
fix: dco merge skip, dependabot docs, token perms tightening + rebase helper for best scorecard#350

Merged: SebTardif merged 1 commit into main from fix/dependabot-scorecard-hygiene-2026-06 on Jun 22, 2026

Conversation

@SebTardif (Contributor)

Summary

Implements all the safe improvements discussed for Dependabot friction while explicitly protecting (and documenting how to protect) the best possible OpenSSF Scorecard.

Changes:

  • DCO: skip merge commits in addition to [bot] authors (transient only because of squash-merge policy).
  • AGENTS.md: new "Handling Dependabot PRs" section with exact commands, rationale tied to current Scorecard numbers (CI-Tests=10, Branch-Protection, Token-Permissions, Dependency-Update-Tool=10).
  • Token-Permissions: explicit minimal job-level perms + comments on the four workflows flagged in recent scans (auto-approve, dependabot-auto-merge, backport, sign-old-releases).
  • New scripts/rebase-dependabot.sh (shellcheck clean) — the low-risk canonical helper.
  • Updated workflow NOTES to cross-reference the guidance.

No risky changes were made:

  • No re-introduction of the auto-rebase job (known to invalidate CI runs and hurt CI-Tests).
  • No additional skipping of tests/linters for Dependabot PRs (would regress CI-Tests=10).
  • Branch-Protection "up-to-date branches" and full CI expectations remain intact.

Scorecard impact

All changes are neutral-to-positive for the checks that matter:

  • CI-Tests stays at 10 (fresh runs after clean rebases).
  • Branch-Protection hygiene preserved/enhanced via docs.
  • Token-Permissions warnings addressed at source.
  • DCO relaxation is narrowly scoped to merge commits we already discard on squash (consistent with existing bot exemption).

How to review

See commit for full details.

Closes the recurring babysitting pattern for Dependabot while aiming for Scorecard 10.
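As an added illustration (not one of the workflow files in this PR), this is the shape of the "explicit minimal job-level perms" the description refers to, in a GitHub Actions workflow: the weak form relies on the repository's default token grant, the corrected form denies everything at the top level and grants each job only what its steps use. Workflow name, job name and the step body are placeholders.

```yaml
# Added example, not a file from this repository. Names and the step body
# are placeholders; only the permissions layout is the point.
#
# Weak form, which the OpenSSF Scorecard Token-Permissions check flags:
# no `permissions:` block anywhere, so every job receives the repository's
# default GITHUB_TOKEN grant, which may be read/write on every scope.
#
#   name: dependabot-auto-merge-example
#   on: pull_request
#   jobs:
#     auto-merge:
#       runs-on: ubuntu-latest
#       steps:
#         - run: gh pr merge --auto --squash "$PR_URL"
#
# Corrected form follows.
name: dependabot-auto-merge-example

on:
  pull_request:
    types: [opened, synchronize, reopened]

# Top level: grant nothing. A job that forgets its own block now gets an
# empty token rather than the repository default, and the check reads
# this top-level block first.
permissions: {}

jobs:
  auto-merge:
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    # Job level: the minimum these two gh calls actually need.
    permissions:
      contents: write        # `gh pr merge` writes to the base branch
      pull-requests: write   # `gh pr review --approve` edits the PR
    steps:
      - name: Approve and enable squash auto-merge
        run: |
          gh pr review --approve "$PR_URL"
          gh pr merge --auto --squash "$PR_URL"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
```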

@github-actions github-actions Bot added the labels size/m (50-249 lines changed), area/ci (CI/CD workflows), area/docs (Documentation) on Jun 22, 2026
@SebTardif SebTardif enabled auto-merge (squash) June 22, 2026 15:27
… helper for best scorecard

- Update DCO to skip merge commits (in addition to bots). Safe for CI-Tests/Branch-Protection because we squash-merge and this only affects transient update commits. Reduces babysitting.
- Add detailed "Handling Dependabot PRs" section to AGENTS.md with exact rebase process and rationale for preserving Scorecard 9->10 trajectory (CI-Tests=10, Dependency-Update-Tool=10, etc.).
- Tighten/annotate permissions in auto-approve, dependabot-auto-merge, backport, sign-old-releases to address Token-Permissions warns.
- Add scripts/rebase-dependabot.sh (shellcheck-clean) as the low-risk canonical way to update branches without merge commits.
- Updated workflow NOTES to reference the guidance.

None of these regress Branch-Protection, CI-Tests, or Token-Permissions. Auto-rebase job and broad CI skips were deliberately avoided per prior analysis.

Closes the recurring "babysit dependabot" pattern while aiming for maximal Scorecard.

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
@SebTardif SebTardif force-pushed the fix/dependabot-scorecard-hygiene-2026-06 branch from 30c0dec to f678701 Compare June 22, 2026 15:28
@SebTardif (Contributor, Author)

Rebased cleanly onto latest main (conflicts were only in the evolved auto-approve.yaml permissions block; resolved by combining current logic with our Token-Permissions tightening comment).

  • mergeable: MERGEABLE now
  • New CI runs queued on the rebased commit (f678701)
  • All our changes (DCO merge-commit skip, AGENTS.md guidance + rebase helper script, permission scoping/comments for Scorecard, updates to related workflows) are on top of current main.

No reviews yet. This should unblock the Dependabot babysitting issues long-term while keeping high Scorecard (CI-Tests, Branch-Protection, Token-Permissions).

Let me know if any adjustments are needed!

@SebTardif SebTardif merged commit e301fbd into main Jun 22, 2026
33 checks passed
@SebTardif SebTardif deleted the fix/dependabot-scorecard-hygiene-2026-06 branch June 22, 2026 15:32