
feat: reusable dependabot-automerge workflow (S-konservoppnaren)#3

Open
Mr-RedHat-fb wants to merge 1 commit into main from feat/dependabot-automerge

Conversation

@Mr-RedHat-fb

Contributor

Summary

  • Adds dependabot-automerge.yml, a workflow_call reusable workflow: reads Dependabot's own PR metadata (dependabot/fetch-metadata, not the title string) and queues gh pr merge --auto for minor/patch bumps only. Majors are left untouched for a human.
  • Same one-source-of-truth discipline as go-bash-ci.yml / docs/ci.md: the merge mechanics live here once; the policy words (S-konservoppnaren, 2026-07-02) go to alfred-intelligence/.github-private/DECISIONS.md in a separate PR.
  • Documents the caller snippet and the two one-time repo-admin prerequisites (--enable-auto-merge, required checks already enforced) in docs/ci.md + README index entry.
  • Does not wire this into any consumer repo yet - that rollout is a deliberate follow-up per repo.

Test plan

  • actionlint / shellcheck CI on this repo passes
  • Manual dry-run on one low-stakes repo before wider rollout
  • Confirm dependabot/fetch-metadata@v2 output values match the if: conditions
  • Confirm merge-method input matches each consumer's actual convention before wiring in (shy/shybook forbid squash)

Operator decision (2026-07-02): the operator never sees Dependabot PRs;
fleet opens the tins. This adds the mechanics half of that policy as a
workflow_call reusable, following the same one-source-of-truth discipline
as go-bash-ci.yml — semver-level decision comes from Dependabot's own
metadata (dependabot/fetch-metadata), not string-matching the PR title.

minor/patch -> gh pr merge --auto (repo's own required checks still gate
the actual merge; this workflow never bypasses branch protection or org
rulesets). major -> left untouched for a human.

Not wired into any consumer repo yet — rollout is a deliberate follow-up
per repo, alongside the one-time `gh repo edit --enable-auto-merge` and a
FLEET_MERGE_TOKEN secret each consumer must set.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0178WxRJfA1zsYd7X1phqdsv
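The mechanics the PR body describes, written out as an added example that is not the PR's own dependabot-automerge.yml: a workflow_call reusable workflow that gates on the update-type output of dependabot/fetch-metadata and only arms gh pr merge --auto for minor and patch bumps. The merge-method input and the FLEET_MERGE_TOKEN secret are named in the PR text; the job and step names and the caller-event condition are this example's own assumptions.

```yaml
name: dependabot-automerge

on:
  workflow_call:
    inputs:
      merge-method:
        description: "merge, squash or rebase; must match the consumer repo's convention"
        type: string
        default: merge
    secrets:
      FLEET_MERGE_TOKEN:
        description: "Token permitted to enable auto-merge on the consumer repo"
        required: true

# Least privilege: enabling auto-merge needs pull-requests write; contents write
# is needed for the merge itself once the required checks pass.
permissions:
  contents: write
  pull-requests: write

jobs:
  automerge:
    # Only Dependabot's own PRs are candidates; everything else is skipped.
    if: github.event_name == 'pull_request' && github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2   # uses the caller's github.token by default

      # The semver decision comes from update-type, not from the PR title.
      # Values: version-update:semver-major | -minor | -patch
      - name: Queue auto-merge for minor/patch bumps
        if: >-
          steps.metadata.outputs.update-type == 'version-update:semver-minor' ||
          steps.metadata.outputs.update-type == 'version-update:semver-patch'
        env:
          GH_TOKEN: ${{ secrets.FLEET_MERGE_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
          MERGE_METHOD: ${{ inputs.merge-method }}
        # --auto only arms the merge: the repo's required checks and branch
        # protection still gate it. Prerequisite: gh repo edit --enable-auto-merge.
        run: gh pr merge --auto "--$MERGE_METHOD" "$PR_URL"

      - name: Leave majors for a human
        if: steps.metadata.outputs.update-type == 'version-update:semver-major'
        run: echo "semver-major bump left for human review"
```

Runs triggered by Dependabot's pull_request events get a restricted GITHUB_TOKEN and only see Dependabot secrets, so each consumer must store FLEET_MERGE_TOKEN where a Dependabot-triggered run can read it.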
@pr-insights-tagger


PR Analysis Summary

| Risk Level | Complexity | Files Changed |
| --- | --- | --- |
| 🔴 High Risk | 🟢 1.47/10 | 3 |

📧 Email-friendly summary: Risk: 🔴 High Risk | Complexity: 🟢 1.47/10 | Files: 3

Change Metrics

| Metric | Value |
| --- | --- |
| Lines Added | +115 |
| Lines Deleted | -0 |
| Files Modified | 3 |
| Complexity Score | 🟢 1.47/10 |
| Risk Assessment | 🔴 High Risk |

Risk factors:

  • .github/workflows/dependabot-automerge.yml (CI/CD workflow changes)

Classification

size:medium type:feature risk:high docs:markdown config:files

Files by Type

  • md: 2 files
  • yml: 1 file

💡 Recommendations

  1. High-risk changes detected - extra review attention recommended
  2. Significant code additions - ensure adequate test coverage

Analyzed by Woden Tagger • Automated PR insights for better code reviews

@sonarqubecloud

sonarqubecloud Bot commented Jul 2, 2026


Quality Gate failed

Failed conditions
Security Rating on New Code: C (required ≥ A)

See analysis details on SonarQube Cloud


```yaml
steps:
  # Reads Dependabot's own PR metadata; later steps gate on its outputs
  - name: Fetch Dependabot metadata
    id: metadata
    uses: dependabot/fetch-metadata@v2
```
2 participants