
ci: auto-merge Dependabot PRs once all CI passes #151

Merged
JohnMcLear merged 1 commit into main from dependabot-automerge on Jun 19, 2026

Conversation

@JohnMcLear

Member

As discussed in #148 — enables our standard policy of auto-merging Dependabot PRs once CI is green, now that this repo has sufficient test coverage (vitest + PHPUnit + Psalm + lint).

What it does

Adds .github/workflows/dependabot-automerge.yml:

  • Triggers on workflow_run completion of each CI workflow (Node, Lint PHP, Lint info.xml, PHPUnit, Psalm).
  • Gated to dependabot[bot]-authored PRs with a successful run.
  • Uses pascalgn/automerge-action (SHA-pinned), which re-checks the PR's full combined status before squash-merging — so it waits for all CI workflows to pass, not just the one that triggered it.

Why this shape

The repo has no branch protection / required status checks, so GitHub-native gh pr merge --auto would merge immediately rather than waiting for CI. The workflow_run + automerge-action approach is self-contained and genuinely waits for every check to go green. Concurrency is collapsed per branch so the several CI completions don't spawn parallel merge attempts.

No semver filtering — CI gates breakage, consistent with the rest of the Etherpad ecosystem.

🤖 Generated with Claude Code

Adds a Dependabot Automerge workflow so dependency bumps land
automatically when the full CI suite is green, matching the policy used
across other Etherpad repos.

Triggers on workflow_run completion of every CI workflow (Node, Lint PHP,
Lint info.xml, PHPUnit, Psalm) and uses pascalgn/automerge-action, which
re-checks the PR's full combined status before squash-merging. This means
it waits for all CI to pass and stays self-contained -- no branch
protection / required-checks configuration needed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
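One way to write the workflow the description above sketches (workflow_run trigger, per-branch concurrency, SHA-pinned pascalgn/automerge-action), as an added example rather than the file merged in this PR. The CI workflow names come from the description, the action SHA is a placeholder, and the author-lookup step is an assumption that gates on the PR author via the API instead of the run actor.

```yaml
name: Dependabot Automerge
on:
  workflow_run:
    # Assumed CI workflow names, taken from the PR description.
    workflows: ["Node", "Lint PHP", "Lint info.xml", "PHPUnit", "Psalm"]
    types: [completed]

# Several CI completions for one head branch collapse into a single merge attempt.
concurrency:
  group: dependabot-automerge-${{ github.event.workflow_run.head_branch }}
  cancel-in-progress: false

permissions:
  contents: write
  pull-requests: write

jobs:
  automerge:
    # Only successful, pull_request-triggered runs whose head lives in this repo (not a fork).
    if: >
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - name: Resolve the PR and confirm its author is Dependabot
        id: pr
        env:
          GH_TOKEN: ${{ github.token }}
          # Empty when the run is not associated with any PR.
          PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
        run: |
          if [ -z "$PR_NUMBER" ]; then
            echo "no pull request associated with this run; nothing to merge" && exit 0
          fi
          # Check the PR author, not the CI run actor: a manual re-run changes the actor.
          author="$(gh api "repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}" --jq '.user.login')"
          echo "number=${PR_NUMBER}" >> "$GITHUB_OUTPUT"
          if [ "$author" = 'dependabot[bot]' ]; then echo "eligible=true" >> "$GITHUB_OUTPUT"; fi
      - name: Squash-merge once every check on the PR is green
        if: steps.pr.outputs.eligible == 'true'
        # <PINNED-COMMIT-SHA> is a placeholder: pin to the audited commit of the action.
        uses: pascalgn/automerge-action@<PINNED-COMMIT-SHA>
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PULL_REQUEST: ${{ steps.pr.outputs.number }}   # the action re-checks this PR's combined status
          MERGE_METHOD: squash
          MERGE_LABELS: ""          # no label required; CI status is the only gate
          MERGE_RETRIES: "30"       # keep retrying while other CI workflows are still running
          MERGE_RETRY_SLEEP: "60000"
```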

@qodo-free-for-open-source-projects


PR Summary by Qodo

CI: auto-merge Dependabot PRs after full CI suite passes
⚙️ Configuration changes ✨ Enhancement 🕐 10-20 Minutes


Description

• Add a GitHub Actions workflow to auto-merge Dependabot PRs after CI succeeds.
• Trigger on CI workflow_run completions and gate to dependabot[bot]-authored PR events.
• Use SHA-pinned pascalgn/automerge-action with squash merge and retry to wait for all checks.
Diagram

```mermaid
graph TD
  A["CI workflows"] --> B{"workflow_run completed"}
  B --> C["Dependabot Automerge workflow"] --> D{"Gate: Dependabot + success"}
  D --> E["pascalgn/automerge-action"] --> F["Squash merge PR"]
  E --> G["Re-check combined PR status"]
  subgraph Legend
    direction LR
    _proc["Workflow/job"] ~~~ _dec{"Decision"}
  end
```
High-Level Assessment

The following are alternative approaches to this PR:

1. GitHub native auto-merge + required status checks
  • ➕ Uses first-party auto-merge UI/API and avoids third-party action supply-chain risk
  • ➕ Relies on branch protection to guarantee checks are complete/green before merge
  • ➖ Requires configuring branch protection + required checks (explicitly not present today)
  • ➖ More repo admin/config overhead; can drift across repos if not standardized
2. pull_request_target workflow that polls/checks combined status and merges via gh/GitHub API
  • ➕ Avoids third-party automerge action; logic remains in-repo
  • ➕ Can enforce additional policies (labels, dependency type, semver constraints)
  • ➖ More custom code to maintain and secure (token scopes, PR trust model)
  • ➖ Easy to get subtle security issues wrong with pull_request_target
3. Dependabot auto-merge via label-based policy (if supported by repo tooling)
  • ➕ Simple policy surface (e.g., apply label to allow merge)
  • ➕ Can allow humans to opt-in/opt-out per PR
  • ➖ Still typically needs branch protection/required checks to ensure it truly waits for CI
  • ➖ Adds operational steps (labeling) unless fully automated

Recommendation: Given the repo intentionally has no branch protection/required checks, the chosen workflow_run + pascalgn/automerge-action approach is the most reliable way to ensure merges only happen after the full combined status is green. Keep the action SHA-pinned (as done) and periodically review permissions/conditions; if the repo later adopts required checks, consider switching to native auto-merge to remove the third-party dependency.

Files changed (1) +54 / -0

.github/workflows/dependabot-automerge.yml (+54 / -0): Add workflow_run-based Dependabot automerge workflow

• Introduces a new GitHub Actions workflow that triggers on completion of key CI workflows and auto-merges successful Dependabot PRs. Uses concurrency to collapse multiple triggering CI completions per branch and runs a SHA-pinned automerge action configured for squash merges with retry to wait for all checks.

@JohnMcLear JohnMcLear merged commit 10f883a into main Jun 19, 2026
11 checks passed
@qodo-free-for-open-source-projects


Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📜 Skill insights (0)


Remediation recommended

1. Reruns block automerge 🐞 Bug ☼ Reliability
Description
The automerge job only runs when github.event.workflow_run.actor.login is dependabot[bot], so any successful CI run whose actor is not Dependabot (for example, a manual re-run) will never trigger automerge even if the PR is Dependabot-authored. This can leave Dependabot PRs stuck unmerged despite all checks being green.
Code

.github/workflows/dependabot-automerge.yml[R39-42]

+    if: >
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.actor.login == 'dependabot[bot]'
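Review bot: the third condition of this `if:` keys eligibility on the actor of the completed CI run rather than on the PR author, so a maintainer re-running a failed job becomes the actor and a Dependabot PR whose CI only went green on that re-run is never merged, while the gate also says nothing about which PR the run belongs to. Resolve the PR from `github.event.workflow_run.pull_requests` and check its author instead, and because that array can be empty, guard the merge step on a non-empty entry rather than indexing `[0]` unconditionally. Since a `workflow_run` job runs with this repository's write token, keep the `conclusion == 'success'` and `event == 'pull_request'` conditions as they are and add the optional head-repository check suggested below, so that a run for a branch outside this repo can never reach the merge step.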
Evidence
The new workflow gates execution on github.event.workflow_run.actor.login == 'dependabot[bot]', which ties automerge eligibility to the actor of the completed CI run rather than the PR author. The upstream CI workflows it listens to are pull_request workflows, so a successful run can be associated with the PR even when the run actor is not Dependabot.

.github/workflows/dependabot-automerge.yml[37-43]
.github/workflows/node.yml[7-10]
.github/workflows/lint-php.yml[8-11]
.github/workflows/lint-info-xml.yml[7-10]
.github/workflows/phpunit.yml[8-11]
.github/workflows/psalm.yml[8-11]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The automerge workflow currently decides whether a PR is "Dependabot-authored" by checking `github.event.workflow_run.actor.login`. For `workflow_run`, this is the actor associated with the CI run that completed, which can differ from the PR author (e.g., when someone re-runs CI). As a result, Dependabot PRs can fail to automerge even after CI is green.

## Issue Context
This workflow is triggered by `workflow_run` for CI workflows that run on `pull_request`. The event payload also includes `workflow_run.pull_requests[]`, which can be used to identify the actual PR and its author.

## Fix Focus Areas
- .github/workflows/dependabot-automerge.yml[39-42]

## Suggested change
- Replace the `workflow_run.actor.login` check with a check against the associated PR’s author, e.g. `github.event.workflow_run.pull_requests[0].user.login == 'dependabot[bot]'`.
- Add a defensive guard to ensure `pull_requests` is non-empty before indexing (or use an expression that safely handles 0 PRs).
- (Optional hardening) Also verify the PR head repo is this repo (not a fork) using the `pull_requests[0].head.repo.full_name` field if present.


