ci: auto-merge Dependabot patch/minor PRs#152
Conversation
Adds a workflow that auto-enables squash-merge on Dependabot PRs when the update is patch or minor. Major updates are left for human review since they may introduce breaking changes. Mechanics: - Triggers on pull_request events from dependabot[bot] only. - Uses dependabot/fetch-metadata (SHA-pinned to v2.4.0) to extract update-type from the PR title/body. - Calls `gh pr merge --auto --squash`, which queues the merge to fire once required status checks (test 3.12 / test 3.13 / drift-check) pass. If a check fails, the PR is not merged. No approval step is needed: branch protection on main has no required reviewers (solo-maintainer repo), only required status checks. Permissions: contents: write + pull-requests: write are the minimum needed for `gh pr merge --auto`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Code Review — PR #152: Dependabot Auto-Merge WorkflowOverviewAdds What's Good
Concern:
|
Summary
Adds a workflow that auto-enables squash-merge on Dependabot PRs for patch and minor updates. Major bumps are left for human review.
Why
Six Dependabot PRs (#145–#150) piled up because there was no auto-merge wiring. All had green CI but were waiting for a human to click merge. This workflow handles the routine patch/minor cases so they flow through automatically.
Mechanics
pull_requestevents fromdependabot[bot]only.dependabot/fetch-metadata@v2.4.0(SHA-pinned) to extract the semver update type.gh pr merge --auto --squash, which queues the merge until required status checks pass (test 3.12,test 3.13,drift-check). Failed checks → no merge.Why no auto-approve step
Branch protection on
mainrequires status checks but not reviewers (solo-maintainer repo).gh pr merge --autoonly needs CI green to fire — no review step needed.Test plan
🤖 Generated with Claude Code