Add Dependabot auto-merge workflows (ROSA-745)#989

Open
MitaliBhalla wants to merge 1 commit into openshift:master from MitaliBhalla:chore/dependabot-auto-merge

Conversation

@MitaliBhalla MitaliBhalla commented May 19, 2026

Summary

Enables Dependabot auto-merge for routine dependency updates (ROSA-745 / ROSAENG-751), aligned with the openshift/backplane-cli pilot (SREP-2438).

Changes

  • dependabot-auto-merge.yml: enables auto-merge for patch, minor, and digest Dependabot PRs after required CI passes; major updates remain manual (PR comment only).
  • branch-protection-check.yml: weekly workflow to verify Dependabot config and auto-merge workflow are present.

Notes

  • Restricted to dependabot[bot] and the openshift org.
  • Relies on existing ci/prow/* required checks (configured via DPP-20685).
  • Does not change merge policy beyond enabling the automation path once checks are green.

Test plan

  • CI / required checks pass on this PR
  • Review workflow YAML
  • After merge: confirm a future Dependabot patch/minor PR can enable auto-merge when checks pass

Made with Cursor

Summary by CodeRabbit

  • Chores
    • Enabled automated merging of Dependabot pull requests for safe updates (patch, minor, digest) using squash merges when possible.
    • Major version updates now require manual review; PRs include a clear explanatory note when auto-merge is disabled.
    • Added a scheduled and manual validation workflow that checks dependency-management configuration and required automation, failing with clear messages if checks are missing.

coderabbitai Bot commented May 19, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds a Dependabot auto-merge GitHub Actions workflow that enables squash auto-merge for patch/minor/digest updates and comments for major updates, plus a weekly/manual branch-protection/config check that verifies .github/dependabot.yml and the auto-merge workflow file exist.

Changes

Dependabot Automation

Layer | File(s) | Summary
Branch protection / config validation | .github/workflows/branch-protection-check.yml | Scheduled/manual workflow verifies presence of .github/dependabot.yml and .github/workflows/dependabot-auto-merge.yml, failing if missing.
Workflow metadata & permissions | .github/workflows/dependabot-auto-merge.yml | Workflow name, PR trigger configuration, and job permissions to enable auto-merge and post comments.
Job guard and job definition | .github/workflows/dependabot-auto-merge.yml | Job if-guard restricts execution to dependabot[bot] PRs on openshift; defines the auto-merge job.
Dependabot metadata extraction | .github/workflows/dependabot-auto-merge.yml | Uses dependabot/fetch-metadata@v2 to populate update-type, dependency names, and version fields for downstream decisions.
Safe-update auto-merge path | .github/workflows/dependabot-auto-merge.yml | For patch/minor/digest updates: fetches PR node ID, calls GraphQL enablePullRequestAutoMerge with mergeMethod: SQUASH, and posts a structured comment if enablement fails (comment failure tolerated).
Major-update manual-review path | .github/workflows/dependabot-auto-merge.yml | For semver-major updates: posts a manual-review comment explicitly disabling auto-merge; comment POST failure causes step failure.
Decision logging | .github/workflows/dependabot-auto-merge.yml | Logs whether auto-merge would be enabled or disabled based on the extracted update type.

Sequence Diagram(s)

sequenceDiagram
  participant Dependabot
  participant ActionsRunner
  participant GitHubREST
  participant GitHubGraphQL
  participant PullRequest

  Dependabot->>ActionsRunner: PR opened (dependabot[bot])
  ActionsRunner->>ActionsRunner: fetch metadata (dependabot/fetch-metadata)
  ActionsRunner->>GitHubREST: GET PR to obtain node_id
  alt update-type is patch/minor/digest
    ActionsRunner->>GitHubGraphQL: enablePullRequestAutoMerge(node_id, SQUASH)
    GitHubGraphQL-->>ActionsRunner: success/failure
    alt failure
      ActionsRunner->>GitHubREST: POST comment describing enable failure (|| true)
    end
  else update-type is semver-major
    ActionsRunner->>GitHubREST: POST manual-review comment (fail on non-2xx)
  end
  ActionsRunner->>PullRequest: log enable/disable decision

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Description check | ⚠️ Warning | The description deviates significantly from the template. It lacks the 'What is being added?' section, omits the required checklist, provides no manual test steps, and uses an alternative format. | Restructure the description to follow the template: include 'What is being added?' section, complete the checklist (testing, unit tests, documentation), and provide explicit manual test steps to verify the workflows function correctly.

✅ Passed checks (11 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title accurately summarizes the main change: adding Dependabot auto-merge workflows for the ROSA-745 initiative.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | ✅ Passed | PR adds GitHub Actions workflows (YAML). No Go test code or Ginkgo tests modified. Custom check for Ginkgo test names is not applicable.
Test Structure And Quality | ✅ Passed | Check not applicable. PR adds GitHub Actions workflows (YAML) with no Ginkgo test code. The check requires reviewing Ginkgo test patterns which are absent.
Microshift Test Compatibility | ✅ Passed | No Ginkgo e2e tests added. PR only includes GitHub Actions workflow YAML files for Dependabot automation and branch protection. Check not applicable.
Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR adds GitHub Actions workflow YAML files only, not Ginkgo e2e tests. SNO compatibility check applies exclusively to new e2e tests; no such tests present.
Topology-Aware Scheduling Compatibility | ✅ Passed | PR adds GitHub Actions workflows only. Topology-aware scheduling check applies to deployment manifests and operator code, not GitHub Actions. Check is not applicable.
Ote Binary Stdout Contract | ✅ Passed | PR adds only GitHub Actions workflow YAML files (.github/workflows/). No OTE binary, Go source, or test code present. Check not applicable.
Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | This PR adds only GitHub Actions workflow files (.yml), not Ginkgo e2e tests. The check applies specifically to e2e tests and is not applicable here.


@openshift-ci openshift-ci Bot requested review from dakotalongRH and reedcort May 19, 2026 04:27
openshift-ci Bot commented May 19, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MitaliBhalla
Once this PR has been reviewed and has the lgtm label, please assign joshbranham for approval. For more information see the Code Review Process.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

Inline comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 75-78: The current success check only tests the HTTP status in
variable "$response" and can misreport GraphQL failures; update the script to
also inspect the JSON body written to /tmp/response.json and only treat the call
as successful if "$response" equals 200 AND the JSON has no "errors" (e.g. jq
'.errors | length == 0') AND contains the expected "data" payload for the
mutation (e.g. jq '.data.<expectedField> != null' where <expectedField> is the
GraphQL mutation/field you expect). Modify the if condition that checks
"$response" and replace it with a combined check that validates the status plus
the jq checks against /tmp/response.json, falling back to the existing else
branch when any of those validations fail.
- Around line 3-6: Change the workflow trigger from pull_request to
pull_request_target so the GITHUB_TOKEN has write permissions for auto-merge and
comment operations, and remove or restrict the current actions/checkout@v4 usage
so the job does not check out the untrusted PR head code (only fetch metadata/PR
info or omit checkout entirely); ensure any steps that mutate the repo (enable
auto-merge, post comments) run under pull_request_target and that you do not
perform a full checkout of PR code in the dependabot-auto-merge workflow.
- Around line 85-90: The two curl POST commands that create PR comments (the
requests to "https://api.github.com/repos/${{ github.repository }}/issues/${{
github.event.pull_request.number }}/comments") currently use curl -s with no
HTTP status validation; update both comment-posting curl invocations to mirror
the GraphQL request pattern by using curl -s -w "%{http_code}" -o
/tmp/response.json (or similar), capture the HTTP status, and fail the job or
log an error if the status is not 2xx, ensuring the response body is available
for diagnostics and the workflow does not silently ignore failed comment posts.
📥 Commits

Reviewing files that changed from the base of the PR and between 1c25ce1 and 701f3e9.

📒 Files selected for processing (2)
  • .github/workflows/branch-protection-check.yml
  • .github/workflows/dependabot-auto-merge.yml

MitaliBhalla force-pushed the chore/dependabot-auto-merge branch from e4e1579 to 2040247 on May 19, 2026 05:35
@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Inline comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Line 55: The jq check in the workflow uses `.errors | length == 0`, which
fails when `.errors` is missing; update the jq filter in the existing command to
treat a missing errors field as an empty array (use the fallback operator so the
expression becomes something like using `.errors // []` and then checking its
length) so successful GraphQL responses without an `.errors` key evaluate as
success; keep the surrounding `jq -e ... /tmp/response.json >/dev/null 2>&1 ||
return 1` invocation intact.
📥 Commits

Reviewing files that changed from the base of the PR and between a056d99 and e4e1579.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-auto-merge.yml

MitaliBhalla force-pushed the chore/dependabot-auto-merge branch from 2040247 to 552cc0a on May 19, 2026 05:39
@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (1)
.github/workflows/dependabot-auto-merge.yml (1)

55-55: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

GraphQL success check fails on successful responses (no .errors field).

When GitHub GraphQL returns a successful response, it omits the .errors field entirely. The expression .errors | length on a missing field yields null, and null == 0 is false, causing jq -e to exit non-zero. This incorrectly treats successful auto-merge calls as failures.

Proposed fix
           graphql_auto_merge_ok() {
             local http_code="$1"
             [[ "$http_code" == "200" ]] || return 1
-            jq -e '.errors | length == 0' /tmp/response.json >/dev/null 2>&1 || return 1
+            jq -e '(.errors // []) | length == 0' /tmp/response.json >/dev/null 2>&1 || return 1
             jq -e '.data.enablePullRequestAutoMerge.pullRequest != null' /tmp/response.json >/dev/null 2>&1
           }
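Review bot: `/tmp/response.json` on both jq lines is a fixed path that the workflow's other curl calls are also asked to write to (see the earlier comment on the comment-posting requests), so a curl invocation that exits before writing a body leaves this function validating the previous step's response; take the body path as a second argument and create it with `mktemp` per request, or truncate the file (`: > /tmp/response.json`) before each call. On the `+` line itself, note that jq defines `length` of null as 0, so the `-` line already evaluated true when `.errors` was absent; the `(.errors // [])` form is still worth keeping because it states the intent explicitly, and `length == 0` yields a boolean that `jq -e` maps to the exit status the `|| return 1` relies on.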

📥 Commits

Reviewing files that changed from the base of the PR and between 2040247 and 552cc0a.

📒 Files selected for processing (2)
  • .github/workflows/branch-protection-check.yml
  • .github/workflows/dependabot-auto-merge.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/branch-protection-check.yml
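The auto-merge decision and the response validation discussed in the review comments above (the three-part GraphQL success check, including the case where `.errors` is absent, and the 2xx check for the comment-posting calls), reimplemented here as an added Python example; this is not the PR's workflow code, which does the same with shell and jq. The semver `update-type` strings are the documented outputs of dependabot/fetch-metadata; the digest string and the response bodies are constructed assumptions.

```python
import json

# update-type values from dependabot/fetch-metadata. The semver strings are the
# action's documented outputs; the digest string is an assumption for this example.
SAFE_UPDATE_TYPES = frozenset({
    "version-update:semver-patch",
    "version-update:semver-minor",
    "version-update:digest",  # assumed value for image-digest bumps
})
MAJOR_UPDATE_TYPE = "version-update:semver-major"


def auto_merge_decision(update_type):
    """'enable' for patch/minor/digest, 'manual' for major, 'skip' for anything else."""
    if update_type in SAFE_UPDATE_TYPES:
        return "enable"
    if update_type == MAJOR_UPDATE_TYPE:
        return "manual"
    return "skip"  # empty or unknown metadata: never auto-merge by accident


def graphql_auto_merge_ok(http_code, body):
    """Same three checks as the workflow's graphql_auto_merge_ok shell function:
    HTTP 200, no GraphQL errors, and a non-null pullRequest in the mutation payload.
    `body` is the raw response text, as curl would have written it to a file."""
    if str(http_code) != "200":
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False  # truncated or non-JSON body; jq would also exit non-zero here
    if not isinstance(doc, dict):
        return False
    if doc.get("errors"):  # absent, null or [] all count as "no errors", like `.errors // []`
        return False
    payload = (doc.get("data") or {}).get("enablePullRequestAutoMerge") or {}
    return payload.get("pullRequest") is not None


def comment_post_ok(http_code):
    """The 2xx validation requested for the two comment-posting curl calls."""
    return 200 <= int(http_code) < 300


# Constructed response bodies in the shape GitHub's GraphQL API returns.
SUCCESS_BODY = json.dumps({"data": {"enablePullRequestAutoMerge": {"pullRequest": {"id": "PR_example"}}}})
ERROR_BODY = json.dumps({"data": {"enablePullRequestAutoMerge": None},
                         "errors": [{"message": "constructed error: auto-merge cannot be enabled"}]})
NULL_DATA_BODY = json.dumps({"data": {"enablePullRequestAutoMerge": None}})

if __name__ == "__main__":
    cases = [("success", 200, SUCCESS_BODY), ("graphql error", 200, ERROR_BODY),
             ("null payload", 200, NULL_DATA_BODY), ("http 401", 401, SUCCESS_BODY),
             ("truncated body", 200, SUCCESS_BODY[:20])]
    for label, code, body in cases:
        print(f"{label:15} -> {'ok' if graphql_auto_merge_ok(code, body) else 'fail'}")
    print(auto_merge_decision("version-update:semver-minor"), auto_merge_decision(MAJOR_UPDATE_TYPE))
```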

MitaliBhalla force-pushed the chore/dependabot-auto-merge branch 6 times, most recently from 3f29cf1 to 768e115 on May 19, 2026 06:18
- dependabot-auto-merge: auto-merge patch/minor/digest after CI; majors manual
- pull_request_target without PR checkout; GraphQL and comment API validation
- branch-protection-check: weekly dependabot config/workflow verification

Co-authored-by: Cursor <cursoragent@cursor.com>
MitaliBhalla force-pushed the chore/dependabot-auto-merge branch from 768e115 to 990d93a on May 20, 2026 07:52

openshift-ci Bot commented May 20, 2026

@MitaliBhalla: all tests passed!

MitaliBhalla commented May 25, 2026

On hold — pausing this per-repo workflow rollout while we switch to the boilerplate / MintMaker (Renovate) path for ROSA-745. Please do not merge; we will close or reopen after the platform PR lands.
