chore: enable Dependabot auto-merge (patch/minor)#24
Conversation
Add a Dependabot auto-merge workflow (enables auto-merge once CI passes for patch and minor updates; major updates stay manual) and Dependabot config for this repo's ecosystems. Part of a fleet-wide rollout.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7bdc924abb
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| patterns: ["*"] | ||
| update-types: ["minor", "patch"] | ||
| - package-ecosystem: "npm" | ||
| directory: "/" |
There was a problem hiding this comment.
Point npm Dependabot at the dashboard manifest
With directory: "/", this npm updater targets the root package manifest; GitHub documents directory as a single directory of manifests (https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#directories-or-directory). The React app that CI actually builds lives under dashboard/package.json (.github/workflows/ci.yml runs npm ci and npm run build with working-directory: dashboard), so dashboard dependencies will not receive Dependabot PRs while the root lockfile can. Configure the npm update for /dashboard as well, or use directories: ["/", "/dashboard"] if the root package should also be tracked.
Useful? React with 👍 / 👎.
| name: Dependabot auto-merge | ||
| # Auto-enable merge for Dependabot patch/minor updates once CI passes. Major | ||
| # updates are left for manual review. Standard GitHub pattern. | ||
| on: pull_request |
There was a problem hiding this comment.
Dependabot Token Stays Read-Only
When Dependabot opens a pull request, a pull_request workflow gets a read-only GITHUB_TOKEN even though this file asks for write permissions. The guarded job reaches gh pr merge --auto --squash, but the token cannot update the PR, so patch and minor Dependabot PRs are not put into auto-merge.
Context Used: Review OK Folio pull requests as a merge gate. Pri... (source)
Prompt To Fix With AI
This is a comment left during a code review.
Path: .github/workflows/dependabot-auto-merge.yml
Line: 4
Comment:
**Dependabot Token Stays Read-Only**
When Dependabot opens a pull request, a `pull_request` workflow gets a read-only `GITHUB_TOKEN` even though this file asks for write permissions. The guarded job reaches `gh pr merge --auto --squash`, but the token cannot update the PR, so patch and minor Dependabot PRs are not put into auto-merge.
**Context Used:** Review OK Folio pull requests as a merge gate. Pri... ([source](greptile.json))
How can I resolve this? If you propose a fix, please make it concise.| gomod-minor-patch: | ||
| patterns: ["*"] | ||
| update-types: ["minor", "patch"] | ||
| - package-ecosystem: "npm" |
There was a problem hiding this comment.
Dashboard Dependencies Are Uncovered
The only npm entry points at /, but the dashboard has its own dashboard/package.json and dashboard/package-lock.json, and CI installs that package from dashboard/. Dashboard dependency updates will not get Dependabot PRs, so this auto-merge rollout leaves the frontend dependency surface stale.
Context Used: Review OK Folio pull requests as a merge gate. Pri... (source)
Prompt To Fix With AI
This is a comment left during a code review.
Path: .github/dependabot.yml
Line: 12
Comment:
**Dashboard Dependencies Are Uncovered**
The only npm entry points at `/`, but the dashboard has its own `dashboard/package.json` and `dashboard/package-lock.json`, and CI installs that package from `dashboard/`. Dashboard dependency updates will not get Dependabot PRs, so this auto-merge rollout leaves the frontend dependency surface stale.
**Context Used:** Review OK Folio pull requests as a merge gate. Pri... ([source](greptile.json))
How can I resolve this? If you propose a fix, please make it concise.
Fleet-wide rollout: a Dependabot auto-merge workflow (auto-merge on green CI for patch/minor; major stays manual) + Dependabot config for this repo's ecosystems (gomod npm github-actions). Also enabling repo
allow_auto_merge.Greptile Summary
This PR adds Dependabot update automation for the repository. The main changes are:
Confidence Score: 3/5
The Dependabot rollout does not yet reliably enable auto-merge for Dependabot pull requests and leaves the dashboard dependency surface outside update coverage.
pull_requesttrigger for Dependabot-authored pull requests, where the token cannot perform the requested pull request update..github/workflows/dependabot-auto-merge.yml and .github/dependabot.yml
What T-Rex did
Prompt To Fix All With AI
Reviews (1): Last reviewed commit: "chore: enable Dependabot auto-merge for ..." | Re-trigger Greptile
Context used: