Marenz
Contributor

@Marenz Marenz commented Oct 15, 2025

Summary

  • Add GitHub Actions workflow to automatically approve and merge Dependabot PRs
  • Uses ad/dependabot-auto-approve action with merge method
  • Applies to all dependency types and adds 'auto-merged' label

@Copilot Copilot AI review requested due to automatic review settings October 15, 2025 09:32
@github-actions github-actions bot added the part:tooling Affects the development tooling (CI, deployment, dependency management, etc.) label Oct 15, 2025

@Copilot Copilot AI left a comment

Pull Request Overview

Adds a GitHub Actions workflow to automatically approve and merge Dependabot pull requests, streamlining dependency updates with minimal manual intervention.

  • Introduces automated approval and merging for all Dependabot PRs
  • Configures the workflow to trigger on pull request events with proper permissions
  • Sets up labeling for auto-merged PRs to maintain visibility

@@ -0,0 +1,18 @@
name: Dependabot Auto Manage
on: pull_request
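
Review bot: `on: pull_request` on the second line of the new file has no author or event filter, so the workflow starts for every pull request, not only Dependabot's. Because the job approves and merges, gate it on the PR author, for example `if: github.event.pull_request.user.login == 'dependabot[bot]'`, unless the remaining lines of this 18-line file (not shown here) already do so. Narrowing `types` alone would not change who can trigger the run.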

Copilot AI Oct 15, 2025

Using 'pull_request' trigger allows external contributors to trigger this workflow. Consider using 'pull_request_target' with additional safety checks, or restrict to specific event types like 'opened' and 'synchronize'.

Suggested change
on: pull_request
on:
pull_request:
types: [opened, synchronize]

@Marenz
Contributor Author

Marenz commented Oct 15, 2025

Seems the settings for allowed actions need to be updated to make this one work:

The action ad/dependabot-auto-approve@v1 is not allowed in frequenz-floss/frequenz-client-reporting-python because all actions must be from a repository owned by frequenz-floss, created by GitHub, verified in the GitHub Marketplace, or match one of the patterns: PyO3/maturin-action@, brettcannon/check-for-changed-files@, yoheimuta/action-protolint@*.

@Marenz Marenz force-pushed the add-dependabot-auto-merge branch from d5ee098 to aac7b94 Compare October 15, 2025 09:41
Signed-off-by: Mathias L. Baumann <[email protected]>
@Marenz Marenz force-pushed the add-dependabot-auto-merge branch from aac7b94 to 04c4e63 Compare October 15, 2025 09:48
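
The allowed-actions rule quoted in the error message above can be checked locally before a workflow is pushed. The following is an added example, not code from this pull request or from the frequenz-floss project: the sample workflow is constructed, `trusted_owners` is an assumed stand-in for "created by GitHub", the wildcard matching is an approximation, and the "verified in the GitHub Marketplace" clause is not modelled.

```python
import fnmatch
import re

# Captures the value of a `uses:` key (workflow step or reusable-workflow job).
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)


def action_refs(workflow_text):
    """Return every `uses:` reference found in the workflow text, in order."""
    return USES_RE.findall(workflow_text)


def is_allowed(ref, org, patterns, trusted_owners=("actions", "github")):
    """Approximate the allowed-actions rule from the error message.

    trusted_owners is an assumption standing in for "created by GitHub".
    Marketplace verification needs an online lookup and is not modelled,
    so such actions are reported as disallowed for manual review.
    """
    if ref.startswith("./"):  # local action, lives in the calling repository
        return True
    owner = ref.split("/", 1)[0].lower()
    if owner == org.lower() or owner in trusted_owners:
        return True
    # Approximation: fnmatch's `*` stands in for the policy wildcard.
    return any(fnmatch.fnmatchcase(ref.lower(), p.lower()) for p in patterns)


def disallowed(workflow_text, org, patterns):
    """List the references that the policy would reject."""
    return [r for r in action_refs(workflow_text) if not is_allowed(r, org, patterns)]


# Constructed sample; the step layout and version tags other than
# ad/dependabot-auto-approve@v1 are illustrative, not the PR's file.
SAMPLE = """\
name: Dependabot Auto Manage
on: pull_request
jobs:
  auto-merge:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: yoheimuta/action-protolint@v1
      - name: Approve
        uses: ad/dependabot-auto-approve@v1
"""

if __name__ == "__main__":
    for ref in disallowed(SAMPLE, "frequenz-floss", ["yoheimuta/action-protolint@*"]):
        print("not allowed by policy:", ref)
```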