fix: rebase-dependabot.sh missing origin/ prefix and update Dependabot docs #467
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Dependabot Auto-Merge | |
| on: | |
| pull_request_target: | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: dependabot-auto-merge-${{ github.event.pull_request.number }} | |
| cancel-in-progress: true | |
| jobs: | |
| auto-merge: | |
| name: Auto-merge Dependabot PRs | |
| permissions: | |
| # contents:write + pull-requests:write required for gh pr review + gh pr merge --auto. | |
| # This is the minimum for the auto-merge functionality on pull_request_target. | |
| # See Scorecard Token-Permissions: writes are justified here but kept scoped to the job. | |
| contents: write | |
| pull-requests: write | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 5 | |
| if: > | |
| github.event_name == 'pull_request_target' && | |
| github.event.pull_request.user.login == 'dependabot[bot]' | |
| steps: | |
| - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| egress-policy: audit | |
| - name: Fetch Dependabot metadata | |
| id: metadata | |
| uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| skip-commit-verification: true | |
| - name: Approve and enable auto-merge | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| run: | | |
| gh pr review --approve "$PR_URL" | |
| gh pr merge --auto --squash "$PR_URL" | |
| echo "Auto-merge enabled for ${{ steps.metadata.outputs.update-type }} update" | |
| # NOTE: A rebase-dependabot job was removed here. It updated open | |
| # Dependabot PR branches on every push to main, but caused more harm | |
| # than good: GITHUB_TOKEN pushes do not trigger other workflows (GitHub | |
| # infinite-loop prevention), so the rebase invalidated existing CI | |
| # results without starting new ones, leaving PRs stuck in "no required | |
| # checks reported" limbo. With strict_required_status_checks_policy | |
| # disabled in the branch ruleset, PRs can merge when behind main, so | |
| # auto-rebase is unnecessary. Dependabot handles its own rebases when | |
| # conflicts arise. | |
| # | |
| # See AGENTS.md "Handling Dependabot PRs" for the supported process | |
| # (always rebase cleanly when helping a PR; the DCO workflow skips merge | |
| # commits to avoid blocking legitimate updates). This design protects | |
| # our high Scorecard scores (CI-Tests=10, Branch-Protection, etc.). |