Skip to content

ci: auto-merge Dependabot patch and minor updates#64

Merged
Reefact merged 1 commit into
mainfrom
claude/cicd-audit-4crp4d
Jul 9, 2026
Merged

ci: auto-merge Dependabot patch and minor updates#64
Reefact merged 1 commit into
mainfrom
claude/cicd-audit-4crp4d

Conversation

@Reefact

@Reefact Reefact commented Jul 9, 2026

Copy link
Copy Markdown
Owner

Summary

Add the auto-merge half (palier A) of the Dependabot automation policy: Dependabot patch/minor updates get GitHub auto-merge enabled and merge on their own once required checks pass; major updates stay open for human review.

Prerequisite (repo settings, not code): this workflow only enables auto-merge. GitHub merges only when the branch's required status checks pass, so a branch-protection rule on main marking the CI checks as required — plus "Allow auto-merge" — must be in place for it to be safe. See the checklist in the review thread / discussion.

Type of change

  • Bug fix
  • New feature
  • Breaking change
  • Refactoring
  • Analyzer / diagnostic change
  • Tests
  • Documentation
  • Build / CI / tooling

Changes

  • Add .github/workflows/dependabot-automerge.yml:
    • Runs on pull_request to main, only when the actor is dependabot[bot].
    • Reads the update type via dependabot/fetch-metadata@v2.
    • For semver-patch and semver-minor, enables auto-merge (gh pr merge --auto --merge, matching the repo's merge-commit style).
    • semver-major falls through — no auto-merge, left for human review.
  • Least-privilege permissions: top-level contents: read; the job widens only to contents: write + pull-requests: write to enable auto-merge.

Testing

  • dotnet build FirstClassErrors.sln — not applicable (no source or build change).
  • dotnet test FirstClassErrors.sln — not run.
  • Analyzer tests (FirstClassErrors.Analyzers.UnitTests) — not run.
  • dependabot-automerge.yml YAML parsed and validated (trigger, actor guard, update-type condition, permissions). Real behaviour is exercised by GitHub when the next Dependabot PR is opened.

Documentation

  • No documentation change required

Related issues

None


Generated by Claude Code

Add a dependabot-automerge workflow (palier A of the Dependabot
automation policy). For pull requests raised by Dependabot it reads the
update type via dependabot/fetch-metadata and, for semver patch and minor
updates, enables GitHub auto-merge so they merge once required checks
pass. Major updates fall through and stay open for human review.

The workflow only enables auto-merge; the branch's required status checks
remain the actual safety gate, so a branch-protection rule on main marking
the CI checks as required is a prerequisite for safe behaviour.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AbXi2ZEaUFeFWodNxdY6Zk
@Reefact Reefact merged commit 04c9e77 into main Jul 9, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants