Skip to content

refactor automerge github action to be more efficient #346

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
0xdevalias wants to merge 1 commit into
base: main
Choose a base branch
from
Open

refactor automerge github action to be more efficient #346

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 30 additions & 30 deletions .github/workflows/automerge.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,41 +1,41 @@
name: Dependabot auto-merge
on: pull_request
on:
check_suite:
types: [completed]

permissions:
pull-requests: write
contents: write

jobs:
dependabot:
runs-on: ubuntu-latest
if: ${{ github.actor == 'dependabot[bot]' }}
if: >
${{
github.event.check_suite.conclusion == 'success' &&
github.event.check_suite.pull_requests[0].user.login == 'dependabot[bot]'
}}
steps:
- name: Enable auto-merge for Dependabot PRs
- name: Auto-merge Dependabot PR
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
PR_URL: ${{ github.event.check_suite.pull_requests[0].html_url }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO: ${{ github.repository }}
BASE_BRANCH: ${{ github.event.check_suite.pull_requests[0].base.ref }}
run: |
function get_pending_jobs() {
gh pr view "$PR_URL" --json statusCheckRollup --jq '.statusCheckRollup | map(select(.name != "dependabot")) | map(select(.status != "COMPLETED") | select(.status != "") | select(.status != null)).[]'
}
function get_failed_jobs() {
gh pr view "$PR_URL" --json statusCheckRollup --jq '.statusCheckRollup | map(select(.name != "dependabot")) | map(select(.conclusion != "SUCCESS") | select(.conclusion != "NEUTRAL") | select(.conclusion != "SKIPPED") | select(.conclusion != "") | select(.conclusion != null)).[]'
}
function wait_until_completed() {
while [[ $(get_pending_jobs) ]]
do
sleep 5
done
}
function fail_if_unsuccessful() {
if [[ $(get_failed_jobs) ]]; then
echo "Some jobs failed, unable to automerge"
exit 1
fi
}
function auto_merge() {
gh pr merge --auto --rebase "$PR_URL"
}
wait_until_completed && \
fail_if_unsuccessful && \
auto_merge
set -euo pipefail
echo "Checking branch protection rules for ${BASE_BRANCH}..."

# Make a single API call to get branch protection info
branch_protection_json=$(gh api repos/${REPO}/branches/${BASE_BRANCH}/protection --silent 2>/dev/null || echo '{}')

# Check if required_status_checks is present (not null)
if ! echo "$branch_protection_json" | jq -e '.required_status_checks != null' > /dev/null; then
echo "::error::Branch protection for ${BASE_BRANCH} does not require status checks. Exiting."
exit 1
fi

echo "✅ Branch protection with required status checks is properly configured."
Comment on lines +26 to +37
Copy link
Copy Markdown
Contributor Author

@0xdevalias 0xdevalias Feb 25, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not 100% sure if this would actually run properly with the default workflow secrets.GITHUB_TOKEN permissions.

I'm also not sure if it's actually needed if we leave this action triggering on check_suite completed. Originally I was going to have the action still trigger on pull_request, but only enable automerge if branch protections + require status checks were enabled, as a failsafe to ensure it wasn't merged prematurely if those protections weren't enabled.

If we're sure that they are enabled for the repo, it may also be fine to just remove the check from this action entirely; in which case it would probably be equally correct to have it trigger on pull_request, or check_suite completed; as the branch protections would be sufficient to ensure it only merges when the checks complete successfully:


echo "Enabling auto-merge for PR: ${PR_URL}..."
gh pr merge --auto --rebase "${PR_URL}"
echo "Auto-merge enabled. The PR will merge automatically once all required checks pass."