Skip to content

chore: add Dependabot config + auto-merge for patch updates #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
cl77 wants to merge 3 commits into from
Closed

chore: add Dependabot config + auto-merge for patch updates #3

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
eb911c9
chore: add Dependabot config (scheduled + grouped security updates)
cl77 Apr 15, 2026
5d743d9
chore: auto-merge Dependabot patch PRs when CI passes
cl77 Apr 15, 2026
e06893d
chore: refresh managed Dependabot config
cl77 May 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 38 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
# managed-by: seven-io/isms-tools/scripts/dependabot-rollout.sh
# Dependabot config: scheduled + grouped security updates. Do not edit by hand;
# changes should be made in the script and re-rolled out with FORCE_UPDATE=true.
# See: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
version: 2
updates:
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
open-pull-requests-limit: 5
cooldown:
default-days: 5
semver-major-days: 14
semver-minor-days: 7
semver-patch-days: 3
groups:
security-all:
applies-to: security-updates
patterns: ["*"]
minor-patch:
applies-to: version-updates
patterns: ["*"]
update-types: ["minor", "patch"]
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "monthly"
open-pull-requests-limit: 2
cooldown:
default-days: 5
semver-major-days: 14
semver-minor-days: 7
semver-patch-days: 3
groups:
actions-all:
patterns: ["*"]
26 changes: 26 additions & 0 deletions .github/workflows/dependabot-auto-merge.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
name: Dependabot auto-merge
# pull_request_target is required so that Dependabot-triggered runs get a token
# with write permissions. Safe here because we never check out PR code — we only
# call the gh CLI on the PR metadata.
on: pull_request_target

permissions:
contents: write
pull-requests: write

jobs:
dependabot:
runs-on: ubuntu-latest
if: github.actor == 'dependabot[bot]'
steps:
- name: Fetch metadata
id: metadata
uses: dependabot/fetch-metadata@v2
- name: Enable auto-merge for patch-only updates (version + security)
if: >-
steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
steps.metadata.outputs.update-type == 'security-update:semver-patch'
run: gh pr merge --auto --squash "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}