From 30be09ce7ef3fca5a13f797bd50d7400b5223e73 Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 18:52:39 +0100 Subject: [PATCH 1/8] ci: update Dependabot auto-merge workflow --- .github/workflows/dependabot-auto-merge.yml | 30 +++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .github/workflows/dependabot-auto-merge.yml diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml new file mode 100644 index 0000000..e96eda6 --- /dev/null +++ b/.github/workflows/dependabot-auto-merge.yml @@ -0,0 +1,30 @@ +name: Dependabot Auto-Merge + +on: pull_request + +permissions: + contents: write + pull-requests: write + +jobs: + dependabot: + runs-on: ubuntu-latest + if: github.actor == 'dependabot[bot]' + steps: + - name: Fetch Dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@v2 + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" + + - name: Approve PR + run: gh pr review --approve "$PR_URL" + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Auto-merge PR + run: gh pr merge --auto --squash "$PR_URL" + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From a9deca5bbaacc894ea3922f08cf89f03dcff513f Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 19:23:31 +0100 Subject: [PATCH 2/8] ci: add semver filtering to Dependabot auto-merge (patch/minor only) --- .github/workflows/dependabot-auto-merge.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index e96eda6..26085a8 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -17,13 +17,15 @@ jobs: with: github-token: "${{ secrets.GITHUB_TOKEN }}" - - name: Approve PR + - name: Approve patch and minor updates + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' run: gh pr review --approve "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Auto-merge PR + - name: Auto-merge patch and minor updates + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' run: gh pr merge --auto --squash "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} From 6234570d509f8156e522f06917e701640ea9ccbe Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 19:27:57 +0100 Subject: [PATCH 3/8] ci: configure Dependabot version updates targeting develop --- .github/dependabot.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..2fae858 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,18 @@ +version: 2 +updates: + - package-ecosystem: "gomod" + directory: "/" + schedule: + interval: "weekly" + target-branch: "develop" + open-pull-requests-limit: 5 + groups: + minor-and-patch: + update-types: + - "minor" + - "patch" + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + target-branch: "develop" From 0d3f84a25eef0993234f103210db54e9fb7603a3 Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 19:39:59 +0100 Subject: [PATCH 4/8] ci: add pull_request_target trigger for Dependabot CI compatibility --- .github/workflows/ci.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 12f534b..ba78e1c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,8 +4,12 @@ on: branches: [develop] pull_request: branches: [develop, main] + pull_request_target: + branches: [develop, main] jobs: build-and-test: + if: github.event_name \!= 'pull_request_target' || github.actor == 'dependabot[bot]' uses: fireflyframework/.github/.github/workflows/go-ci.yml@main with: go-version: '1.25' + checkout-ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }} From 9f46e4cce29d1f5dbe2cb6bb059b0218be24e7d5 Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 19:51:25 +0100 Subject: [PATCH 5/8] ci: revert ci.yml to original triggers (pull_request_target moved to separate file) --- .github/workflows/ci.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ba78e1c..12f534b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,12 +4,8 @@ on: branches: [develop] pull_request: branches: [develop, main] - pull_request_target: - branches: [develop, main] jobs: build-and-test: - if: github.event_name \!= 'pull_request_target' || github.actor == 'dependabot[bot]' uses: fireflyframework/.github/.github/workflows/go-ci.yml@main with: go-version: '1.25' - checkout-ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }} From 3e268bd0eb2dae53d3b6cd96de06ab6198c355cd Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 19:54:42 +0100 Subject: [PATCH 6/8] ci: add separate Dependabot CI workflow using pull_request_target --- .github/workflows/dependabot-ci.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/workflows/dependabot-ci.yml diff --git a/.github/workflows/dependabot-ci.yml b/.github/workflows/dependabot-ci.yml new file mode 100644 index 0000000..8783ec4 --- /dev/null +++ b/.github/workflows/dependabot-ci.yml @@ -0,0 +1,11 @@ +name: Dependabot CI +on: + pull_request_target: + branches: [develop, main] +jobs: + build-and-test: + if: github.actor == 'dependabot[bot]' + uses: fireflyframework/.github/.github/workflows/go-ci.yml@main + with: + go-version: '1.25' + checkout-ref: ${{ github.event.pull_request.head.sha }} From df21be38b805dafe8c2c3e53543e497a974c620a Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 19:59:37 +0100 Subject: [PATCH 7/8] ci: inline Dependabot CI build (cross-repo reusable workflows unsupported for Dependabot) --- .github/workflows/dependabot-ci.yml | 47 ++++++++++++++++++++++++++--- 1 file changed, 43 insertions(+), 4 deletions(-) diff --git a/.github/workflows/dependabot-ci.yml b/.github/workflows/dependabot-ci.yml index 8783ec4..6606a9b 100644 --- a/.github/workflows/dependabot-ci.yml +++ b/.github/workflows/dependabot-ci.yml @@ -2,10 +2,49 @@ name: Dependabot CI on: pull_request_target: branches: [develop, main] + +permissions: + contents: read + statuses: write + jobs: build-and-test: + runs-on: ubuntu-latest if: github.actor == 'dependabot[bot]' - uses: fireflyframework/.github/.github/workflows/go-ci.yml@main - with: - go-version: '1.25' - checkout-ref: ${{ github.event.pull_request.head.sha }} + steps: + - name: Checkout PR code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Set up Go 1.25 + uses: actions/setup-go@v5 + with: + go-version: '1.25' + + - name: Vet + run: go vet ./... + + - name: Test + run: go test -v -race -coverprofile=coverage.out ./... + + - name: Build + run: go build -o /dev/null . + + - name: Report build status + if: always() + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + if [ "${{ job.status }}" = "success" ]; then + STATE="success" + DESC="Dependabot build passed" + else + STATE="failure" + DESC="Dependabot build failed" + fi + gh api "repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }}" \ + -f state="$STATE" \ + -f context="build-and-test / build-and-test" \ + -f description="$DESC" \ + -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" From 31b7c8a44ec164af87765878406a980f0f6dee20 Mon Sep 17 00:00:00 2001 From: Andres Contreras Date: Tue, 10 Feb 2026 20:34:35 +0100 Subject: [PATCH 8/8] ci: grant actions:write permission in caller for DAG orchestrator