From 6ec7d4bcfc44c79aa2fa733d4aeeac4322add1fc Mon Sep 17 00:00:00 2001 From: Oliver Kopp Date: Wed, 15 Jul 2026 02:24:13 +0200 Subject: [PATCH] Modernize Dependabot auto-merge Replace the third-party pascalgn/automerge-action, which merges based on GitHub's mergeable state and does not reliably wait for status checks, with GitHub's native auto-merge: - `gh pr merge --auto` enables auto-merge, so every Dependabot PR merges only once the required `backend` and `frontend` checks pass (branch protection on main). Safety comes from the required checks rather than from the merge tooling, and a bump that breaks the build is held back automatically. - A least-privilege `permissions:` block replaces the broad default token. Note: this requires the repository setting "Allow auto-merge" (Settings -> General) to be enabled, otherwise `gh pr merge --auto` errors. It also makes the open Dependabot PR bumping pascalgn/automerge-action obsolete. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/automerge.yml | 34 ++++++++++++++++++--------------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml index 5cc5767f..ca04aa7d 100644 --- a/.github/workflows/automerge.yml +++ b/.github/workflows/automerge.yml @@ -1,20 +1,24 @@ -name: Automerge Pull Requests -on: - pull_request: - check_suite: - types: - - completed - status: {} +name: Dependabot auto-merge + +on: pull_request + +permissions: + contents: write + pull-requests: write jobs: - automerge: - name: Automerge Dependabot - runs-on: ubuntu-latest + dependabot: + # Restrict to Dependabot's own pull requests. Only those runs receive the + # write-scoped token the merge step below relies on. if: github.actor == 'dependabot[bot]' + runs-on: ubuntu-latest steps: - - name: Merge pull requests - uses: pascalgn/automerge-action@v0.8.4 + - name: Enable auto-merge for Dependabot PRs + # Turns on GitHub's native auto-merge for every Dependabot update. The + # PR still merges only after the required "backend" and "frontend" + # checks pass (branch protection on main), so a bump that breaks the + # build is held back automatically. + run: gh pr merge --auto --squash "$PR_URL" env: - MERGE_METHOD: "squash" - MERGE_LABELS: "" - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + PR_URL: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}