks passed
@don-petry don-petry deleted the feat/dependabot-update-and-merge branch April 6, 2026 02:34

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the dependabot-rebase GitHub Actions workflow to not only update behind Dependabot PR branches, but also directly merge the first Dependabot PR that appears merge-ready (up-to-date, auto-merge enabled, and checks passing), using an app token to trigger a push-to-main “chain” of successive merges.

Changes:

  • Expand the workflow’s purpose and rename job/step labels to reflect both updating and merging.
  • Add logic to detect up-to-date Dependabot PRs with auto-merge enabled and passing checks, then merge one PR per run via the GitHub API.
  • Keep update-branch behavior for behind PRs using merge (not rebase) to preserve Dependabot commit identity.
Comments suppressed due to low confidence (1)

.github/workflows/dependabot-rebase.yml:33

  • This workflow is designed to "serialize" Dependabot merges via a chain of pushes to main, but without a concurrency group multiple runs can overlap (e.g., a merge-triggered push starts a new run while the previous run is still iterating PRs). That can lead to parallel merge attempts and defeats the one-at-a-time guarantee. Add a workflow/job-level concurrency group (with cancel-in-progress: false to queue) to ensure only one run executes at a time.
on:
  push:
    branches:
      - main

# still recognizes the PR as its own.
# Solution: after every push to main (typically a merged PR), this workflow:
# 1. Updates behind Dependabot PRs using the merge method (not rebase)
# 2. Merges any Dependabot PR that is up-to-date, approved, and passing CI

Copilot AI Apr 6, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The header comment says the workflow "merges any Dependabot PR that is up-to-date, approved, and passing CI", but the implementation only checks that auto-merge is enabled and checks are passing (it does not verify reviewDecision/approvals). Either update the comment to match the actual gating, or add an explicit approval check (e.g., reviewDecision == APPROVED) before attempting the merge so behavior matches the documented intent.

Suggested change
# 2. Merges any Dependabot PR that is up-to-date, approved, and passing CI
# 2. Merges any Dependabot PR that is up-to-date, auto-merge-enabled, and passing CI

Copilot uses AI. Check for mistakes.
# Check if all required checks pass (look at overall rollup)
CHECKS_PASS=$(gh pr view "$PR_NUMBER" --repo "$REPO" \
--json statusCheckRollup \
--jq '[.statusCheckRollup[]? | select(.name != null and .status == "COMPLETED") | .conclusion] | all(. == "SUCCESS" or . == "NEUTRAL" or . == "SKIPPED")')

Copilot AI Apr 6, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The jq expression uses all(...) over the list of completed checks; in jq, all on an empty array returns true. If statusCheckRollup is empty (e.g., checks haven't started reporting yet, or the PR has no checks), this would treat the PR as "all checks pass" and attempt to merge. Consider additionally requiring at least one check entry (or using the overall combined status/mergeStateStatus) so merges only happen when CI has actually reported success.

Suggested change
--jq '[.statusCheckRollup[]? | select(.name != null and .status == "COMPLETED") | .conclusion] | all(. == "SUCCESS" or . == "NEUTRAL" or . == "SKIPPED")')
--jq '([.statusCheckRollup[]? | select(.name != null and .status == "COMPLETED") | .conclusion]) as $completed | ($completed | length) > 0 and ($completed | all(. == "SUCCESS" or . == "NEUTRAL" or . == "SKIPPED"))')

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants