Conversation
79edc45 to 8c4330c
8c4330c to ef7e371
ef7e371 to 6920f06
6920f06 to 7cbfc14
Pull Request Overview
This PR introduces automated workflows for managing Dependabot pull requests, including metadata extraction, auto-labeling, auto-approval, and auto-merging capabilities.
- Adds a reusable workflow for extracting Dependabot metadata with comprehensive output parameters
- Implements automated labeling system to categorize dependencies by type (production, development, indirect)
- Introduces conditional auto-approval and auto-merge for patch version updates
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/dependabot-metadata.yml | Creates reusable workflow to fetch and expose Dependabot PR metadata |
| .github/workflows/dependabot-auto-merge.yml | Implements auto-merge functionality for patch updates |
| .github/workflows/dependabot-auto-label.yml | Adds automatic labeling based on dependency type |
| .github/workflows/dependabot-auto-approve.yml | Provides auto-approval for patch version updates |
```yaml
        description: 'GitHub token for authentication'
        required: false
        type: string
        default: ${{ github.token }}
```
The default value uses ${{ github.token }} which is deprecated. Use ${{ github.token }} or better yet, remove the default and make the token required, or use ${{ secrets.GITHUB_TOKEN }} as the default.
Suggested change:

```diff
-        default: ${{ github.token }}
+        default: ${{ secrets.GITHUB_TOKEN }}
```
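Review bot: `${{ github.token }}` and `${{ secrets.GITHUB_TOKEN }}` resolve to the same installation token, so the suggested default changes nothing and neither form is deprecated. The point worth raising on this hunk is that a credential is declared under `inputs` with `type: string`; a reusable workflow should receive tokens through its `secrets:` block (the caller passing `secrets: inherit` or an explicit `secrets.GITHUB_TOKEN`) so the value is handled as a secret rather than as a plain string input, which also matters if a caller later supplies a PAT or app token to obtain approve/merge rights.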
```yaml
      - name: Enable auto-merge for Dependabot PRs
        if: needs.get-metadata.outputs.update-type == 'version-update:semver-patch'
```
Auto-merging based solely on patch version updates may be risky. Consider adding additional conditions like successful CI checks or specific dependency allowlists to prevent potentially breaking changes from being automatically merged.
Suggested change:

```diff
-      - name: Enable auto-merge for Dependabot PRs
-        if: needs.get-metadata.outputs.update-type == 'version-update:semver-patch'
+      - name: Check dependency allowlist
+        id: allowlist
+        run: |
+          ALLOWLIST="lodash,react,express"
+          DEPENDENCY="${{ needs.get-metadata.outputs.dependency-name }}"
+          if [[ ",$ALLOWLIST," == *",$DEPENDENCY,"* ]]; then
+            echo "allowed=true" >> $GITHUB_OUTPUT
+          else
+            echo "allowed=false" >> $GITHUB_OUTPUT
+          fi
+      - name: Enable auto-merge for Dependabot PRs
+        if: needs.get-metadata.outputs.update-type == 'version-update:semver-patch' && steps.allowlist.outputs.allowed == 'true' && github.event.pull_request.mergeable_state == 'clean'
```
@uniqueck, PRs can't be merged without a successful CI build anyway, right?
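Review bot: The `if:` on this hunk keys only on `update-type`, while the metadata workflow added in this PR also exposes the dependency type (production, development, indirect, per the overview); a patch bump to a production dependency is treated the same as a dev-only one, so consider gating on `dependency-type` too. On the suggested replacement, `DEPENDENCY="${{ needs.get-metadata.outputs.dependency-name }}"` interpolates a workflow output directly into the `run:` script; pass it via `env:` and read `"$DEPENDENCY"` in the script so the shell never receives the raw value as code. Note also that `github.event.pull_request.mergeable_state == 'clean'` is evaluated when the job starts, not when the merge happens; auto-merge itself waits for the required checks and reviews configured in branch protection, so that is where "CI must pass" is actually enforced, which answers the question above. The `lodash,react,express` allowlist is a placeholder and belongs in a repository variable rather than the workflow body.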
7cbfc14 to 83cb363
83cb363 to c7aa5fc