[ci] Auto-merge workerd Dependabot updates when CI is green #13852
workerd ships a release every weekday, producing a steady stream of mechanical Dependabot PRs in the workerd-and-workers-types group. These PRs require no human review when CI passes, so enable GitHub auto-merge for them. Required status checks remain the gate — a failing build still parks the PR for a human.
SHA pin matches. Let me review the workflow one more time carefully:
The workflow is clean, follows existing patterns in the repo, and the security model is sound (double-gated, no checkout, SHA-pinned action). LGTM
Add a verification step that ensures the PR contains exactly the two expected commits (signed Dependabot commit + changeset commit from miniflare-dependabot-versioning-prs.yml) and only touches the expected fileset. If a maintainer pushes a follow-up commit, verification fails and any previously-enabled auto-merge is cancelled.
```bash
# may not have run yet, in which case we bail and wait for the
# `synchronize` event from its push.
if ! echo "$files_json" | jq -e '.files[] | select(.path | startswith(".changeset/dependabot-update-"))' > /dev/null; then
  fail "changeset file not yet present; waiting for changeset job to push it"
```
Will these fail statements actually cause the job to fail?
In which case the "disable auto-merge" step may not run?
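The verification gate described in the commit above, and the reviewer's concern that a failing check must still leave a path to the disable-auto-merge step, as an added example written in the shape of an `actions/github-script` step body; it is not the PR's own workflow code. It assumes `commits` and `files` have the shapes returned by the REST `pulls.listCommits` and `pulls.listFiles` endpoints (`author.login`, `commit.verification.verified`, `filename`), and the allowed fileset and the changeset commit's author login are hypothetical.

```javascript
// Assumed fileset a workerd bump may touch (hypothetical, not taken from the PR).
const ALLOWED_FILES = new Set(["pnpm-lock.yaml", "packages/miniflare/package.json"]);
const CHANGESET_PREFIX = ".changeset/dependabot-update-";
// Assumed login of the account that pushes the changeset commit (hypothetical).
const CHANGESET_AUTHOR = "github-actions[bot]";
// Returns { ok: true } when the PR is exactly what auto-merge expects, otherwise
// { ok: false, reason }. It returns rather than throws, so the step can always
// publish the outcome and a later step can disable auto-merge when ok is false.
function verifyPr(commits, files) {
  // 1. Exactly two commits: the Dependabot bump plus the changeset commit.
  if (commits.length !== 2) {
    return { ok: false, reason: `expected 2 commits, found ${commits.length}` };
  }
  const [bump, changeset] = commits;
  // 2. First commit is from dependabot[bot] and carries a verified signature.
  if (bump.author?.login !== "dependabot[bot]") {
    return { ok: false, reason: "first commit is not from dependabot[bot]" };
  }
  if (bump.commit?.verification?.verified !== true) {
    return { ok: false, reason: "dependabot commit signature is not verified" };
  }
  // 3. Second commit is the changeset push; anything else means a human pushed.
  if (changeset.author?.login !== CHANGESET_AUTHOR) {
    return { ok: false, reason: "second commit is not the changeset commit" };
  }
  // 4. The changeset file may not exist yet while the changeset job is running:
  //    report it so the caller bails and waits for the `synchronize` event.
  const paths = files.map((f) => f.filename);
  if (!paths.some((p) => p.startsWith(CHANGESET_PREFIX))) {
    return { ok: false, reason: "changeset file not yet present" };
  }
  // 5. Every other touched file must be in the allowed set.
  const unexpected = paths.filter((p) => !p.startsWith(CHANGESET_PREFIX) && !ALLOWED_FILES.has(p));
  if (unexpected.length > 0) {
    return { ok: false, reason: `unexpected files: ${unexpected.join(", ")}` };
  }
  return { ok: true };
}
// Constructed sample (not a real PR): a well-formed workerd bump.
const sampleCommits = [
  { author: { login: "dependabot[bot]" }, commit: { verification: { verified: true } } },
  { author: { login: CHANGESET_AUTHOR }, commit: { verification: { verified: false } } },
];
const sampleFiles = [
  { filename: "pnpm-lock.yaml" },
  { filename: "packages/miniflare/package.json" },
  { filename: ".changeset/dependabot-update-workerd.md" },
];
```

Because `verifyPr` returns an object instead of exiting non-zero, the step can write `ok` and `reason` to its outputs and a following step can run `gh pr merge --disable-auto` whenever `ok` is false, without depending on `if: failure()`.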
workerd ships a release every weekday, producing a steady stream of mechanical Dependabot PRs in the `workerd-and-workers-types` group (e.g. #13841). When CI is green these PRs require no human review, so this enables GitHub auto-merge for them. Required status checks remain the gate — a failing build still parks the PR for a human.

Implementation notes:

- Uses `pull_request_target` to match the existing `miniflare-dependabot-versioning-prs.yml` and `c3-dependabot-versioning-prs.yml` workflows.
- Gated on `github.event.pull_request.user.login == 'dependabot[bot]'` and `dependency-group == 'workerd-and-workers-types'`, so it never auto-merges anything else.
- No `actions/checkout` step — PR-controlled code never touches the elevated token.
- `dependabot/fetch-metadata` is SHA-pinned (passes `pnpm check:workflows`).

Prerequisites for this to take effect (require a repo admin):

- `main` should already require the relevant status checks; this PR does not change them.

The existing `miniflare-dependabot-versioning-prs.yml` already auto-generates the changeset on these PRs, so once auto-merge is enabled the loop should be fully closed.

main. Behavior is gated by two conditions (`actor` and `dependency-group`) and any failure mode degrades to "auto-merge not enabled" — no destructive path.