
[ci] Auto-merge workerd Dependabot updates when CI is green#13852

Merged
petebacondarwin merged 3 commits into
mainfrom
penalosa/auto-merge-workerd
May 21, 2026

Conversation

@penalosa
Contributor

@penalosa penalosa commented May 7, 2026

workerd ships a release every weekday, producing a steady stream of mechanical Dependabot PRs in the workerd-and-workers-types group (e.g. #13841). When CI is green these PRs require no human review, so this enables GitHub auto-merge for them. Required status checks remain the gate — a failing build still parks the PR for a human.

Implementation notes:

  • Triggers on pull_request_target to match the existing miniflare-dependabot-versioning-prs.yml and c3-dependabot-versioning-prs.yml workflows.
  • Gated by both github.event.pull_request.user.login == 'dependabot[bot]' and dependency-group == 'workerd-and-workers-types', so it never auto-merges anything else.
  • No actions/checkout step — PR-controlled code never touches the elevated token.
  • dependabot/fetch-metadata is SHA-pinned (passes pnpm check:workflows).

Prerequisites for this to take effect (require a repo admin):

  1. Repo settings → "Allow auto-merge" must be enabled.
  2. Branch protection on main should already require the relevant status checks; this PR does not change them.

The existing miniflare-dependabot-versioning-prs.yml already auto-generates the changeset on these PRs, so once auto-merge is enabled the loop should be fully closed.


  • Tests
    • Tests included/updated
    • Automated tests not possible - manual testing has been completed as follows:
    • Additional testing not necessary because: this is a CI-only workflow that can only be exercised by a real Dependabot PR against main. Behavior is gated by two conditions (actor and dependency-group) and any failure mode degrades to "auto-merge not enabled" — no destructive path.
  • Public documentation
    • Cloudflare docs PR(s):
    • Documentation not necessary because: internal CI automation, no user-facing surface.

workerd ships a release every weekday, producing a steady stream of
mechanical Dependabot PRs in the workerd-and-workers-types group. These
PRs require no human review when CI passes, so enable GitHub auto-merge
for them. Required status checks remain the gate — a failing build still
parks the PR for a human.
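The workflow the description and the second commit message above describe, reconstructed here as an added illustration; it is not the merged `.github/workflows/dependabot-auto-merge.yml`. The event types, the action SHA (a placeholder) and the allowed file paths in the verification step are assumptions.

```yaml
name: Auto-merge workerd Dependabot updates

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

permissions:
  contents: write
  pull-requests: write

jobs:
  auto-merge:
    # Gate 1: only PRs authored by Dependabot.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout: pull_request_target runs with a write token,
      # so PR-controlled code is never checked out or executed in this job.
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@0000000000000000000000000000000000000000 # v2.3.0 (placeholder SHA)
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Gate 2: only the workerd-and-workers-types dependency group.
      - name: Verify PR shape and enable auto-merge
        if: steps.metadata.outputs.dependency-group == 'workerd-and-workers-types'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}
        run: |
          # Expected shape: the Dependabot commit plus the generated changeset commit.
          commits=$(gh pr view "$PR" --json commits --jq '.commits | length')
          # Allowed paths are an assumption for this example; adjust to the real fileset.
          bad=$(gh pr view "$PR" --json files \
            --jq '[.files[].path | select(test("^(package\\.json|pnpm-lock\\.yaml|packages/[^/]+/package\\.json|\\.changeset/[^/]+\\.md)$") | not)] | length')
          if [ "$commits" -ne 2 ] || [ "$bad" -ne 0 ]; then
            echo "Unexpected PR shape: $commits commits, $bad unexpected files; cancelling auto-merge"
            # A maintainer follow-up commit re-triggers on synchronize and lands here.
            gh pr merge --disable-auto "$PR" || true
            exit 1
          fi
          gh pr merge --auto --squash "$PR"
```

Required status checks on main remain the actual merge gate; this workflow only toggles auto-merge, so its worst failure mode is a PR that waits for a human.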
@changeset-bot

changeset-bot Bot commented May 7, 2026

⚠️ No Changeset found

Latest commit: 4e1221c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets


@ask-bonk
Contributor

ask-bonk Bot commented May 7, 2026

SHA pin matches. Let me review the workflow one more time carefully:

  1. Trigger: pull_request_target with appropriate event types — consistent with existing workflows.
  2. Permissions: contents: write and pull-requests: write — minimal and correct for enabling auto-merge.
  3. Job condition: Gated on dependabot[bot] actor.
  4. Step 1: dependabot/fetch-metadata SHA-pinned correctly to v2.3.0.
  5. Step 2: Second gate on dependency-group == 'workerd-and-workers-types', uses gh pr merge --auto --squash.
  6. No checkout: Correctly avoids checking out PR code, so no code execution with elevated token.
  7. Token usage: Uses secrets.GITHUB_TOKEN (not a PAT), appropriate for this use case.

The workflow is clean, follows existing patterns in the repo, and the security model is sound (double-gated, no checkout, SHA-pinned action).

LGTM


@penalosa penalosa added the "no-changeset-required" (Skip PR check for valid changeset) label May 7, 2026
@penalosa penalosa marked this pull request as ready for review May 7, 2026 15:05
@penalosa penalosa requested a review from workers-devprod as a code owner May 7, 2026 15:05
@workers-devprod workers-devprod requested review from a team and dario-piotrowicz and removed request for a team May 7, 2026 15:06
@workers-devprod
Contributor

Codeowners approval required for this PR:

  • @cloudflare/wrangler
  • .github/workflows/dependabot-auto-merge.yml: [@cloudflare/wrangler]

Contributor

@devin-ai-integration devin-ai-integration Bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.


Add a verification step that ensures the PR contains exactly the two
expected commits (signed Dependabot commit + changeset commit from
miniflare-dependabot-versioning-prs.yml) and only touches the expected
fileset. If a maintainer pushes a follow-up commit, verification fails
and any previously-enabled auto-merge is cancelled.
@pkg-pr-new

pkg-pr-new Bot commented May 7, 2026

  • create-cloudflare: npm i https://pkg.pr.new/create-cloudflare@13852
  • @cloudflare/kv-asset-handler: npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@13852
  • miniflare: npm i https://pkg.pr.new/miniflare@13852
  • @cloudflare/pages-shared: npm i https://pkg.pr.new/@cloudflare/pages-shared@13852
  • @cloudflare/unenv-preset: npm i https://pkg.pr.new/@cloudflare/unenv-preset@13852
  • @cloudflare/vite-plugin: npm i https://pkg.pr.new/@cloudflare/vite-plugin@13852
  • @cloudflare/vitest-pool-workers: npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@13852
  • @cloudflare/workers-editor-shared: npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@13852
  • @cloudflare/workers-utils: npm i https://pkg.pr.new/@cloudflare/workers-utils@13852
  • wrangler: npm i https://pkg.pr.new/wrangler@13852

commit: 4e1221c


@workers-devprod
Contributor

workers-devprod commented May 21, 2026

Codeowners approval required for this PR:

  • ✅ @cloudflare/wrangler

Co-authored-by: devin-ai-integration[bot] <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Contributor

@workers-devprod workers-devprod left a comment


Codeowners reviews satisfied

@github-project-automation github-project-automation Bot moved this from Untriaged to Approved in workers-sdk May 21, 2026
@petebacondarwin petebacondarwin enabled auto-merge (squash) May 21, 2026 14:43
@petebacondarwin petebacondarwin merged commit bbb2363 into main May 21, 2026
55 checks passed
@petebacondarwin petebacondarwin deleted the penalosa/auto-merge-workerd branch May 21, 2026 14:50
@github-project-automation github-project-automation Bot moved this from Approved to Done in workers-sdk May 21, 2026
penalosa added a commit that referenced this pull request May 28, 2026
Co-authored-by: Pete Bacon Darwin <pete@bacondarwin.com>
Co-authored-by: devin-ai-integration[bot] <158243242+devin-ai-integration[bot]@users.noreply.github.com>

Labels

no-changeset-required (Skip PR check for valid changeset)

Projects

Status: Done
