Skip to content

Commit 5efea2b

Browse files
committed
feat: combine dependabot PRs via github/combine-prs
Dependabot grouping already merges updates within each ecosystem, but it cannot merge across groups (cargo dev vs prod), across directories (pip's multiple dirs), or across ecosystems. This adds a workflow using github/combine-prs to fold the month's remaining open Dependabot PRs into one combined PR, cutting review noise. It complements dependabot.yml rather than replacing it. Runs monthly a few days after Dependabot's batch, plus manual dispatch, and is a no-op when fewer than two PRs are open. Caveats (we may choose not to land this because of them): - The combined PR is opened with the default GITHUB_TOKEN, so GitHub's anti-recursion rule keeps it from triggering the pull_request workflows -- the combined PR gets no CI of its own. ci_required: true ensures each source PR passed CI individually, but the *combination* is not tested until a human closes and reopens the combined PR. Auto-CI on the combined PR would require a GitHub App token or PAT, i.e. new secrets, which this repo deliberately minimizes. - Only branches with the "dependabot" prefix are combined; any future non-dependabot bot PRs are not swept in. - Behavior against live PRs can only be confirmed on GitHub; trigger the workflow manually once with >= 2 open Dependabot PRs to verify. Closes STOR-577
1 parent a70ca64 commit 5efea2b

1 file changed

Lines changed: 43 additions & 0 deletions

File tree

Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,43 @@
1+
name: Combine Dependabot PRs
2+
3+
# Folds the month's open Dependabot PRs into a single "Combined PRs" PR to cut
4+
# review noise. Dependabot grouping already merges within each ecosystem, but it
5+
# cannot merge across groups (cargo dev vs prod), across directories (pip), or
6+
# across ecosystems -- this sweeps up that remainder.
7+
#
8+
# NOTE on CI: the combined PR is opened with the default GITHUB_TOKEN, so by
9+
# GitHub's anti-recursion rule it does NOT trigger the pull_request workflows.
10+
# `ci_required: true` guarantees each source PR already passed CI individually;
11+
# to validate the *combination*, close and reopen the combined PR (a human
12+
# reopen fires pull_request) so the Main Workflow runs before merge.
13+
14+
on:
15+
# Dependabot runs monthly (see .github/dependabot.yml); run a few days later
16+
# to sweep up that batch. No-op unless >= min_combine_number PRs are open.
17+
schedule:
18+
- cron: "0 6 8 * *"
19+
workflow_dispatch:
20+
21+
# Don't let a manual run race a scheduled run.
22+
concurrency:
23+
group: combine-dependabot-prs
24+
cancel-in-progress: false
25+
26+
jobs:
27+
combine-prs:
28+
runs-on: ubuntu-latest
29+
permissions:
30+
contents: write
31+
pull-requests: write
32+
steps:
33+
- name: Combine Dependabot PRs
34+
uses: github/combine-prs@2909f404763c3177a456e052bdb7f2e85d3a7cb3 # v5.2.0
35+
with:
36+
github_token: ${{ secrets.GITHUB_TOKEN }}
37+
# All Dependabot branches share the "dependabot" prefix.
38+
branch_prefix: dependabot
39+
# Only combine PRs that have already passed CI individually.
40+
ci_required: "true"
41+
pr_title: "chore(deps): combine dependabot pull requests"
42+
# Carry the same label Dependabot applies, so filters keep working.
43+
labels: dependencies

0 commit comments

Comments
 (0)