Skip to content

Modernize Dependabot auto-merge#607

Open
koppor wants to merge 1 commit into
mainfrom
modern-automerge
Open

Modernize Dependabot auto-merge#607
koppor wants to merge 1 commit into
mainfrom
modern-automerge

Conversation

@koppor

@koppor koppor commented Jul 15, 2026

Copy link
Copy Markdown
Member

🤖

  • What kind of change does this PR introduce?

CI / infrastructure. Modernizes the Dependabot auto-merge workflow.

  • What is the current behavior?

automerge.yml uses the third-party pascalgn/automerge-action@v0.8.4. That action merges based on GitHub's mergeable state and does not reliably wait for status checks, so it both predates and races the required-checks model. With branch protection now requiring backend and frontend, the old action just errors on PRs it cannot merge (e.g. the core-js 2→3 bump run shows a failure).

  • What is the new behavior (if this is a feature change)?

Replaces it with GitHub's native auto-merge:

  • gh pr merge --auto --squash enables auto-merge on each Dependabot PR. GitHub then merges it only after the required backend and frontend checks pass (branch protection on main). All update types are auto-merged — a bump that breaks the build simply never satisfies the checks and stays open.
  • A least-privilege permissions: block (contents: write, pull-requests: write) replaces the broad default token.
  • Drops the third-party action (and with it, the check_suite / status triggers the old approach needed).
  • Other information:

    • Requires one repo setting: enable Settings → General → "Allow auto-merge" (currently off), otherwise gh pr merge --auto errors. I could not toggle this myself (shared-repo setting). CLI equivalent: gh api -X PATCH repos/JabRef/cloudref -F allow_auto_merge=true.
    • This makes the open Dependabot PR Bump pascalgn/automerge-action from 0.8.4 to 0.16.4 #597 (bump pascalgn/automerge-action to 0.16.4) obsolete; it can be closed.
    • Safety now rests entirely on the required checks. Since the frontend has no runtime tests, a bump that compiles but changes behaviour would still merge — worth keeping in mind, though that matches the requested "merge all updates" policy.

Replace the third-party pascalgn/automerge-action, which merges based on
GitHub's mergeable state and does not reliably wait for status checks, with
GitHub's native auto-merge:

  - `gh pr merge --auto` enables auto-merge, so every Dependabot PR merges only
    once the required `backend` and `frontend` checks pass (branch protection
    on main). Safety comes from the required checks rather than from the merge
    tooling, and a bump that breaks the build is held back automatically.
  - A least-privilege `permissions:` block replaces the broad default token.

Note: this requires the repository setting "Allow auto-merge" (Settings ->
General) to be enabled, otherwise `gh pr merge --auto` errors. It also makes
the open Dependabot PR bumping pascalgn/automerge-action obsolete.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant