Dependabot approval workflow updates #6112
Merged
beets merged 14 commits into datacommonsorg:master, Mar 24, 2026
### Summary

This PR refactors the Dependabot auto-merge workflow to use a deterministic state machine, removing the previous reliance on time-based polling. The previous logic used a 24-hour `updatedAt` threshold to guess the state of a PR, which could lead to stalled pipelines if a PR encountered transient errors or merge conflicts. This update directly evaluates GitHub's CI and merge states to accurately process the queue.

### Key Changes

- **Explicit State Management**: The workflow now parses the `statusCheckRollup` and `mergeStateStatus` fields from the GitHub API using `jq` to determine a PR's exact status.
- **Permanent Isolation for Failures**: If a PR fails its tests (returns `FAILURE` or `ERROR`), the script automatically applies a `failing` label and completely ignores it in future runs. This prevents broken PRs from repeatedly jamming the active queue.
- **Handling Merge Conflicts**: PRs with upstream base conflicts (status `DIRTY`) are now explicitly tagged with a `merge-conflict` label and safely bypassed.
- **Manual Overrides**: Added an `ignore` label. Developers can manually apply this tag via the GitHub UI to force the workflow to indefinitely bypass a specific PR and unlock the queue.
- **Improved Logging**: The pipeline lock check now prints the exact URL of the PR currently holding the lock, rather than just returning the active queue length, which drastically simplifies debugging.

### Developer Interventions

- **To retry a failed PR**: Remove the `failing` or `merge-conflict` label and comment `@dependabot rebase`. The workflow will pick it back up on the next run.
- **To skip a PR entirely**: Add the `ignore` label.
- **To bypass the 7-day wait**: Manually approve and merge the PR through the GitHub UI.
Note: Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.
### Summary

This PR refactors the Dependabot auto-merge pipeline to resolve critical queue-jamming bugs.

Previously, the `approve-and-merge-7-days` job on `master` implemented a 7-day wait period and a sequential active queue lock (`autoMergeRequest != null`), but it lacked any mechanism to handle persistent errors. If a Dependabot PR encountered failing tests or upstream merge conflicts, it would indefinitely block the entire active queue. This update overhauls the workflow to function as a resilient State Machine, aggressively identifying edge cases via the GitHub GraphQL API to automatically unlock the pipeline.

### What This Fixes

- `statusCheckRollup` natively. If a running test returns `FAILURE` or `ERROR`, the workflow automatically applies a `failing` label and ignores the branch moving forward, fully preventing broken updates from stalling the active queue indefinitely.
- `mergeStateStatus`. Operations identifying as `DIRTY` are immediately explicitly tagged as `merge-conflict` and dropped from the queue.
- `gh pr list --limit` parameter from `100` to `1000`. This prevents GitHub's native `createdAt` descending sort order from silently truncating the oldest target PRs when clearing massive backlogs.

### Structural Enhancements

- (`Fetch`, `Isolate Conflicted`, `Isolate Failing`, `Evaluate Queue Lock`, `Dispatch Target`). This offers instant visibility into the exact step of the state machine directly from the GitHub Actions UI.
- `$ALL_PRS_JSON` payload (`/tmp/dependabot_prs.json`), meaning the script isolates all 4 validation states using exactly 1 API call per 30 minutes.
- `ignore` label. Developers can now explicitly append an `ignore` tag via the GitHub UI at any time to forcefully drop any PR from the workflow's memory natively.

### Developer Interventions

- `failing` or `merge-conflict` label on the branch and comment `@dependabot rebase`. The active queue will sequentially process it again on the next run.
- `ignore` label.
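The state machine both descriptions above lay out (ignore label, then `DIRTY`, then `FAILURE`/`ERROR` checks, then the `autoMergeRequest` lock, then one dispatch target), written out in Python as an added example that is not the project's bash and `jq` workflow. The payload is constructed, and the assumption is that its field names mirror the JSON returned by `gh pr list --json number,url,labels,statusCheckRollup,mergeStateStatus,autoMergeRequest`.

```python
import json

# Constructed sample payload (not real PRs). Field names are assumed to match
# `gh pr list --json number,url,labels,statusCheckRollup,mergeStateStatus,autoMergeRequest`.
SAMPLE_PRS_JSON = json.dumps([
    {"number": 1, "url": "https://example.invalid/pull/1", "labels": [],
     "statusCheckRollup": [{"conclusion": "SUCCESS"}], "mergeStateStatus": "CLEAN",
     "autoMergeRequest": {"enabledAt": "2026-03-20T00:00:00Z"}},
    {"number": 2, "url": "https://example.invalid/pull/2", "labels": [],
     "statusCheckRollup": [{"conclusion": "SUCCESS"}, {"state": "ERROR"}],
     "mergeStateStatus": "BLOCKED", "autoMergeRequest": None},
    {"number": 3, "url": "https://example.invalid/pull/3", "labels": [],
     "statusCheckRollup": [{"conclusion": "SUCCESS"}], "mergeStateStatus": "DIRTY",
     "autoMergeRequest": None},
    {"number": 4, "url": "https://example.invalid/pull/4", "labels": [{"name": "ignore"}],
     "statusCheckRollup": [{"conclusion": "FAILURE"}], "mergeStateStatus": "BLOCKED",
     "autoMergeRequest": None},
    {"number": 5, "url": "https://example.invalid/pull/5", "labels": [],
     "statusCheckRollup": None, "mergeStateStatus": "CLEAN", "autoMergeRequest": None},
])

FAILED = {"FAILURE", "ERROR"}


def classify(pr):
    """Return the state the workflow assigns to one PR; evaluation order matters."""
    labels = {label["name"] for label in pr.get("labels") or []}
    if "ignore" in labels:                       # manual override: never touched again
        return "ignore"
    if labels & {"failing", "merge-conflict"}:   # already isolated on an earlier run
        return "isolated"
    if pr.get("mergeStateStatus") == "DIRTY":    # base conflict: label it, do not retry
        return "merge-conflict"
    # CheckRun entries carry `conclusion`; commit-status entries carry `state`.
    outcomes = {c.get("conclusion") or c.get("state") for c in pr.get("statusCheckRollup") or []}
    if outcomes & FAILED:                        # any red check isolates the PR
        return "failing"
    if pr.get("autoMergeRequest"):               # this PR holds the sequential queue lock
        return "locked"
    return "candidate"


def process_queue(prs_json):
    """One pass: per-PR states, URL of the lock holder (logged, not just a count),
    and the single PR to dispatch next, which is None while anything holds the lock."""
    prs = json.loads(prs_json)
    states = {pr["number"]: classify(pr) for pr in prs}
    lock_holder = next((pr["url"] for pr in prs if states[pr["number"]] == "locked"), None)
    candidates = [pr["number"] for pr in prs if states[pr["number"]] == "candidate"]
    next_target = None if lock_holder else (candidates[0] if candidates else None)
    return states, lock_holder, next_target
```

Because the `failing` and `merge-conflict` labels short-circuit the check, removing the label and rebasing is what re-admits a PR, exactly as the intervention steps describe.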