Add reusable workflow for Dependabot auto-merge#220
Open
arunshenoy99 wants to merge 10 commits into
Open
Conversation
14 tasks
Member
Author
|
Lint failures are not related to these changes. |
vikasrana1998
previously approved these changes
Apr 21, 2026
The four excludes keyed on 'name' and 'plugin-repo' referenced values that do not appear on any web.com matrix combination (those keys are only added via includes for bluehost/hostgator), so they were silent no-ops and flagged by actionlint. A single 'brand: web.com' exclude removes every web.com combination, matching the stated intent that Web.com has migrated off Cypress.
wpscholar
previously approved these changes
Apr 22, 2026
circlecube
previously approved these changes
Apr 24, 2026
Member
Author
|
@wpscholar @circlecube let's not merge this yet. There's a small caveat that I want to discuss in our standup. Thanks! |
The previous version armed GitHub native auto-merge, which merges immediately when the repo has no required status checks configured. That bypassed CI on consumer repos that didn't enforce required checks. Replace with a check-run aggregation gate: caller passes the PR number and head SHA, this workflow fetches every check run on the SHA (excluding its own), and merges only once they are all completed and green. Caller is meant to fire via workflow_run on the repo's CI workflows so each CI completion gives this job a chance to evaluate state.
A failed auto-merge run leaves a check run on the head SHA, which the gate would then read as a non-pass conclusion and block every subsequent firing — turning a transient failure (org setting, network blip, conflict) into a permanent merge block. Rename the reusable's job to 'dependabot-auto-merge' so the gate can recognise and skip check runs produced by any invocation of this reusable on the same SHA, not just the currently-executing run.
If the check-runs API returns an empty set (transient gap, race), the previous gate would leave merge_ok=true because the while loop never executes — and the PR would merge unvalidated. Track processed count and force defer when zero non-self check runs were seen.
The per-PR workflow_run model ran the merge logic on every CI completion for every open Dependabot PR, which burned CI/runner resources and let independent merges invalidate each other's lockfile — turning a queue of green PRs into a conflict cascade that stalled on Dependabot rebasing one PR at a time. Replace it with a scheduled sweep: callers fire on cron, and the reusable workflow discovers every open Dependabot PR itself and merges the eligible ones (open, not draft, mergeable, all check runs green, an opted-in bump type). Mergeability is re-read per PR right before merging, so the first merge in a sweep marks its siblings dirty and they are skipped rather than merged into a conflict; Dependabot rebases them for the next sweep. Bump type is classified from the PR title/body (worst bump in a grouped PR wins); majors and unparseable versions are left for a human via the update-types input (default patch,minor). Drops the pr-number/head-sha inputs — callers no longer pass per-PR context or wire workflow_run. Updates the example caller to the scheduled model.
AI code review✅ Strengths
|
The gate reads check-run status via the Checks API, which 403s under
permissions:{} without checks:read — add it to the reusable job and
the example caller so merges are actually evaluated.
Drop secrets:inherit from the example: GITHUB_TOKEN is available to a
called workflow automatically, and inheriting all secrets tripped
zizmor's secrets-inherit audit.
Mark the example's intentional @main reference with a
zizmor: ignore[unpinned-uses] so it no longer fails code scanning;
the header already tells consumers to pin to a commit SHA.
Add a per-repo concurrency group so a manual dispatch cannot overlap
a scheduled sweep (queue, don't cancel, to avoid interrupting a merge).
gh's GraphQL author field reports Dependabot's login as app/dependabot with is_bot=true, not dependabot[bot]. The old equality check matched nothing, so every sweep reported 'no open Dependabot PRs found'. Match on is_bot plus a dependabot login suffix to cover both forms.
GitHub computes PR mergeability asynchronously and returns UNKNOWN until it settles, so a single read often skipped a perfectly mergeable PR until the next sweep. Re-read up to five times (re-reading triggers the computation) before deferring.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Proposed changes
Type of Change
Production
Development
Visual
Checklist
Further comments