feat: auto-merge green Dependabot patch/minor PRs#69
Merged
Conversation
Adds a workflow_run-triggered workflow that squash-merges Dependabot PRs once the required ci check passes, then dispatches CI on main so the deploy chain fires (same GITHUB_TOKEN suppression workaround as update-data.yml). Gated on Dependabot's structured update-type commit metadata: every bump must be semver patch or minor, all commits must be Dependabot's, and the PR head must match the CI run. Majors and anything unparseable stay open for manual review. Concurrent green PRs converge serially via Dependabot's own conflict rebases. Claude-Session: https://claude.ai/code/session_013ga8yb2vDELdU9x9zZPDtA
seriouslysean
marked this pull request as ready for review
July 14, 2026 18:45
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Automates what today's Dependabot triage did by hand: once the required
cicheck (now including the e2e smoke suite from #68) passes on a Dependabot PR, it's squash-merged and the site redeploys — no manual step.How
workflow_runon CI completion (the documented pattern for privileged responses to Dependabot — itspull_requestevents get a read-only token):dependabot[bot], head unchanged since the CI run, every commit Dependabot's, and every bumped dependencysemver-patchorsemver-minorper Dependabot's structuredupdate-typecommit metadata (works for both the npm and github-actions ecosystems). Majors and anything unparseable are left open for manual review with a logged reason.gh pr merge --squash(requiredcicheck is green on the head SHA by construction). Amergeable_state=dirtyfailure exits clean: another PR merged first, Dependabot rebases, CI re-runs, this workflow re-fires — the serial convergence we watched happen manually with chore(deps-dev): bump oxfmt from 0.57.0 to 0.58.0 #64/chore(deps-dev): bump oxlint from 1.72.0 to 1.74.0 #65 today.gh workflow run ci.yml --ref main, mirroringupdate-data.yml's workaround for GITHUB_TOKEN merge pushes not triggering workflows; the dispatched-CI → deploy path was proven live yesterday.Verification
patch).workflow_runworkflows only execute from main, so the full loop can't fire pre-merge — first live proof is next Monday's Dependabot batch. Failure mode is the status quo (PR stays open, red run visible).https://claude.ai/code/session_013ga8yb2vDELdU9x9zZPDtA