fix(ci): restore Dependabot auto-merge on master #889

Status: Open. TimeToBuildBob wants to merge 3 commits into ActivityWatch:master from TimeToBuildBob:bob/fix-dependabot-automerge-pat.

Conversation

@TimeToBuildBob (Contributor)

Summary

  • replace the stale AWBOT_GH_TOKEN + ridedott/merge-me-action path in dependabot-automerge.yml
  • enable native GitHub auto-merge for the triggering Dependabot PR after a successful Build workflow run
  • keep the workflow guarded to open Dependabot pull requests only, using squash merge like before

Why

Dependabot Auto-merge is currently failing on master with Bad credentials because the PAT-backed action path is dead. The PR checks are already green (for example #888), but auto-merge never gets enabled.

Replace the stale PAT-based merge-me action with native GitHub auto-merge enablement on successful Dependabot PR builds.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@codecov Bot commented Jul 1, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 35.59%. Comparing base (e83db8e) to head (b9fa436).
⚠️ Report is 1 commit behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #889   +/-   ##
=======================================
  Coverage   35.59%   35.59%           
=======================================
  Files          36       36           
  Lines        2152     2152           
  Branches      422      417    -5     
=======================================
  Hits          766      766           
+ Misses       1365     1307   -58     
- Partials       21       79   +58     

@greptile-apps Bot commented Jul 1, 2026 (Contributor)

Greptile Summary

Replaces the broken AWBOT_GH_TOKEN + ridedott/merge-me-action path with a self-contained actions/github-script step that calls the native GitHub GraphQL enablePullRequestAutoMerge mutation using the workflow's own GITHUB_TOKEN.

  • Removes the third-party action and its associated PAT dependency; the new step is SHA-pinned (actions/github-script@ed597411) and uses only the built-in token with explicit contents: write / pull-requests: write permissions.
  • Adds defence-in-depth validation inside the script (empty pull_requests guard, re-check that the PR author is dependabot[bot], open + non-draft state, idempotent skip when auto-merge is already on) on top of the existing job-level if guards.

Confidence Score: 5/5

Safe to merge — replaces a dead third-party action with a small, self-contained script that uses only the built-in GITHUB_TOKEN.

The change removes the broken PAT-backed path and uses the native GitHub GraphQL mutation, which is correctly guarded at both the job level and inside the script. No secrets are introduced, the action is SHA-pinned, and the permissions declared match exactly what the mutation requires.

No files require special attention.

Important Files Changed

Filename: .github/workflows/dependabot-automerge.yml
Overview: Rewrites the auto-merge step: drops the dead PAT-backed action, adds top-level permissions, and implements a GitHub Script step with layered guards and a GraphQL enablePullRequestAutoMerge mutation.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant D as Dependabot
    participant GH as GitHub
    participant B as Build Workflow
    participant AM as Auto-merge Workflow
    participant API as GitHub API

    D->>GH: Opens/updates PR
    GH->>B: Triggers Build workflow (pull_request event)
    B-->>GH: workflow_run completed (conclusion: success)
    GH->>AM: Fires workflow_run event

    Note over AM: Job-level if guard

    AM->>AM: Extract pull_requests from payload
    AM->>API: "REST GET /pulls/{prNumber}"
    API-->>AM: PR details

    AM->>AM: Validate PR author, state, draft

    alt auto_merge already enabled
        AM->>AM: core.info + return (idempotent)
    else auto_merge not yet enabled
        AM->>API: GraphQL enablePullRequestAutoMerge (SQUASH)
        API-->>AM: clientMutationId
        AM->>AM: core.info PR enabled
    end

Reviews (5). Last reviewed commit: "fix(ci): pin actions/github-script to co..."
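The guard-then-mutate logic the Greptile summary describes, as an added illustration and not the PR's own workflow script: a pure decision function over the workflow_run payload and the REST pull-request object, plus a runner that takes the github/core/context objects actions/github-script injects. The function names, the constructed sample payloads and the exact log wording are assumptions; the dependabot[bot] author check, the open/non-draft/idempotency guards, the SQUASH method and the enablePullRequestAutoMerge mutation are what the PR describes.

```javascript
// Added example, not the PR's workflow code. Guard logic for a github-script
// auto-merge step, split into a pure decision function (testable offline) and
// a runner that takes the `github`/`core`/`context` objects actions/github-script
// injects. Sample payloads at the bottom are constructed, not real data.
const ALLOWED_AUTHOR = "dependabot[bot]";

// GraphQL mutation issued only after every guard passes (SQUASH, as before).
const ENABLE_AUTO_MERGE_MUTATION = `
  mutation($prId: ID!, $method: PullRequestMergeMethod!) {
    enablePullRequestAutoMerge(input: {pullRequestId: $prId, mergeMethod: $method}) {
      clientMutationId
    }
  }`;

// Decide for a workflow_run payload plus the PR fetched via REST.
// Returns {action: "skip"|"enable", reason}. Re-verifies what the job-level
// `if` already checked (defence in depth); workflow_run.pull_requests is
// empty for fork PRs, which is why the first guard exists.
function decideAutoMerge(workflowRun, pr) {
  const prs = (workflowRun && workflowRun.pull_requests) || [];
  if (prs.length === 0) return { action: "skip", reason: "no pull_requests in payload" };
  if (!pr || !pr.user) return { action: "skip", reason: "pull request not found" };
  if (pr.user.login !== ALLOWED_AUTHOR) return { action: "skip", reason: `author ${pr.user.login} is not ${ALLOWED_AUTHOR}` };
  if (pr.state !== "open") return { action: "skip", reason: `state is ${pr.state}` };
  if (pr.draft) return { action: "skip", reason: "draft PR" };
  if (pr.auto_merge) return { action: "skip", reason: "auto-merge already enabled" };
  return { action: "enable", reason: "all guards passed" };
}

// Runner: extract the PR number, fetch the PR, decide, and only then mutate.
async function runStep({ context, github, core }) {
  const run = context.payload.workflow_run;
  const prs = (run && run.pull_requests) || [];
  if (prs.length === 0) { core.info("No pull_requests in payload; nothing to do."); return "skip"; }
  const { data: pr } = await github.rest.pulls.get({ owner: context.repo.owner, repo: context.repo.repo, pull_number: prs[0].number });
  const d = decideAutoMerge(run, pr);
  if (d.action === "skip") { core.info(`PR #${pr.number}: ${d.reason}`); return "skip"; }
  await github.graphql(ENABLE_AUTO_MERGE_MUTATION, { prId: pr.node_id, method: "SQUASH" });
  core.info(`PR #${pr.number}: auto-merge enabled`);
  return "enable";
}

// Constructed sample inputs (hypothetical values, not ActivityWatch data).
const SAMPLE_RUN = { pull_requests: [{ number: 888 }] };
const SAMPLE_PR = { number: 888, node_id: "PR_constructed", user: { login: "dependabot[bot]" },
                    state: "open", draft: false, auto_merge: null };
```

In a workflow the body of runStep is what goes into the step's script, with the step's declared pull-requests: write permission and the default GITHUB_TOKEN; the job-level if guard still stops the job before this code runs for non-Dependabot runs.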

Comment thread on .github/workflows/dependabot-automerge.yml (outdated)
Add an in-script null guard for context.payload.workflow_run.pull_requests
before indexing [0].number, mirroring the job-level expression. Addresses
Greptile 4/5 review feedback on aw-webui#889.

Co-authored-by: Bob <bot@time.to.build>
@TimeToBuildBob (Contributor, Author)

@greptileai review

@TimeToBuildBob (Contributor, Author)

Addressed Greptile's 4/5 nit about the missing in-script null guard on pull_requests[0].

Pushed a052d93 on bob/fix-dependabot-automerge-pat: extracts the array to a named local, returns early with a core.info log when pull_requests is missing or empty, and only then dereferences [0].number. The job-level if expression is unchanged; this is purely a defense-in-depth mirror inside the script body. Re-triggered Greptile for a fresh 5/5.

@TimeToBuildBob (Contributor, Author)

Ready for Merge ✅

  • ✅ CI: All checks green (tests, lints, Greptile review)
  • ✅ Greptile: 5/5 (P2 nit addressed in a052d93)
  • ✅ No conflicts, mergeable clean state

This PR restores Dependabot auto-merge on master by:

  1. Replacing stale AWBOT_GH_TOKEN + ridedott/merge-me-action
  2. Enabling native GitHub auto-merge for Dependabot PRs after successful builds
  3. Maintaining squash-merge strategy with Dependabot-only guard

Ready for a maintainer to merge.

@TimeToBuildBob (Contributor, Author)

@greptileai review

@TimeToBuildBob (Contributor, Author)

Ready for Merge by Maintainer ✅

  • ✅ CI: All checks green (tests, lints, Greptile review)
  • ✅ Greptile: 5/5 confidence
  • ✅ No merge conflicts, mergeable clean state

This PR restores Dependabot auto-merge on master by replacing the stale PAT-based workflow with native GitHub auto-merge. All reviews and feedback addressed.

Waiting for a maintainer with merge permissions to squash-merge.

@TimeToBuildBob (Contributor, Author)

I recorded work for this monitoring item, but the worker finished before posting the thread update. The delivery guard caught the missing reply and is closing the loop now.

Evidence: commit: abc3bb364f chore(journal): aw-webui#889 Greptile thread closed — null guard reply

Session: fa0b79ec-7984-5b6c-a91f-f78c597c6d7b

@TimeToBuildBob (Contributor, Author)

@greptileai review
