From 73613ec886587ef055308ec5775373352bc6a706 Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 19:24:09 +0100 Subject: [PATCH 1/7] ci: add semver filtering to Dependabot auto-merge (patch/minor only) --- .github/workflows/dependabot-auto-merge.yml | 32 +++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 .github/workflows/dependabot-auto-merge.yml diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml new file mode 100644 index 0000000..26085a8 --- /dev/null +++ b/.github/workflows/dependabot-auto-merge.yml @@ -0,0 +1,32 @@ +name: Dependabot Auto-Merge + +on: pull_request + +permissions: + contents: write + pull-requests: write + +jobs: + dependabot: + runs-on: ubuntu-latest + if: github.actor == 'dependabot[bot]' + steps: + - name: Fetch Dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@v2 + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" + + - name: Approve patch and minor updates + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' + run: gh pr review --approve "$PR_URL" + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Auto-merge patch and minor updates + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' + run: gh pr merge --auto --squash "$PR_URL" + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From be2f9439d081d2fa2635adf495b17d04aa2b6aa3 Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 19:27:59 +0100 Subject: [PATCH 2/7] ci: configure Dependabot version updates targeting develop --- .github/dependabot.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..2fae858 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,18 @@ +version: 2 +updates: + - package-ecosystem: "gomod" + directory: "/" + schedule: + interval: "weekly" + target-branch: "develop" + open-pull-requests-limit: 5 + groups: + minor-and-patch: + update-types: + - "minor" + - "patch" + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + target-branch: "develop" From 450c9cf7d34262ec7a06d196d6ed8ae9001bfd44 Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 19:39:57 +0100 Subject: [PATCH 3/7] ci: add pull_request_target trigger for Dependabot CI compatibility --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 12f534b..ba78e1c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,8 +4,12 @@ on: branches: [develop] pull_request: branches: [develop, main] + pull_request_target: + branches: [develop, main] jobs: build-and-test: + if: github.event_name \!= 'pull_request_target' || github.actor == 'dependabot[bot]' uses: fireflyframework/.github/.github/workflows/go-ci.yml@main with: go-version: '1.25' + checkout-ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }} From d8b2af2ec9181876874b5f77dce744fdc4388b2e Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 19:51:24 +0100 Subject: [PATCH 4/7] ci: revert ci.yml to original triggers (pull_request_target moved to separate file) --- .github/workflows/ci.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ba78e1c..12f534b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,12 +4,8 @@ on: branches: [develop] pull_request: branches: [develop, main] - pull_request_target: - branches: [develop, main] jobs: build-and-test: - if: github.event_name \!= 'pull_request_target' || github.actor == 'dependabot[bot]' uses: fireflyframework/.github/.github/workflows/go-ci.yml@main with: go-version: '1.25' - checkout-ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }} From 9c44b1b7469f31bf1fa396d3eaa7e6683f35465a Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 19:54:41 +0100 Subject: [PATCH 5/7] ci: add separate Dependabot CI workflow using pull_request_target --- .github/workflows/dependabot-ci.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/workflows/dependabot-ci.yml diff --git a/.github/workflows/dependabot-ci.yml b/.github/workflows/dependabot-ci.yml new file mode 100644 index 0000000..8783ec4 --- /dev/null +++ b/.github/workflows/dependabot-ci.yml @@ -0,0 +1,11 @@ +name: Dependabot CI +on: + pull_request_target: + branches: [develop, main] +jobs: + build-and-test: + if: github.actor == 'dependabot[bot]' + uses: fireflyframework/.github/.github/workflows/go-ci.yml@main + with: + go-version: '1.25' + checkout-ref: ${{ github.event.pull_request.head.sha }} From 6fc613426c64a91fbe29530eba7958ae4cdb5bb4 Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 19:59:34 +0100 Subject: [PATCH 6/7] ci: inline Dependabot CI build (cross-repo reusable workflows unsupported for Dependabot) --- .github/workflows/dependabot-ci.yml | 47 ++++++++++++++++++++++++++--- 1 file changed, 43 insertions(+), 4 deletions(-) diff --git a/.github/workflows/dependabot-ci.yml b/.github/workflows/dependabot-ci.yml index 8783ec4..6606a9b 100644 --- a/.github/workflows/dependabot-ci.yml +++ b/.github/workflows/dependabot-ci.yml @@ -2,10 +2,49 @@ name: Dependabot CI on: pull_request_target: branches: [develop, main] + +permissions: + contents: read + statuses: write + jobs: build-and-test: + runs-on: ubuntu-latest if: github.actor == 'dependabot[bot]' - uses: fireflyframework/.github/.github/workflows/go-ci.yml@main - with: - go-version: '1.25' - checkout-ref: ${{ github.event.pull_request.head.sha }} + steps: + - name: Checkout PR code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Set up Go 1.25 + uses: actions/setup-go@v5 + with: + go-version: '1.25' + + - name: Vet + run: go vet ./... + + - name: Test + run: go test -v -race -coverprofile=coverage.out ./... + + - name: Build + run: go build -o /dev/null . + + - name: Report build status + if: always() + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + if [ "${{ job.status }}" = "success" ]; then + STATE="success" + DESC="Dependabot build passed" + else + STATE="failure" + DESC="Dependabot build failed" + fi + gh api "repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }}" \ + -f state="$STATE" \ + -f context="build-and-test / build-and-test" \ + -f description="$DESC" \ + -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" From 8ef78d41b95728923a36a1437ebbb0ffad165267 Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 20:34:34 +0100 Subject: [PATCH 7/7] ci: grant actions:write permission in caller for DAG orchestrator