
Add Dependabot auto-merge workflows (ROSA-745)#391

Open
MitaliBhalla wants to merge 1 commit into
openshift:mainfrom
MitaliBhalla:chore/dependabot-auto-merge

Conversation

MitaliBhalla commented May 19, 2026

Summary

Dependabot auto-merge for routine updates (ROSA-745 / ROSAENG-751), aligned with openshift/backplane-cli (SREP-2438).

Changes

  • dependabot-auto-merge.yml: auto-merge patch/minor/digest after required CI; majors manual. Uses pull_request_target (no PR checkout), validated GraphQL/REST/comment responses.
  • branch-protection-check.yml: weekly verification of Dependabot config and workflows.

Notes

  • dependabot[bot] + openshift org only.
  • Requires ci/prow/* checks (DPP-20685).

Test plan

  • Required CI green
  • Review YAML

Made with Cursor

Summary by CodeRabbit

  • Chores
    • Added a new scheduled (and manually triggerable) repository configuration verification workflow to validate Dependabot and workflow settings.
    • Added an automated Dependabot handling workflow that fetches metadata, selectively enables auto-merge for safe updates (patch/minor/digest), and posts contextual comments for major-version updates or on failures.

coderabbitai Bot commented May 19, 2026

Walkthrough

Adds a scheduled/manual branch-protection check that validates Dependabot config files, and a Dependabot auto-merge workflow that enables auto-merge for safe updates or posts manual-review comments for major updates.

Changes

Dependabot Automation

Layer: Branch Protection Check Workflow
File(s): .github/workflows/branch-protection-check.yml
Summary: Validates on schedule or manual dispatch that .github/dependabot.yml and .github/workflows/dependabot-auto-merge.yml exist and conform to required YAML shapes and fields.

Layer: Auto-Merge Workflow Setup and Metadata
File(s): .github/workflows/dependabot-auto-merge.yml
Summary: Defines pull_request_target trigger, permission scope, execution guard for Dependabot PRs, and fetches Dependabot metadata for update type detection.

Layer: Auto-Merge Decision Logic
File(s): .github/workflows/dependabot-auto-merge.yml
Summary: For patch/minor/digest updates, enables auto-merge via GraphQL (SQUASH) and posts a structured comment on failure; for major updates, posts a manual-review comment. Final logging step reports decision.

Sequence Diagram

sequenceDiagram
  participant GitHub as GitHub (PR Event)
  participant Workflow as Auto-Merge Workflow
  participant Metadata as Dependabot Metadata
  participant REST as GitHub REST API
  participant GraphQL as GitHub GraphQL API
  
  GitHub->>Workflow: pull_request_target (Dependabot)
  Workflow->>Metadata: Fetch update type
  Metadata-->>Workflow: update type (patch/minor/digest/major)
  
  alt Patch/Minor/Digest Update
    Workflow->>REST: Get PR node_id
    REST-->>Workflow: node_id
    Workflow->>GraphQL: Enable autoMergeRequest (SQUASH)
    GraphQL-->>Workflow: Success or failure
    alt Enable Failed
      Workflow->>GitHub: Post comment with update details
    end
  else Major Version Update
    Workflow->>GitHub: Post comment requiring manual review
  end
  
  Workflow->>Workflow: Log auto-merge decision

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Ipv6 And Disconnected Network Test Compatibility ⚠️ Warning PR adds Ginkgo e2e tests with hardcoded IPv4 CIDRs (10.0.0.0/8, 172.16.0.0/12) in aws_integration_test.go and helpers_test.go, plus requires AWS external connectivity via SDK calls. Update tests to support IPv6: use correctCIDRFamily() or GetIPAddressFamily() to dynamically select IPv4/IPv6 CIDRs; add [Skipped:Disconnected] if AWS connectivity cannot be mocked; or use IPv4/IPv6-agnostic patterns.
✅ Passed checks (11 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: adding Dependabot auto-merge workflows. It is concise, specific, and directly reflects the core purpose of the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR adds only GitHub Actions workflow YAML files; no Ginkgo tests added. Repository uses standard Go testing framework, not Ginkgo. Check not applicable.
Test Structure And Quality ✅ Passed PR adds GitHub Actions workflows (YAML files), not Ginkgo test code. The custom check targets Go test file quality, which is not applicable here.
Microshift Test Compatibility ✅ Passed This PR adds only GitHub Actions workflow files (YAML), not e2e tests. The custom check only applies to new Ginkgo e2e tests, which are absent from this PR.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR adds GitHub Actions workflows (YAML files), not Ginkgo e2e tests. SNO compatibility check is inapplicable to workflow/infrastructure files.
Topology-Aware Scheduling Compatibility ✅ Passed PR adds only GitHub Actions workflow files for CI/CD automation, not Kubernetes manifests or operator code. No scheduling constraints or topology-dependent configurations are introduced.
Ote Binary Stdout Contract ✅ Passed PR adds test files and workflows with proper logging: main.go uses ctrl.SetLogger(zap), BeforeSuite uses log.SetLogger(GinkgoLogr), subprocess stdout to GinkgoWriter. No stdout violations found.


Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.


Comment @coderabbitai help to get the list of available commands and usage tips.

openshift-ci Bot requested review from AlexSmithGH and joshbranham on May 19, 2026 06:01

openshift-ci Bot (Contributor) commented May 19, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MitaliBhalla
Once this PR has been reviewed and has the lgtm label, please assign clcollins for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/branch-protection-check.yml:
- Around line 25-33: Replace the plain existence checks (the if [ -f
".github/dependabot.yml" ] and if [ -f
".github/workflows/dependabot-auto-merge.yml" ] branches and the grep -A 10
"package-ecosystem:" usage) with structural YAML validation: after confirming
the file exists, parse the YAML (using yq or a short python -c YAML load) and
assert required keys/values (for dependabot.yml ensure top-level fields like
version, updates/updates[].package-ecosystem, updates[].directory exist; for
dependabot-auto-merge workflow ensure on/jobs and the expected job names/steps
exist and that required trigger (e.g., pull_request or schedule) and
permissions/steps for automerge are present); if validation fails, print a clear
error and exit 1 so the job fails on malformed configs.

In @.github/workflows/dependabot-auto-merge.yml:
- Around line 4-5: The workflow currently triggers on pull_request_target with
types: [opened, synchronize, reopened, ready_for_review], causing the
major-update notice to be posted on every rerun; fix by either restricting the
trigger to only the initial open event (change types to [opened]) or keep the
current trigger set but add a dedupe check in the job that posts comments: in
the step that posts the Dependabot major-update comment, query existing PR
comments (using the same bot identity) and skip posting if a matching bot
comment already exists; look for the pull_request_target block and the step that
creates the comment to implement one of these fixes.
- Around line 87-105: The step currently prints "Auto-merge ENABLED" based
solely on the update-type even when the GraphQL mutation failed; instead capture
and persist the actual GraphQL mutation outcome (use the existing http_code and
/tmp/response.json produced by the curl call), set a boolean/variable (e.g.,
AUTO_MERGE_ENABLED) based on the graphql_auto_merge_ok "$http_code" check, and
use that variable to decide both the echo messages and the content passed to
post_issue_comment; also include or embed the actual /tmp/response.json (or a
parsed error message) in the log/posted comment so the real mutation result is
visible. Apply the same change to the other auto-merge block that currently
mirrors this behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c89cf215-2c55-4bc5-864e-066fbbf34e01

📥 Commits

Reviewing files that changed from the base of the PR and between 64a945f and c5f9d0e.

📒 Files selected for processing (2)
  • .github/workflows/branch-protection-check.yml
  • .github/workflows/dependabot-auto-merge.yml

MitaliBhalla force-pushed the chore/dependabot-auto-merge branch 2 times, most recently from 81b43eb to c982e8a on May 19, 2026 06:13
coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 125-134: The curl call that sets the existing variable must
validate the HTTP response before piping to jq: capture both the response body
and the HTTP status from the curl invocation used to fetch issue comments (the
block that defines existing via curl | jq), check the HTTP status is 200 (or in
2xx) before running jq on the body, and if not 200 log an error and exit or
retry; ensure you reference the same curl invocation and the existing variable
so you don't silently treat error responses as empty comment lists.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: fb9a35aa-fca0-4001-8698-dfb67ea20e17

📥 Commits

Reviewing files that changed from the base of the PR and between c5f9d0e and 81b43eb.

📒 Files selected for processing (2)
  • .github/workflows/branch-protection-check.yml
  • .github/workflows/dependabot-auto-merge.yml

MitaliBhalla force-pushed the chore/dependabot-auto-merge branch 3 times, most recently from 046984c to 839fe32 on May 19, 2026 06:18
- Auto-merge patch/minor/digest after CI; majors manual
- pull_request_target with validated API responses
- branch-protection-check for config/workflow presence

Co-authored-by: Cursor <cursoragent@cursor.com>
MitaliBhalla force-pushed the chore/dependabot-auto-merge branch from 839fe32 to cd860d1 on May 20, 2026 07:52

coderabbitai Bot left a comment

🧹 Nitpick comments (2)
.github/workflows/branch-protection-check.yml (2)

72-77: ⚡ Quick win

Consider validating explicit permissions in the auto-merge job.

When using pull_request_target, jobs inherit elevated write permissions by default. Security best practice is to explicitly declare required permissions following the principle of least privilege.

🔒 Suggested enhancement
 job = jobs["auto-merge"]
 if not isinstance(job, dict):
     fail("jobs.auto-merge must be a mapping")
+perms = job.get("permissions")
+if not isinstance(perms, dict):
+    fail("jobs.auto-merge must declare explicit permissions")
+required_perms = {"pull-requests", "contents"}
+if not required_perms.issubset(perms.keys()):
+    fail(f"jobs.auto-merge must declare permissions: {required_perms}")
 steps = job.get("steps")
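Review bot: `required_perms.issubset(perms.keys())` only proves the two scope names are present, so a job declaring `contents: write`, `pull-requests: write` and, say, `actions: write` or `id-token: write` still passes, which defeats the least-privilege purpose stated above. Compare the mapping against the exact expected scopes and levels and reject any extra key or any level other than the one the job needs, rather than checking membership. The `isinstance(perms, dict)` test does already reject `permissions: write-all`, which the YAML parser returns as a string, so that case is covered.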
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/branch-protection-check.yml around lines 72 - 77, The
auto-merge job validation currently only checks that jobs["auto-merge"] is a
mapping and has steps; add a check that the job defines an explicit
"permissions" mapping and validate it is a dict (e.g., perms =
job.get("permissions")) and fail if missing or not a mapping; additionally
assert that it does not grant broad elevated write access (e.g., reject
wildcards or top-level "write" unless intentionally required) so the auto-merge
job follows least-privilege. Use the existing job/jobs["auto-merge"]/steps
symbols to locate where to insert this permission validation.

78-84: ⚡ Quick win

Validate that the fetch-metadata action is pinned to a specific version.

The validation checks for the presence of dependabot/fetch-metadata but doesn't verify it's pinned to a specific version or commit SHA. Using unpinned or loosely pinned action versions (e.g., @v1) is a supply chain security risk.

🔒 Suggested enhancement
 uses = [
     s.get("uses", "")
     for s in steps
     if isinstance(s, dict)
 ]
-if not any("dependabot/fetch-metadata" in u for u in uses):
-    fail("jobs.auto-merge must include dependabot/fetch-metadata")
+fetch_meta_uses = [u for u in uses if "dependabot/fetch-metadata" in u]
+if not fetch_meta_uses:
+    fail("jobs.auto-merge must include dependabot/fetch-metadata")
+# Verify it's pinned to a version or SHA (not just `@v1`, `@v2`, etc.)
+for u in fetch_meta_uses:
+    if "@" not in u:
+        fail(f"dependabot/fetch-metadata must be pinned: {u}")
+    # Check for specific version (vX.Y.Z) or SHA (40-char hex)
+    ref = u.split("@", 1)[1]
+    import re
+    if not (re.match(r"v\d+\.\d+\.\d+", ref) or re.match(r"[0-9a-f]{40}", ref)):
+        fail(f"dependabot/fetch-metadata should be pinned to vX.Y.Z or SHA, not: {ref}")
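Review bot: both patterns use `re.match`, which anchors only at the start, so `v1.2.3-anything` and a 41-character hex string pass; use `re.fullmatch`. More to the point of the supply-chain concern raised above, a full `vX.Y.Z` tag is still a mutable git ref that the action maintainer, or whoever controls that account, can retarget, so only the 40-hex commit SHA is an immutable pin; accept that form alone and keep the version as a trailing `# vX.Y.Z` comment for readability. Also hoist `import re` out of the loop to the top of the script.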
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/branch-protection-check.yml around lines 78 - 84, The
current check only looks for "dependabot/fetch-metadata" in uses entries; update
the validation to require a pinned reference by checking that any uses string
contains "dependabot/fetch-metadata@" and that the suffix after '@' is a
specific pin (not a bare major tag like "v1" or empty). Modify the logic that
builds/inspects uses (the uses list and the final conditional) so it only passes
when a uses entry matches "dependabot/fetch-metadata@" followed by a commit SHA
or a full version (e.g., semver with major.minor.patch) rather than an unpinned
or loosely pinned ref. Ensure you still treat uses items that are dicts and
extract s.get("uses", "") as before.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/branch-protection-check.yml:
- Around line 72-77: The auto-merge job validation currently only checks that
jobs["auto-merge"] is a mapping and has steps; add a check that the job defines
an explicit "permissions" mapping and validate it is a dict (e.g., perms =
job.get("permissions")) and fail if missing or not a mapping; additionally
assert that it does not grant broad elevated write access (e.g., reject
wildcards or top-level "write" unless intentionally required) so the auto-merge
job follows least-privilege. Use the existing job/jobs["auto-merge"]/steps
symbols to locate where to insert this permission validation.
- Around line 78-84: The current check only looks for
"dependabot/fetch-metadata" in uses entries; update the validation to require a
pinned reference by checking that any uses string contains
"dependabot/fetch-metadata@" and that the suffix after '@' is a specific pin
(not a bare major tag like "v1" or empty). Modify the logic that builds/inspects
uses (the uses list and the final conditional) so it only passes when a uses
entry matches "dependabot/fetch-metadata@" followed by a commit SHA or a full
version (e.g., semver with major.minor.patch) rather than an unpinned or loosely
pinned ref. Ensure you still treat uses items that are dicts and extract
s.get("uses", "") as before.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0e36402e-cf20-4695-88dd-471bf1cc5d33

📥 Commits

Reviewing files that changed from the base of the PR and between 81b43eb and cd860d1.

📒 Files selected for processing (2)
  • .github/workflows/branch-protection-check.yml
  • .github/workflows/dependabot-auto-merge.yml

openshift-ci Bot (Contributor) commented May 20, 2026

@MitaliBhalla: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

MitaliBhalla (Author) commented May 25, 2026

On hold — pausing this per-repo workflow rollout while we switch to the boilerplate / MintMaker (Renovate) path for ROSA-745. Please do not merge; we will close or reopen after the platform PR lands.
