Skip to content

chore: enable Dependabot auto-merge (patch/minor)#24

Merged
kossoy merged 1 commit into
mainfrom
chore/dependabot-auto-merge
Jun 25, 2026
Merged

chore: enable Dependabot auto-merge (patch/minor)#24
kossoy merged 1 commit into
mainfrom
chore/dependabot-auto-merge

Conversation

@kossoy

@kossoy kossoy commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Fleet-wide rollout: a Dependabot auto-merge workflow (auto-merge on green CI for patch/minor; major stays manual) + Dependabot config for this repo's ecosystems (gomod npm github-actions). Also enabling repo allow_auto_merge.

Greptile Summary

This PR adds Dependabot update automation for the repository. The main changes are:

  • Weekly Dependabot groups for Go modules, root npm, and GitHub Actions.
  • A Dependabot-only workflow that fetches update metadata.
  • Auto-merge enablement for patch and minor dependency PRs.

Confidence Score: 3/5

The Dependabot rollout does not yet reliably enable auto-merge for Dependabot pull requests and leaves the dashboard dependency surface outside update coverage.

  • The auto-merge workflow uses a pull_request trigger for Dependabot-authored pull requests, where the token cannot perform the requested pull request update.
  • The Dependabot npm configuration covers only the repository root while the dashboard has its own package files and CI install path.
  • The remaining ecosystem grouping and patch/minor gating behavior is otherwise aligned with the stated automation contract.

.github/workflows/dependabot-auto-merge.yml and .github/dependabot.yml

T-Rex T-Rex Logs

What T-Rex did

  • The T-Rex workflow compared the dependabot-contract states by first observing that the base revision was missing .github/dependabot.yml and .github/workflows/dependabot-auto-merge.yml (harness exit code 1), and then verifying that the head state passes all ecosystem, schedule, grouping, actor guard, and update-type gating checks with exit code 0, noting that Dependabot token writability and dashboard npm coverage were deliberately not tested per the findings exclusion.

View all artifacts

T-Rex Ran code and verified through T-Rex

Prompt To Fix All With AI
Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
.github/workflows/dependabot-auto-merge.yml:4
**Dependabot Token Stays Read-Only**

When Dependabot opens a pull request, a `pull_request` workflow gets a read-only `GITHUB_TOKEN` even though this file asks for write permissions. The guarded job reaches `gh pr merge --auto --squash`, but the token cannot update the PR, so patch and minor Dependabot PRs are not put into auto-merge.

### Issue 2 of 2
.github/dependabot.yml:12
**Dashboard Dependencies Are Uncovered**

The only npm entry points at `/`, but the dashboard has its own `dashboard/package.json` and `dashboard/package-lock.json`, and CI installs that package from `dashboard/`. Dashboard dependency updates will not get Dependabot PRs, so this auto-merge rollout leaves the frontend dependency surface stale.

Reviews (1): Last reviewed commit: "chore: enable Dependabot auto-merge for ..." | Re-trigger Greptile

Greptile also left 2 inline comments on this PR.

Context used:

  • Context used - Review OK Folio pull requests as a merge gate. Pri... (source)

Add a Dependabot auto-merge workflow (enables auto-merge once CI passes for
patch and minor updates; major updates stay manual) and Dependabot config for
this repo's ecosystems. Part of a fleet-wide rollout.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7bdc924abb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/dependabot.yml
patterns: ["*"]
update-types: ["minor", "patch"]
- package-ecosystem: "npm"
directory: "/"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Point npm Dependabot at the dashboard manifest

With directory: "/", this npm updater targets the root package manifest; GitHub documents directory as a single directory of manifests (https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#directories-or-directory). The React app that CI actually builds lives under dashboard/package.json (.github/workflows/ci.yml runs npm ci and npm run build with working-directory: dashboard), so dashboard dependencies will not receive Dependabot PRs while the root lockfile can. Configure the npm update for /dashboard as well, or use directories: ["/", "/dashboard"] if the root package should also be tracked.

Useful? React with 👍 / 👎.

@kossoy kossoy merged commit 4974a27 into main Jun 25, 2026
3 checks passed
name: Dependabot auto-merge
# Auto-enable merge for Dependabot patch/minor updates once CI passes. Major
# updates are left for manual review. Standard GitHub pattern.
on: pull_request

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Dependabot Token Stays Read-Only

When Dependabot opens a pull request, a pull_request workflow gets a read-only GITHUB_TOKEN even though this file asks for write permissions. The guarded job reaches gh pr merge --auto --squash, but the token cannot update the PR, so patch and minor Dependabot PRs are not put into auto-merge.

Context Used: Review OK Folio pull requests as a merge gate. Pri... (source)

Prompt To Fix With AI
This is a comment left during a code review.
Path: .github/workflows/dependabot-auto-merge.yml
Line: 4

Comment:
**Dependabot Token Stays Read-Only**

When Dependabot opens a pull request, a `pull_request` workflow gets a read-only `GITHUB_TOKEN` even though this file asks for write permissions. The guarded job reaches `gh pr merge --auto --squash`, but the token cannot update the PR, so patch and minor Dependabot PRs are not put into auto-merge.

**Context Used:** Review OK Folio pull requests as a merge gate. Pri... ([source](greptile.json))

How can I resolve this? If you propose a fix, please make it concise.

Comment thread .github/dependabot.yml
gomod-minor-patch:
patterns: ["*"]
update-types: ["minor", "patch"]
- package-ecosystem: "npm"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Dashboard Dependencies Are Uncovered

The only npm entry points at /, but the dashboard has its own dashboard/package.json and dashboard/package-lock.json, and CI installs that package from dashboard/. Dashboard dependency updates will not get Dependabot PRs, so this auto-merge rollout leaves the frontend dependency surface stale.

Context Used: Review OK Folio pull requests as a merge gate. Pri... (source)

Prompt To Fix With AI
This is a comment left during a code review.
Path: .github/dependabot.yml
Line: 12

Comment:
**Dashboard Dependencies Are Uncovered**

The only npm entry points at `/`, but the dashboard has its own `dashboard/package.json` and `dashboard/package-lock.json`, and CI installs that package from `dashboard/`. Dashboard dependency updates will not get Dependabot PRs, so this auto-merge rollout leaves the frontend dependency surface stale.

**Context Used:** Review OK Folio pull requests as a merge gate. Pri... ([source](greptile.json))

How can I resolve this? If you propose a fix, please make it concise.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant