From fb50bf389e12df8f19006fc89974e7b856dc021f Mon Sep 17 00:00:00 2001 From: Albert Mavashev Date: Sun, 19 Apr 2026 12:42:07 -0400 Subject: [PATCH] chore(ci): auto-merge Dependabot patch-level bumps MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a workflow that auto-merges Dependabot PRs classified as `version-update:semver-patch`. Minor and major updates still require human review — those are the ones that realistically carry breaking-change risk (Spring 4.x, Jedis 7.x, etc.). Merge is gated by `--auto`, which waits for the repo's required status checks (CI + CodeQL) to pass before completing. Without the branch protection recently added on main, this wouldn't be safe — a failing patch bump would merge immediately. Reduces the weekly Dependabot manual-merge grind without opening a hole for anything higher-risk than a point release. --- .github/workflows/dependabot-auto-merge.yml | 23 +++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/workflows/dependabot-auto-merge.yml diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml new file mode 100644 index 0000000..0ffd45a --- /dev/null +++ b/.github/workflows/dependabot-auto-merge.yml @@ -0,0 +1,23 @@ +name: Dependabot auto-merge + +on: pull_request + +permissions: + contents: write + pull-requests: write + +jobs: + automerge: + runs-on: ubuntu-latest + if: github.event.pull_request.user.login == 'dependabot[bot]' + steps: + - name: Fetch Dependabot metadata + id: meta + uses: dependabot/fetch-metadata@v2 + + - name: Enable auto-merge for patch updates + if: steps.meta.outputs.update-type == 'version-update:semver-patch' + run: gh pr merge --auto --merge "$PR_URL" + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}