Fix Dependabot auto-merge by using pull_request_target for elevated permissions #331
greenc-FNAL merged 10 commits into main from
Conversation
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.2 to 4.32.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@45cbd0c...9e907b5)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: greenc-FNAL <2372949+greenc-FNAL@users.noreply.github.com>
@phlexbot markdown-fix

@copilot Project lead is uncomfortable with auto-approve at this time, and would like to preserve approval as a manual step for now, with auto-merge taking place after human approval and all checks have passed. Please remove the auto-approval step.
Pull request overview
Updates the Dependabot auto-merge automation to reliably enable auto-merge on protected branches by switching the workflow to pull_request_target, adding an auto-approval step, and documenting the security rationale and alternatives.
Changes:
- Switch workflow trigger from `pull_request` to `pull_request_target` for elevated `GITHUB_TOKEN` permissions on Dependabot PRs.
- Add an "Approve Dependabot PR" step to satisfy approval-based branch protection requirements.
- Add dedicated documentation describing behavior, security considerations, and alternatives (GitHub App / PAT).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/dependabot-auto-merge.yaml | Moves to pull_request_target, adds auto-approval, and refines error handling for enabling auto-merge. |
| .github/DEPENDABOT_AUTO_MERGE.md | Documents the workflow design, security rationale, and alternative approaches. |
Comments suppressed due to low confidence (1)
.github/DEPENDABOT_AUTO_MERGE.md:132
- The file currently ends with a trailing blank line. Please remove the extra blank line so the file ends with exactly one newline after the last content line.
- [Dependabot fetch-metadata action](https://github.com/dependabot/fetch-metadata)
Removed the auto-approval step in commit fcf19a8. The workflow now only enables auto-merge; approval must be done manually. Auto-merge will trigger after human approval and all CI checks pass.
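A minimal workflow matching the design settled on above (a `pull_request_target` trigger so `GITHUB_TOKEN` has write access, no auto-approve step, auto-merge that only completes after human approval and green checks), as an added example that is not the project's own `.github/workflows/dependabot-auto-merge.yaml`; the step names, the semver gate and the `gh` invocation are assumptions.

```yaml
name: Dependabot auto-merge

# pull_request_target runs with the base branch's permissions, which is what
# lets GITHUB_TOKEN enable auto-merge on a protected branch. The trade-off:
# never check out or execute the PR head in this workflow, since that code is
# untrusted and would run with the same write-capable token.
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

permissions:
  contents: write        # required by `gh pr merge --auto`
  pull-requests: write

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    # Only act on PRs actually opened by Dependabot.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Assumed policy: patch and minor bumps are eligible for auto-merge;
      # major bumps stay fully manual. No approval is granted here: GitHub
      # performs the merge only once a human approves and all checks pass.
      - name: Enable auto-merge
        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: gh pr merge --auto --squash "$PR_URL"
```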
@phlexbot format

No automatic markdownlint fixes were necessary.

No automatic cmake-format fixes were necessary.

@copilot Please address remaining relevant Copilot review comments.

No automatic jsonnetfmt fixes were necessary.

No automatic clang-format fixes were necessary.
Addressed both review comments in commit 3dd61c0: