Docs: [AEA-0000] - add Dependabot schedule #100
Pull request overview
This PR changes how Dependabot update PRs are auto-approved/auto-merged by moving the logic out of the pull request workflow and into a separate scheduled workflow.
Changes:
- Removed the `dependabot-auto-approve-and-merge` reusable-workflow job from the PR workflow.
- Added a new scheduled workflow that runs an action to auto-approve Dependabot PRs and enable auto-merge.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/pull_request.yml | Removes the Dependabot auto-approve/merge job from the PR-triggered workflow. |
| .github/workflows/auto_approve_dependabot.yml | Introduces a scheduled workflow to auto-approve dependency update PRs and enable auto-merge using repository secrets. |
| name: Auto-approve dependency updates | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| schedule: | ||
| - cron: '*/30 * * * *' |
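Review bot: the workflow-level `permissions: {}` in this new file is the right default, but the hunk does not show the job that performs the approval and enables auto-merge, so it is not visible which credential it uses. The job removed from pull_request.yml passed `AUTOMERGE_APP_ID` and `AUTOMERGE_PEM` and requested `pull-requests: write` and `contents: write`; please keep the same app-token approach and grant those scopes at job level only, rather than widening this top-level `permissions` block, since a `schedule`-triggered run on the default branch would otherwise hand a write-capable `GITHUB_TOKEN` to whatever action runs here.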
The PR title/description says it adds a Dependabot schedule, but this change actually adds a scheduled GitHub Actions workflow to auto-approve Dependabot PRs (and the Dependabot update schedule already exists in .github/dependabot.yml). Please update the PR title/description to reflect the actual change to avoid confusion for reviewers/auditors.
| permissions: {} | ||
| jobs: | ||
| dependabot-auto-approve-and-merge: | ||
| needs: quality_checks | ||
| uses: NHSDigital/eps-common-workflows/.github/workflows/dependabot-auto-approve-and-merge.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929 | ||
| secrets: | ||
| AUTOMERGE_APP_ID: ${{ secrets.AUTOMERGE_APP_ID }} | ||
| AUTOMERGE_PEM: ${{ secrets.AUTOMERGE_PEM }} | ||
| permissions: | ||
| pull-requests: write | ||
| contents: write | ||
|
|
||
| get_config_values: | ||
| uses: NHSDigital/eps-common-workflows/.github/workflows/get-repo-config.yml@e798d5aee897de6f7dc387dd5623fcd9ba4c8929 |
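Review bot: the job being removed here pinned the reusable workflow to a full commit SHA (`@e798d5aee897de6f7dc387dd5623fcd9ba4c8929`), as does the surviving `get_config_values` job below it. The action reference used by the new scheduled workflow is not in this diff, so please confirm it is pinned to a full commit SHA as well rather than a mutable tag or branch; a workflow whose purpose is to approve and merge PRs should not itself run unpinned third-party code.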
Previously, the Dependabot auto-approve/merge job was part of the pull_request workflow and was gated on quality_checks via needs. With this removal, approvals/auto-merge enablement may now happen independently of PR quality checks (depending on the scheduled workflow/action behavior). If the intent is still to only enable auto-merge after checks succeed, consider reintroducing an explicit gate/verification step in the new workflow.
| - cron: '*/30 * * * *' | ||
|
|
||
| permissions: {} |
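Review bot: because this workflow is triggered by `schedule` and `workflow_dispatch` rather than `pull_request`, there is no `github.event.pull_request` context; the job has to enumerate open PRs itself, and this hunk does not show how it selects them. Please make sure the selection filters on the PR author being `dependabot[bot]` before approving or enabling auto-merge, so that a scheduled run cannot act on an unrelated open PR, and document that filter in the workflow so it is visible to reviewers.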
The scheduled trigger runs every 30 minutes. That frequency is unusually high for an approval/auto-merge helper and can generate unnecessary GitHub Actions load/cost; it also increases the chance of overlapping runs if one execution takes >30 minutes. Consider reducing the cron frequency (e.g., hourly/daily) and/or adding a workflow/job concurrency group to prevent overlapping runs.
| - cron: '*/30 * * * *' | |
| permissions: {} | |
| - cron: '0 * * * *' | |
| permissions: {} | |
| concurrency: | |
| group: auto-approve-dependabot | |
| cancel-in-progress: false |
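Review bot: `cancel-in-progress: false` is the right choice in this suggestion: with `true`, an overlapping hourly run would cancel an in-flight run between approving a PR and enabling auto-merge, leaving a half-applied state. Because the group name `auto-approve-dependabot` is a constant, queued runs are serialised across the whole workflow, which matches the intent of preventing overlap.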
Add Dependabot schedule to the repository