
Add Dependabot auto-merge workflows (ROSA-745)#615

Open
MitaliBhalla wants to merge 1 commit into openshift:master from MitaliBhalla:chore/dependabot-auto-merge

Conversation


@MitaliBhalla MitaliBhalla commented May 19, 2026

Summary

Enables Dependabot auto-merge for routine dependency updates (ROSA-745 / ROSAENG-755 / ROSAENG-751), aligned with the openshift/backplane-cli pilot (SREP-2438).

Changes

  • dependabot-auto-merge.yml: enables auto-merge for patch, minor, and digest Dependabot PRs after required CI passes; major updates remain manual. Uses pull_request_target (no checkout of PR head) with GraphQL and comment API response validation.
  • branch-protection-check.yml: weekly workflow to verify Dependabot config and auto-merge workflow are present.

Notes

  • Restricted to dependabot[bot] and the openshift org.
  • Relies on existing ci/prow/* required checks (DPP-20685).

Test plan

  • Required CI checks pass on this PR
  • Review workflow YAML

Made with Cursor

Summary by CodeRabbit

  • Chores
    • Added an automated branch-protection validation workflow that runs on a weekly schedule and can be triggered manually to verify required Dependabot and auto-merge workflow configuration; it fails if required workflow files are missing and reports status.
    • Added an automated Dependabot handling workflow that attempts to auto-merge patch/minor/digest updates when criteria are met, posts summaries or warnings on failures, and requires manual review for major updates.

@openshift-ci openshift-ci Bot requested review from bmeng and chamalabey May 19, 2026 05:23

coderabbitai Bot commented May 19, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds a weekly/manual branch-protection verification workflow and a Dependabot-targeted auto-merge workflow that enables squash auto-merge for patch/minor/digest updates via GraphQL and posts REST comment fallbacks (major updates block).

Changes

Dependency Management Automation via GitHub Actions

| Layer | File(s) | Summary |
|---|---|---|
| Branch Protection Verification Setup | .github/workflows/branch-protection-check.yml | Workflow runs weekly and on manual dispatch; sets contents: read permission; verifies .github/dependabot.yml and required workflow files, failing if missing and printing summaries. |
| Dependabot workflow definition & gating | .github/workflows/dependabot-auto-merge.yml | Defines Dependabot Auto-Merge on pull_request_target, restricts runs to dependabot[bot] and openshift owner, sets explicit token permissions, and fetches Dependabot PR metadata and helper scripts. |
| Auto-merge decision and GraphQL/REST interactions | .github/workflows/dependabot-auto-merge.yml | For patch/minor/digest updates: fetches PR node_id, calls GraphQL enablePullRequestAutoMerge with mergeMethod: SQUASH, logs on failure and posts a fallback PR comment. For semver-major: posts a "Major Version Update Detected" comment and fails the step on non-2xx response. Final decision summary is logged. |

Sequence Diagram(s)

sequenceDiagram
  participant DependabotPR as Dependabot PR
  participant Actions as GitHub Actions (auto-merge job)
  participant REST as GitHub REST API
  participant GraphQL as GitHub GraphQL API

  DependabotPR->>Actions: trigger auto-merge job (pull_request_target)
  Actions->>REST: GET PR to obtain node_id
  REST-->>Actions: returns node_id
  Actions->>GraphQL: enablePullRequestAutoMerge(node_id, mergeMethod: SQUASH)
  GraphQL-->>Actions: success / error
  alt GraphQL failure
    Actions->>REST: POST warning comment to PR (includes update type, dependency, versions)
    REST-->>Actions: comment response
  else semver-major
    Actions->>REST: POST "Major Version Update Detected" comment (step fails on non-2xx)
    REST-->>Actions: comment response
  end
  Actions->>Actions: log decision summary (enabled / disabled)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks: 12 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Add Dependabot auto-merge workflows (ROSA-745)' directly and clearly summarizes the main change: adding two new GitHub Actions workflows for Dependabot auto-merge functionality. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | Not applicable. PR adds GitHub Actions workflows (YAML), not Ginkgo test files. Check validates Ginkgo test names in Go code only. |
| Test Structure And Quality | ✅ Passed | This check evaluates Ginkgo test code quality. The PR adds only GitHub Actions workflow YAML files, not Ginkgo tests. The check is not applicable. |
| Microshift Test Compatibility | ✅ Passed | PR adds only GitHub Actions workflow YAML files, not Ginkgo e2e tests. Custom check applies only to Ginkgo tests (It, Describe, Context, When). No tests present, so check not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No Ginkgo e2e tests added. PR contains only GitHub Actions workflow YAML files, not test code. Check only applies to Ginkgo tests (It(), Describe(), etc.). |
| Topology-Aware Scheduling Compatibility | ✅ Passed | This PR adds only GitHub Actions workflow files (.github/workflows/*.yml), not Kubernetes manifests, operator code, or controllers. No scheduling constraints are introduced. |
| Ote Binary Stdout Contract | ✅ Passed | OTE Binary Stdout Contract check is inapplicable. PR contains only GitHub Actions YAML workflow files (.github/workflows/), not executable test code or OTE binary implementations. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | Not applicable. PR adds GitHub Actions workflow files (.github/workflows/*.yml), not Ginkgo e2e tests. Check targets Ginkgo test patterns which are absent. |


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 25-29: The "Check PR Labels" step (id: check-labels) currently
hardcodes the output has-required-labels=true which bypasses the label gating
used later; change this step to compute has-required-labels from the actual PR
labels (e.g., inspect github.event.pull_request.labels or use the GitHub CLI /
actions/github-script) and set the output to true only if the required labels
are present, so downstream checks that reference has-required-labels (the later
steps that gate auto-merge) behave correctly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c6de5b8f-2b31-4b07-9131-5b80a1fdcc0f

📥 Commits

Reviewing files that changed from the base of the PR and between 3c47bf4 and 08ee809.

📒 Files selected for processing (2)
  • .github/workflows/branch-protection-check.yml
  • .github/workflows/dependabot-auto-merge.yml

@MitaliBhalla MitaliBhalla force-pushed the chore/dependabot-auto-merge branch from 0abc355 to 3fe33b1 on May 19, 2026 05:35
@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 62-71: The curl call that sets PR_NODE_ID should also capture the
HTTP status and response body so we can detect 4xx/5xx errors and log them
instead of silently letting jq produce "null"; modify the curl invocation that
populates PR_NODE_ID to write the HTTP status (e.g., via --write-out
%{http_code}) and capture both the body and status into variables, then check
the status before running jq, and if it's not 200 log the HTTP status and body
(including GH_TOKEN redaction if needed) and exit non-zero; ensure the existing
PR_NODE_ID check remains but is only reached after a successful HTTP-status
check.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3bf5596c-12e8-48c0-ae95-afa93ea8f4d6

📥 Commits

Reviewing files that changed from the base of the PR and between 08ee809 and 0abc355.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-auto-merge.yml
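As an added illustration of two points raised in this thread, the actor/owner and update-type gating the PR summary describes and the HTTP-status check CodeRabbit asks for in the review above, here is a small shell script that is not part of the PR's workflow: the function names are invented, the actor and repository owner are passed as arguments rather than read from the GitHub Actions context, and the update-type strings follow Dependabot's metadata values.

```shell
# Added illustration, not the PR's workflow code: function names are invented;
# update-type strings use Dependabot's metadata values (version-update:semver-*, digest).
set -eu

# The workflow is restricted to runs where the actor is dependabot[bot] and the
# repository owner is openshift (in the workflow these come from the GitHub context;
# here they are passed in as arguments).
is_trusted_context() {
  [ "$1" = "dependabot[bot]" ] && [ "$2" = "openshift" ]
}

# Map a Dependabot update type to the decision the PR description states:
#   enable  -> patch, minor and digest updates get squash auto-merge after CI
#   manual  -> major updates get the "Major Version Update Detected" comment instead
#   unknown -> anything else is left alone rather than merged
decide_merge() {
  case "$1" in
    version-update:semver-patch|version-update:semver-minor|digest) echo enable ;;
    version-update:semver-major) echo manual ;;
    *) echo unknown ;;
  esac
}

# Split a response captured with `curl --write-out '\n%{http_code}'` into body and
# status, and refuse to hand the body to jq unless the status is 200, so a 4xx/5xx
# cannot turn into a silent "null" node_id (the point of the review comment above).
check_api_response() {
  raw="$1"
  nl=$(printf '\n.'); nl="${nl%.}"
  status="${raw##*$nl}"
  body="${raw%$nl*}"
  if [ "$status" != "200" ]; then
    echo "GitHub API call failed with HTTP $status: $body" >&2
    return 1
  fi
  printf '%s' "$body"
}

# Combined gate for one PR: untrusted context -> skip, else the update-type decision.
auto_merge_decision() {
  is_trusted_context "$1" "$2" || { echo skip; return 0; }
  decide_merge "$3"
}

# Constructed samples: a successful node_id lookup, and a 404 body that is rejected.
auto_merge_decision 'dependabot[bot]' openshift version-update:semver-minor
check_api_response "$(printf '{"node_id":"PR_constructed"}\n200')" && echo
check_api_response "$(printf '{"message":"Not Found"}\n404')" || echo "rejected as expected"
```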

@MitaliBhalla MitaliBhalla force-pushed the chore/dependabot-auto-merge branch 7 times, most recently from 6d42e1c to cb8516f on May 19, 2026 06:18
@devppratik devppratik (Contributor) commented

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 19, 2026

openshift-ci Bot commented May 19, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: devppratik, MitaliBhalla
Once this PR has been reviewed and has the lgtm label, please assign theautoroboto for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

- dependabot-auto-merge: auto-merge patch/minor/digest after CI; majors manual
- pull_request_target without PR checkout; GraphQL and comment API validation
- branch-protection-check: weekly dependabot config/workflow verification

Co-authored-by: Cursor <cursoragent@cursor.com>
@MitaliBhalla MitaliBhalla force-pushed the chore/dependabot-auto-merge branch from cb8516f to 955c7af on May 20, 2026 07:52
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label May 20, 2026

openshift-ci Bot commented May 20, 2026

New changes are detected. LGTM label has been removed.


openshift-ci Bot commented May 20, 2026

@MitaliBhalla: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
