
name: Dependabot Auto-Merge and Release
# =============================================================================
# Dependabot Auto-Merge Pipeline - The "Automation Enabler"
# =============================================================================
#
# 🎯 PURPOSE FOR LLMs:
# This workflow enables complete automation by auto-merging Dependabot PRs
# after validation and triggering automatic releases for dependency updates.
#
# 🧠 ARCHITECTURE OVERVIEW FOR AI ASSISTANTS:
# 1. [PHASE 1]: PR Validation - Validates Dependabot PRs meet auto-merge criteria
# 2. [PHASE 2]: CI Status Check - Ensures all required checks pass
# 3. [PHASE 3]: Auto-Merge Execution - Automatically merges approved dependency PRs
# 4. [PHASE 4]: Release Trigger - Triggers automated release after merge
# 5. [PHASE 5]: Notification - Notifies about successful automation
# 6. [PHASE 6]: Error Handling - Handles failures and provides manual fallback
#
# 🔧 HOW IT CONNECTS TO QUBINODE KVMHOST SETUP COLLECTION:
# - Enables: Complete dependency update automation without manual intervention
# - Validates: Dependency updates don't break existing functionality
# - Triggers: Automatic releases when dependencies are updated
# - Maintains: Project security and stability through automated updates
# - Implements: ADR-0009 and ADR-0014 automation strategies
# - Provides: Fallback to manual processes when automation fails
#
# 🔐 TRUST BOUNDARY:
# - The pull_request_target and workflow_run triggers run this workflow with
#   the write-capable GITHUB_TOKEN declared under `permissions`, in the
#   context of the base branch. The checkout step deliberately passes no
#   `ref:`, so no PR-supplied code is executed by this workflow; keep it that
#   way if the job is extended.
# - The job-level `github.actor == 'dependabot[bot]'` filter and the
#   `dependencies` label check are the gates in front of auto-merge;
#   `gh pr merge --auto` then defers the actual merge to the repository's
#   merge requirements rather than merging immediately.
# Triggers: Dependabot PR lifecycle events, plus completion of check suites
# and of the "CI/CD Pipeline" workflow, so a PR can be re-evaluated once its
# checks have finished.
on:
  pull_request_target:
    types:
      - opened
      - synchronize
      - reopened
  check_suite:
    types:
      - completed
  workflow_run:
    workflows:
      - "CI/CD Pipeline"
    types:
      - completed

# GITHUB_TOKEN scope for every job: write access is what the `gh pr merge`
# and `gh pr comment` calls below need; check status is only ever read.
permissions:
  contents: write
  pull-requests: write
  checks: read
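jobs:
  auto-merge-dependabot:
    runs-on: ubuntu-latest
    # Only runs triggered by Dependabot reach this job. It executes with the
    # write-capable token declared under `permissions`, so this filter is the
    # first gate in front of auto-merge.
    if: github.actor == 'dependabot[bot]'
    steps:
      # Under pull_request_target, actions/checkout defaults to the base ref,
      # so no PR-supplied code runs in this job. None of the steps below read
      # the working tree (they only call gh/jq); do not add a `ref:` pointing
      # at the PR head here.
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Check PR details
        id: pr-check
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # Outputs: pr_number (absent when no PR was found),
        #          eligible ("true" / "false").
        run: |
          echo "🔍 Analyzing Dependabot PR for auto-merge eligibility..."

          # Get PR number from event
          if [ "${{ github.event_name }}" = "pull_request_target" ]; then
            PR_NUMBER="${{ github.event.pull_request.number }}"
          else
            # workflow_run / check_suite payloads carry no PR number; fall back
            # to the most recently updated open Dependabot PR.
            # NOTE(review): with several Dependabot PRs open this may pick a
            # different PR than the one whose CI just finished — confirm before
            # relying on these event types for merging.
            PR_NUMBER=$(gh pr list --author "app/dependabot" --state open --limit 1 --json number --jq '.[0].number')
          fi

          if [ -z "$PR_NUMBER" ] || [ "$PR_NUMBER" = "null" ]; then
            echo "No Dependabot PR found"
            echo "eligible=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          echo "pr_number=$PR_NUMBER" >> "$GITHUB_OUTPUT"

          # Get PR details
          PR_DETAILS=$(gh pr view "$PR_NUMBER" --json title,labels,mergeable,state,author)
          PR_TITLE=$(echo "$PR_DETAILS" | jq -r '.title')
          PR_LABELS=$(echo "$PR_DETAILS" | jq -r '.labels[].name' | tr '\n' ' ')
          PR_MERGEABLE=$(echo "$PR_DETAILS" | jq -r '.mergeable')
          PR_STATE=$(echo "$PR_DETAILS" | jq -r '.state')
          PR_AUTHOR=$(echo "$PR_DETAILS" | jq -r '.author.login')

          echo "PR #$PR_NUMBER: $PR_TITLE"
          echo "Author: $PR_AUTHOR"
          echo "Labels: $PR_LABELS"
          echo "Mergeable: $PR_MERGEABLE"
          echo "State: $PR_STATE"

          # Check if PR is eligible for auto-merge
          ELIGIBLE="false"
          if [ "$PR_AUTHOR" != "app/dependabot" ]; then
            # Defence in depth: the job-level actor filter does not by itself
            # prove the PR was opened by Dependabot. gh reports bot authors in
            # the app/<name> form, the same form the --author filter above uses;
            # a mismatch fails closed (no merge).
            echo "⛔ PR author is '$PR_AUTHOR', not Dependabot - not eligible"
          elif [ "$PR_STATE" = "OPEN" ] && [ "$PR_MERGEABLE" = "MERGEABLE" ]; then
            # Check for dependency labels
            if echo "$PR_LABELS" | grep -q "dependencies"; then
              ELIGIBLE="true"
              echo "✅ PR eligible for auto-merge (dependency update)"
            fi
          fi
          echo "eligible=$ELIGIBLE" >> "$GITHUB_OUTPUT"

      - name: Wait for CI completion
        # The id is required: the two steps below read steps.wait-ci.outputs.*
        id: wait-ci
        if: steps.pr-check.outputs.eligible == 'true'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # This job is itself a check on the PR; it is excluded by workflow
          # name so it cannot hold itself "pending" until the timeout.
          SELF_WORKFLOW: ${{ github.workflow }}
        # Outputs: checks_passed ("true" / "false"; also "false" on timeout),
        #          failed_checks (comma-separated check names, may be empty).
        run: |
          echo "⏳ Waiting for CI checks to complete..."
          PR_NUMBER="${{ steps.pr-check.outputs.pr_number }}"
          CHECKS_PASSED=""
          FAILED_NAMES=""

          # Wait up to 20 minutes (40 x 30 s) for checks to complete
          for i in {1..40}; do
            echo "Check attempt $i/40..."
            # `gh pr checks --json` reports each check's `bucket` as one of
            # pass / fail / pending / skipping / cancel. The command may exit
            # non-zero while checks are pending or failing; that is expected
            # inside this loop, so its status is not treated as an error.
            RAW=$(gh pr checks "$PR_NUMBER" --json name,workflow,bucket) || true
            if [ -z "$RAW" ]; then
              # Fail closed: an unreadable status is "not finished", never "passed".
              echo "⚠️ Could not read check status, retrying..."
              sleep 30
              continue
            fi
            CHECKS=$(echo "$RAW" | jq --arg self "$SELF_WORKFLOW" '[.[] | select(.workflow != $self)]')
            PENDING_CHECKS=$(echo "$CHECKS" | jq '[.[] | select(.bucket == "pending")] | length')
            echo "Pending checks: $PENDING_CHECKS"

            if [ "$PENDING_CHECKS" -eq 0 ]; then
              echo "✅ All checks completed"
              # Failed or cancelled checks block the merge; checks gh puts in
              # the "skipping" bucket do not.
              FAILED_NAMES=$(echo "$CHECKS" | jq -r '[.[] | select(.bucket == "fail" or .bucket == "cancel") | .name] | join(", ")')
              if [ -z "$FAILED_NAMES" ]; then
                echo "✅ All checks passed"
                CHECKS_PASSED="true"
              else
                echo "❌ Some checks failed: $FAILED_NAMES"
                CHECKS_PASSED="false"
              fi
              break
            fi
            sleep 30
          done

          if [ -z "$CHECKS_PASSED" ]; then
            # Timed out: report a failure instead of leaving the output unset,
            # so the follow-up steps still run and the PR gets a comment.
            echo "::warning::Timed out waiting for CI checks on PR #$PR_NUMBER"
            CHECKS_PASSED="false"
          fi
          echo "checks_passed=$CHECKS_PASSED" >> "$GITHUB_OUTPUT"
          echo "failed_checks=$FAILED_NAMES" >> "$GITHUB_OUTPUT"

      - name: Auto-merge Dependabot PR
        if: steps.pr-check.outputs.eligible == 'true' && steps.wait-ci.outputs.checks_passed == 'true'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "🤖 Auto-merging Dependabot PR..."
          PR_NUMBER="${{ steps.pr-check.outputs.pr_number }}"
          # Enable auto-merge: --auto defers the merge to the repository's
          # merge requirements rather than merging right now.
          gh pr merge "$PR_NUMBER" --auto --squash --delete-branch
          echo "✅ Dependabot PR #$PR_NUMBER auto-merge enabled"
          echo "🚀 Will trigger automated release after merge"

      - name: Handle failed checks
        if: steps.pr-check.outputs.eligible == 'true' && steps.wait-ci.outputs.checks_passed == 'false'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed through the environment rather than expanded with ${{ }}
          # inside the script, so a check name containing shell syntax is
          # never interpreted by the shell.
          FAILED_CHECKS: ${{ steps.wait-ci.outputs.failed_checks }}
        run: |
          echo "❌ CI checks failed - manual intervention required"
          PR_NUMBER="${{ steps.pr-check.outputs.pr_number }}"
          if [ -n "$FAILED_CHECKS" ]; then
            DETAIL="Failing checks: $FAILED_CHECKS"
          else
            DETAIL="No check reported a failure; the wait for CI completion timed out."
          fi
          # Add comment to PR explaining the failure
          gh pr comment "$PR_NUMBER" --body "🤖 **Auto-merge blocked due to failing CI checks**
          This Dependabot PR cannot be auto-merged because some CI checks are failing.
          $DETAIL
          Please review the failing checks and either:
          1. Fix the underlying issues causing CI failures
          2. Manually merge after reviewing the changes
          3. Close this PR if the update is not needed
          **Failing checks can be viewed in the PR checks tab.**
          The automated release system will trigger once this PR is merged."
          echo "📝 Added comment to PR explaining auto-merge failure"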