Add auto-approve and auto-merge for Dependabot PRs #211
Conversation
Signed-off-by: Mathias L. Baumann <mathias.baumann@frequenz.com>
Pull Request Overview
This PR introduces an automated workflow for managing Dependabot pull requests. The workflow automatically approves, merges, and labels Dependabot PRs to streamline dependency updates.
Key changes:
- Adds a GitHub Actions workflow that triggers on all pull requests
- Configures automatic approval and merging for all Dependabot dependency updates
- Sets up appropriate permissions for the workflow to modify content and pull requests
| runs-on: ubuntu-latest | ||
| if: github.actor == 'dependabot[bot]' | ||
| steps: | ||
| - uses: frequenz-floss/dependabot-auto-approve@v1 |
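Review bot: the job condition `if: github.actor == 'dependabot[bot]'` keys on whoever triggered the workflow run rather than on who opened the pull request, and this job both approves and merges. `github.event.pull_request.user.login == 'dependabot[bot]'` is the condition GitHub's own Dependabot automation guidance uses for exactly this case; also consider restricting the auto-merge to a subset of update types (the `update-type` output of `dependabot/fetch-metadata`, e.g. excluding major versions) instead of merging every Dependabot update as the overview describes.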
Copilot AI, Oct 30, 2025
Using a floating version tag (@v1) for a GitHub Action poses security risks. Pin to a specific commit SHA to ensure the workflow uses a known, immutable version. This prevents potential supply chain attacks if the action's v1 tag is moved to malicious code.
| - uses: frequenz-floss/dependabot-auto-approve@v1 | |
| - uses: frequenz-floss/dependabot-auto-approve@c2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2e2 |
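Review bot: the SHA in the suggested replacement (`c2e2e2…`, a repeating pattern) is a placeholder, not a real commit of frequenz-floss/dependabot-auto-approve; before applying, resolve the commit the `v1` tag currently points to and keep the tag as a trailing comment (`@<sha> # v1`) so that Dependabot's github-actions updater can move the pin forward, which also addresses the concern about staying on the latest major version.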
The source repo is under our control, so this adds convenience in staying major-version up-to-date
I agree, no sense pinning it down further unless we see actual issues from now on.
I disagree, I think pinning is a good practice no matter what, our own repo could also get somehow compromised, and speaking of the devil, dependabot will be there to keep us up to date.
haha, the last argument is a pretty good one in that respect
Uses our own fork.
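A small lint for the pinning practice argued over in the thread above, added here as an example; it is not part of this PR or of the frequenz-floss project. It scans a workflow for `uses:` references that are not full commit SHAs, and also flags SHA pins that lack the trailing version comment Dependabot relies on to keep pins updated. The sample workflow and its all-`a` SHAs are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# `uses:` step reference: owner/repo[/path]@ref, optionally followed by a `# comment`.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    reason: str


def audit_action_refs(workflow_text: str) -> List[Finding]:
    """Return one Finding per `uses:` line that is mutable (tag/branch ref) or that
    is SHA-pinned without the `# vX` comment Dependabot uses to track the version."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(raw)
        if not match:
            continue
        action, ref, comment = match.group("action"), match.group("ref"), match.group("comment")
        if action.startswith("docker://"):
            continue  # container images are pinned by digest, a separate check
        if not FULL_SHA_RE.match(ref):
            findings.append(Finding(lineno, action, ref, "floating ref (tag or branch), mutable"))
        elif not comment or not re.match(r"v?\d", comment.strip()):
            findings.append(Finding(lineno, action, ref, "SHA pinned but missing version comment"))
    return findings


# Constructed sample: the PR's floating @v1 line plus two placeholder SHA pins.
PLACEHOLDER_SHA = "a" * 40
SAMPLE_WORKFLOW = f"""name: Dependabot auto-approve
on: pull_request
jobs:
  auto:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: frequenz-floss/dependabot-auto-approve@v1
      - uses: actions/checkout@{PLACEHOLDER_SHA} # v4
      - uses: actions/setup-python@{PLACEHOLDER_SHA}
"""

if __name__ == "__main__":
    for f in audit_action_refs(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref}: {f.reason}")
```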