From c949f2c5cf9b942feace74810748e20b88ebd54d Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Sat, 11 Jul 2026 09:18:54 +0200 Subject: [PATCH] ci(deps): keep actions, docker base and pip deps updated automatically Dependabot opens weekly PRs for the three update surfaces: github-actions (grouped into one PR; the first one also clears the Node 20 deprecation warning on checkout@v4 and upload-artifact@v4), the python base image, and the pip dependencies. A companion workflow enables auto-merge for minor and patch bumps so they land on their own once the required make test check is green; major bumps stay manual. Requires two repo settings: allow auto-merge, and a branch protection rule on main with make test as required status check, which is the gate that keeps auto-merge from landing untested changes. Co-Authored-By: Claude Fable 5 --- .github/dependabot.yml | 21 +++++++++++++++ .github/workflows/dependabot-auto-merge.yml | 29 +++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/dependabot-auto-merge.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..884b0d0 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,21 @@ +--- +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + groups: + actions: + patterns: + - "*" + + - package-ecosystem: docker + directory: / + schedule: + interval: weekly + + - package-ecosystem: pip + directory: / + schedule: + interval: weekly diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml new file mode 100644 index 0000000..cdf4db5 --- /dev/null +++ b/.github/workflows/dependabot-auto-merge.yml @@ -0,0 +1,29 @@ +--- +name: Dependabot auto-merge + +on: pull_request + +permissions: + contents: write + pull-requests: write + +jobs: + auto-merge: + # Enable auto-merge for minor/patch dependency bumps; majors stay manual. + # The merge only happens once every required status check (make test) is + # green, so the CI stays the gate. + if: github.actor == 'dependabot[bot]' + runs-on: ubuntu-latest + steps: + - name: Fetch dependency metadata + id: metadata + uses: dependabot/fetch-metadata@v2 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + + - name: Enable auto-merge (minor + patch) + if: steps.metadata.outputs.update-type != 'version-update:semver-major' + run: gh pr merge --auto --squash "$PR_URL" + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}