Skip to content

feat: auto-merge green Dependabot patch/minor PRs#69

Merged
seriouslysean merged 1 commit into
mainfrom
feat/dependabot-auto-merge
Jul 14, 2026
Merged

feat: auto-merge green Dependabot patch/minor PRs#69
seriouslysean merged 1 commit into
mainfrom
feat/dependabot-auto-merge

Conversation

@seriouslysean

Copy link
Copy Markdown
Owner

What

Automates what today's Dependabot triage did by hand: once the required ci check (now including the e2e smoke suite from #68) passes on a Dependabot PR, it's squash-merged and the site redeploys — no manual step.

How

workflow_run on CI completion (the documented pattern for privileged responses to Dependabot — its pull_request events get a read-only token):

  1. Gate — the PR must be open, authored by dependabot[bot], head unchanged since the CI run, every commit Dependabot's, and every bumped dependency semver-patch or semver-minor per Dependabot's structured update-type commit metadata (works for both the npm and github-actions ecosystems). Majors and anything unparseable are left open for manual review with a logged reason.
  2. Mergegh pr merge --squash (required ci check is green on the head SHA by construction). A mergeable_state=dirty failure exits clean: another PR merged first, Dependabot rebases, CI re-runs, this workflow re-fires — the serial convergence we watched happen manually with chore(deps-dev): bump oxfmt from 0.57.0 to 0.58.0 #64/chore(deps-dev): bump oxlint from 1.72.0 to 1.74.0 #65 today.
  3. Deploy kickgh workflow run ci.yml --ref main, mirroring update-data.yml's workaround for GITHUB_TOKEN merge pushes not triggering workflows; the dispatched-CI → deploy path was proven live yesterday.

Verification

  • YAML parses; gate's jq/grep pipelines dry-run against merged PR chore(deps): bump astro from 7.0.6 to 7.0.9 #66's real commit data (0 non-bot commits, update-type patch).
  • format/lint green (no code-path changes).
  • Residual: workflow_run workflows only execute from main, so the full loop can't fire pre-merge — first live proof is next Monday's Dependabot batch. Failure mode is the status quo (PR stays open, red run visible).

https://claude.ai/code/session_013ga8yb2vDELdU9x9zZPDtA

Adds a workflow_run-triggered workflow that squash-merges Dependabot
PRs once the required ci check passes, then dispatches CI on main so
the deploy chain fires (same GITHUB_TOKEN suppression workaround as
update-data.yml). Gated on Dependabot's structured update-type commit
metadata: every bump must be semver patch or minor, all commits must
be Dependabot's, and the PR head must match the CI run. Majors and
anything unparseable stay open for manual review. Concurrent green
PRs converge serially via Dependabot's own conflict rebases.

Claude-Session: https://claude.ai/code/session_013ga8yb2vDELdU9x9zZPDtA
@seriouslysean
seriouslysean marked this pull request as ready for review July 14, 2026 18:45
@seriouslysean
seriouslysean merged commit 9530e40 into main Jul 14, 2026
1 check passed
@seriouslysean
seriouslysean deleted the feat/dependabot-auto-merge branch July 14, 2026 19:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant