Skip to content

Add auto-approve and auto-merge for Dependabot PRs#211

Merged
Marenz merged 1 commit intofrequenz-floss:v1.x.xfrom
Marenz:autoup
Oct 30, 2025
Merged

Add auto-approve and auto-merge for Dependabot PRs#211
Marenz merged 1 commit intofrequenz-floss:v1.x.xfrom
Marenz:autoup

Conversation

@Marenz
Copy link
Contributor

@Marenz Marenz commented Oct 30, 2025

Uses our own fork.

@Marenz Marenz requested a review from a team as a code owner October 30, 2025 12:22
@Marenz Marenz requested review from Copilot and llucax October 30, 2025 12:22
@github-actions github-actions bot added part:tooling Affects the development tooling (CI, deployment, dependency management, etc.) part:dispatcher Affects the high-level dispatcher interface labels Oct 30, 2025
Copilot AI reviewed Oct 30, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR introduces an automated workflow for managing Dependabot pull requests. The workflow automatically approves, merges, and labels Dependabot PRs to streamline dependency updates.

Key changes:

  • Adds a GitHub Actions workflow that triggers on all pull requests
  • Configures automatic approval and merging for all Dependabot dependency updates
  • Sets up appropriate permissions for the workflow to modify content and pull requests

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

.github/workflows/auto-dependabot.yaml
runs-on: ubuntu-latest
if: github.actor == 'dependabot[bot]'
steps:
- uses: frequenz-floss/dependabot-auto-approve@v1
Copy link

Copilot AI Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using a floating version tag (@v1) for a GitHub Action poses security risks. Pin to a specific commit SHA to ensure the workflow uses a known, immutable version. This prevents potential supply chain attacks if the action's v1 tag is moved to malicious code.

Suggested change
- uses: frequenz-floss/dependabot-auto-approve@v1
- uses: frequenz-floss/dependabot-auto-approve@c2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2

Copilot uses AI. Check for mistakes.
Copy link
Contributor Author

@Marenz Marenz Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The source repo is under our control, so this adds convenience in staying major-version up-to-date

Copy link

@florian-wagner-frequenz florian-wagner-frequenz Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, no sense pinning it down further unless we see actual issues from now on.

Copy link
Contributor

@llucax llucax Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I disagree, I think pinning is a good practice no matter what, our own repo could also get somehow compromised, and speaking of the devil, dependabot will be there to keep us up to date.

Copy link
Contributor Author

@Marenz Marenz Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

haha, the last argument is a pretty good one in that respect

@Marenz Marenz merged commit 9c4c76b into frequenz-floss:v1.x.x Oct 30, 2025
12 checks passed
@Marenz Marenz deleted the autoup branch October 30, 2025 16:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@florian-wagner-frequenz florian-wagner-frequenz florian-wagner-frequenz approved these changes

@llucax llucax Awaiting requested review from llucax llucax is a code owner automatically assigned from frequenz-floss/api-dispatch-team

Assignees

No one assigned

Labels

part:dispatcher Affects the high-level dispatcher interface part:tooling Affects the development tooling (CI, deployment, dependency management, etc.)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Marenz @llucax @florian-wagner-frequenz