Fix dependabot YAML parse in auto-merge workflow #21
Merged
The Approve PR step in dependabot-automerge.yml had an inline
`${{ steps.decide.outputs.reason }}` expansion inside an unquoted
flow-scalar `run:` value. The expansion produces a string containing
`: ` (e.g. "major update — manual review required"), which strict YAML
parsers reject with "mapping values are not allowed here." GitHub
Actions' parser was lenient enough to run it, but Dependabot's parser
failed the file and refused to update PRs, posting "Dependabot can't
parse your dependabot-automerge.yml" on every dependency PR.
Fix: move the interpolation into env: (REASON) and switch all three
`run:` lines to block scalars. This also matches the GitHub-recommended
pattern that protects against shell injection if an upstream value ever
contains shell metacharacters.
Also drops references to labels that were removed in the label-cleanup
pass (feature, fix, chore) from release.yml's changelog config; those
labels no longer exist on the repo so their bucket entries were dead.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
This PR fixes a YAML parsing incompatibility that caused Dependabot to reject the repository’s dependabot-automerge workflow file (even though GitHub Actions executed it), which in turn blocked Dependabot commands like @dependabot recreate / @dependabot rebase.
Changes:
- Refactored the auto-merge workflow’s `run:` commands to use block scalars (`|`) and moved `${{ ... }}` interpolation into `env:` variables to satisfy stricter YAML parsers.
- Removed references to deleted labels from the release-notes category configuration.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| `.github/workflows/dependabot-automerge.yml` | Prevents Dependabot YAML parse failures by avoiding problematic inline `${{ }}` expansion in plain scalars and standardizing `run: \|` |
| `.github/release.yml` | Cleans up changelog label categories by removing references to labels that no longer exist. |
Summary

Fixes the "Dependabot can't parse your dependabot-automerge.yml" comment that has been posted on every Dependabot PR (#2, #3, #6, #10) by moving an inline `${{ }}` expansion out of an unquoted `run:` flow scalar. Also drops three label references from `release.yml` that pointed at labels removed in the same session's label-cleanup pass.

What changed

`.github/workflows/dependabot-automerge.yml`
- `run:` line embedded `${{ steps.decide.outputs.reason }}` directly inside a double-quoted string on the same line as the `run:` key. The interpolation result contains `: ` (e.g. `"major update — manual review required"`), so the resulting line had a second `:` after the key, which strict YAML parsers reject with `"mapping values are not allowed here"`. GitHub Actions' lenient parser ran it fine, but Dependabot's parser failed the whole file and stopped updating PRs.
- `env:` var (`REASON`) and switch all three `run:` lines to block scalars (`|`). This also matches GitHub's recommended pattern that avoids shell-injection if the upstream value ever contains shell metacharacters.
- `env:`/block-scalar shape to the other two `run:` lines for consistency.

`.github/release.yml`
- `feature`, `fix`, `chore`) under the Features / Bug Fixes / Internal buckets. Those labels were deleted in the repo-side label cleanup pass, so leaving them in the changelog config was just noise.

Why

Dependabot has been unable to update any open Dependabot PR for the past week because of the parse error. Merging this should unblock `@dependabot recreate` / `@dependabot rebase` on #2, #3, #6, and #10.

Test plan

- `python -c "import yaml; yaml.safe_load(open('.github/workflows/dependabot-automerge.yml'))"` parses cleanly (it failed before the fix at line 73 col 68).
- `@dependabot recreate` on one of the open Dependabot PRs and confirm the parse-error comment no longer appears.

No code paths in the app are touched, so no `dotnet build` / `dotnet test` is needed.

Release

`VERSION`?

Related

Companion to the repo-side label cleanup (deleted `documentation`, `feature`, `fix`, `chore`, and six unused GitHub defaults; renamed `app` description to drop the stale "WPF" mention).
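
The two `run:` shapes discussed in this PR, with a small pre-merge check that tells them apart. This is an added example, not code from the PR or the repository. The workflow fragments are constructed, and the `gh pr review` command, the `PR_URL` variable and the "Auto-approved:" text are assumptions. The check is a line-based heuristic that needs no YAML library.

```python
import re

# Constructed fragments, not the repository's real file: the inline shape
# the PR describes, and the env:/block-scalar shape it moves to.
# The gh command and "Auto-approved:" text are assumptions.
BEFORE = '''\
steps:
  - name: Approve PR
    run: gh pr review --approve "$PR_URL" --body "Auto-approved: ${{ steps.decide.outputs.reason }}"
'''
AFTER = '''\
steps:
  - name: Approve PR
    env:
      REASON: ${{ steps.decide.outputs.reason }}
    run: |
      gh pr review --approve "$PR_URL" --body "Auto-approved: $REASON"
'''

RUN_KEY = re.compile(r'^\s*(?:- +)?(run):(.*)$')
BLOCK_HEADER = re.compile(r'^[|>][+-]?\d*\s*(#.*)?$')
EXPR = 'expression expanded inside script'
PLAIN = 'plain scalar contains ": "'

def indent(line):
    return len(line) - len(line.lstrip(' '))

def lint_run_steps(text):
    """Line-based heuristic (not a YAML parser): (line_no, problem) pairs."""
    findings, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        i += 1  # i is now the 1-based number of the line just matched
        if not m:
            continue
        key_col, value = m.start(1), m.group(2).strip()
        if BLOCK_HEADER.match(value):
            # Block scalar: ": " is literal text; only look for ${{ }} in the body.
            while i < len(lines) and (not lines[i].strip() or indent(lines[i]) > key_col):
                if '${{' in lines[i]:
                    findings.append((i + 1, EXPR))
                i += 1
            continue
        if '${{' in value:
            findings.append((i, EXPR))
        if value[:1] not in ('"', "'") and ': ' in value:
            findings.append((i, PLAIN))
    return findings
```

`lint_run_steps(BEFORE)` reports both problems on line 3, and `lint_run_steps(AFTER)` reports none because the expression now lives only in `env:` and the script body is a block scalar.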