Skip to content

Add reusable workflow for Dependabot auto-merge#220

Open
arunshenoy99 wants to merge 10 commits into
mainfrom
enhance/PRESS0-4266
Open

Add reusable workflow for Dependabot auto-merge#220
arunshenoy99 wants to merge 10 commits into
mainfrom
enhance/PRESS0-4266

Conversation

@arunshenoy99

Copy link
Copy Markdown
Member

Proposed changes

Type of Change

Production

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Dependency update
  • Refactoring / housekeeping (changes to files not directly related to functionality)

Development

  • Tests
  • Dependency update
  • Environment update / refactoring
  • Documentation Update

Visual

Checklist

  • I have read the CONTRIBUTING doc
  • I have viewed my change in a web-browser
  • Linting and tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Further comments

@arunshenoy99

Copy link
Copy Markdown
Member Author

Lint failures are not related to these changes.

vikasrana1998
vikasrana1998 previously approved these changes Apr 21, 2026
The four excludes keyed on 'name' and 'plugin-repo' referenced values
that do not appear on any web.com matrix combination (those keys are
only added via includes for bluehost/hostgator), so they were silent
no-ops and flagged by actionlint. A single 'brand: web.com' exclude
removes every web.com combination, matching the stated intent that
Web.com has migrated off Cypress.
wpscholar
wpscholar previously approved these changes Apr 22, 2026
circlecube
circlecube previously approved these changes Apr 24, 2026
@arunshenoy99

Copy link
Copy Markdown
Member Author

@wpscholar @circlecube let's not merge this yet. There's a small caveat that I want to discuss in our standup. Thanks!

The previous version armed GitHub native auto-merge, which merges
immediately when the repo has no required status checks configured.
That bypassed CI on consumer repos that didn't enforce required
checks.

Replace with a check-run aggregation gate: caller passes the PR
number and head SHA, this workflow fetches every check run on the
SHA (excluding its own), and merges only once they are all
completed and green. Caller is meant to fire via workflow_run on
the repo's CI workflows so each CI completion gives this job a
chance to evaluate state.
@arunshenoy99 arunshenoy99 dismissed stale reviews from circlecube and wpscholar via d43c690 May 4, 2026 07:40
A failed auto-merge run leaves a check run on the head SHA, which
the gate would then read as a non-pass conclusion and block every
subsequent firing — turning a transient failure (org setting,
network blip, conflict) into a permanent merge block.

Rename the reusable's job to 'dependabot-auto-merge' so the gate
can recognise and skip check runs produced by any invocation of
this reusable on the same SHA, not just the currently-executing
run.
If the check-runs API returns an empty set (transient gap, race),
the previous gate would leave merge_ok=true because the while loop
never executes — and the PR would merge unvalidated. Track
processed count and force defer when zero non-self check runs were
seen.
The per-PR workflow_run model ran the merge logic on every CI
completion for every open Dependabot PR, which burned CI/runner
resources and let independent merges invalidate each other's
lockfile — turning a queue of green PRs into a conflict cascade
that stalled on Dependabot rebasing one PR at a time.

Replace it with a scheduled sweep: callers fire on cron, and the
reusable workflow discovers every open Dependabot PR itself and
merges the eligible ones (open, not draft, mergeable, all check
runs green, an opted-in bump type). Mergeability is re-read per PR
right before merging, so the first merge in a sweep marks its
siblings dirty and they are skipped rather than merged into a
conflict; Dependabot rebases them for the next sweep.

Bump type is classified from the PR title/body (worst bump in a
grouped PR wins); majors and unparseable versions are left for a
human via the update-types input (default patch,minor).

Drops the pr-number/head-sha inputs — callers no longer pass per-PR
context or wire workflow_run. Updates the example caller to the
scheduled model.
Comment thread .github/workflows/example-dependabot-auto-merge.yml Fixed
Comment thread .github/workflows/example-dependabot-auto-merge.yml Fixed
@github-actions

github-actions Bot commented Jun 25, 2026

Copy link
Copy Markdown

AI code review

✅ Strengths

  • Clear, reusable workflow with thoughtful defaults (patch/minor only, squash by default) and comprehensive inline docs for consumers, including pinning guidance and zizmor context.
  • Good security posture: default permissions: {} with job-scoped minimal permissions; no secrets inheritance required; concurrency guard to avoid overlapping sweeps.
  • Robustness considerations: retries when mergeable is UNKNOWN, re-reading PR state before merge, defers on conflicts, honors draft state, and gates on green checks.
  • Helpful dry-run mode and batching approach to reduce CI churn and lockfile thrash.
  • Nice simplification in the matrix exclude list (brand-level exclude) in verify-module-plugin-test.yml.

⚠️ Suggestions (non-blocking)

  • Consider also querying commit statuses (Statuses API) in addition to check runs. Some repos still rely on status contexts that won’t appear as check runs; currently those PRs would always defer.
  • Tighten PR limit validation: either enforce > 0 or update the error message to say “non-negative integer.”
  • Make Dependabot author detection a bit more defensive to cover all forms (e.g., dependabot[bot], app/dependabot) without accidental false negatives/positives.
  • Optionally allow consumers to restrict merges to specific base branches or to honor an opt-out label (e.g., no-automerge), for extra safety.
  • Consider emitting a step/job summary (using $GITHUB_STEP_SUMMARY) with the sweep results for quick visibility.

❌ Issues (blocking)

  • Example caller workflow input reference uses a hyphenated key with dot-notation: inputs.dry-run. In GitHub expressions, hyphenated keys must use bracket notation: inputs['dry-run']. As written, this will not parse/evaluate correctly. See inline note for the exact line.

Verdict

❌ Verdict: Request changes. The workflows look solid overall, but please fix the hyphenated input expression in the example caller workflow. The other notes are optional improvements.


Automation note: This AI review is posted as one regular pull-request conversation comment that GitHub Actions updates in place on each successful workflow run. It does not create or dismiss GitHub Reviews or resolve threads.

The gate reads check-run status via the Checks API, which 403s under
permissions:{} without checks:read — add it to the reusable job and
the example caller so merges are actually evaluated.

Drop secrets:inherit from the example: GITHUB_TOKEN is available to a
called workflow automatically, and inheriting all secrets tripped
zizmor's secrets-inherit audit.

Mark the example's intentional @main reference with a
zizmor: ignore[unpinned-uses] so it no longer fails code scanning;
the header already tells consumers to pin to a commit SHA.

Add a per-repo concurrency group so a manual dispatch cannot overlap
a scheduled sweep (queue, don't cancel, to avoid interrupting a merge).
gh's GraphQL author field reports Dependabot's login as app/dependabot
with is_bot=true, not dependabot[bot]. The old equality check matched
nothing, so every sweep reported 'no open Dependabot PRs found'. Match
on is_bot plus a dependabot login suffix to cover both forms.
GitHub computes PR mergeability asynchronously and returns UNKNOWN until
it settles, so a single read often skipped a perfectly mergeable PR until
the next sweep. Re-read up to five times (re-reading triggers the
computation) before deferring.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants