Add auto-dependabot workflow #122
This workflow uses the new GitHub App for getting the credentials.

Signed-off-by: Leandro Lucarella <luca-frequenz@llucax.com>

This is a test for frequenz-floss/frequenz-repo-config-python#508.
Pull request overview
Adds a GitHub Actions workflow intended to automatically approve and merge Dependabot pull requests using a GitHub App token.
Changes:
- Introduce .github/workflows/auto-dependabot.yaml workflow to generate a GitHub App installation token.
- Use frequenz-floss/dependabot-auto-approve to auto-approve and auto-merge Dependabot PRs and apply a label.
| name: Auto-merge Dependabot PR | ||
|
|
||
| on: | ||
| pull_request: |
This workflow is triggered on pull_request, but Dependabot-triggered workflows do not receive repository secrets. As a result, secrets.FREQUENZ_AUTO_DEPENDABOT_APP_* will be unavailable and the GitHub App token generation step will fail. Use pull_request_target (and keep the workflow from checking out/running PR code) so secrets are accessible in the base repo context, similar to .github/workflows/labeler.yml.
| pull_request: | |
| pull_request_target: | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened |
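Review bot: The suggested pull_request_target trigger (types opened, synchronize, reopened) fires for every pull request, not only Dependabot's, and the lines shown carry no condition on the PR author. Since this trigger is chosen so that secrets are available, gate the job with a condition such as `if: github.event.pull_request.user.login == 'dependabot[bot]'` unless the action used already enforces that, and keep the workflow free of any checkout of PR code.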
This is actually a fair point, and I think we need to use pull_request_target in here as suggested. This workflow is not checking-out code, so it should be safe to use pull_request_target as we do in the labeler workflow as copilot suggests. I will submit a fix.
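A heuristic check for the condition this thread relies on (pull_request_target is acceptable only while the workflow never checks out PR code), written as an added example that is not part of this PR or of the frequenz-floss projects. The sample workflows, the finding codes, the `example-org/example-approve-action` name, and the choice of an author guard on `github.event.pull_request.user.login` are assumptions made for illustration.

```python
import re

# Constructed sample workflows for illustration (not the PR's actual file).
GUARDED = """\
on:
  pull_request_target:
    types: [opened, synchronize, reopened]
jobs:
  auto-merge:
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/example-approve-action@v1  # hypothetical action
"""
RISKY = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
"""

TRIGGER = re.compile(r"\bpull_request_target\b")
CHECKOUT = re.compile(r"uses:\s*actions/checkout@")
PR_REF = re.compile(r"ref:.*(github\.event\.pull_request\.head|github\.head_ref|refs/pull/)")
GUARD = re.compile(r"^\s*if:.*dependabot\[bot\]")


def audit(workflow_text):
    """Heuristic line scan; returns sorted finding codes for one workflow."""
    # Drop YAML comments so commented-out lines do not count (naive split).
    lines = [ln.split(" #")[0] for ln in workflow_text.splitlines()
             if not ln.lstrip().startswith("#")]
    if not any(TRIGGER.search(ln) for ln in lines):
        return []  # not the privileged trigger; nothing to flag here
    findings = []
    # Privileged trigger + checkout of the PR head = PR code runs with secrets.
    if any(CHECKOUT.search(ln) for ln in lines) and any(PR_REF.search(ln) for ln in lines):
        findings.append("checks-out-pr-head")
    # No `if:` condition that mentions dependabot[bot] anywhere in the file.
    if not any(GUARD.search(ln) for ln in lines):
        findings.append("no-dependabot-guard")
    return sorted(findings)
```

This is a line-based scan, not a YAML parser, so it is suited to flagging files for manual review rather than proving a workflow safe.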
Marenz
left a comment
Would the real ubuntu-slim, please stand up, please stand up