fix(dependabot): only comment on major bump when PR is opened#4
Merged
Conversation
The shared Dependabot auto-merge workflow runs on both `opened` and `synchronize`. The major-bump "requires manual review" comment step had no event guard, so every re-push/rebase of a Dependabot branch posted another duplicate comment. Gate that step to `github.event.action == 'opened'`. The label step is left running on synchronize on purpose: `gh pr edit --add-label` is idempotent and wrapped in `|| true`, so it doubles as a retry safety net without adding noise. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The shared⚠️ Major version bump detected — requires manual review" comment step had no event guard, so every re-push / rebase of a Dependabot branch posted another duplicate comment.
Dependabot Auto-Mergeworkflow (injected org-wide via thedependabot-automergeruleset) runs on bothopenedandsynchronize. The "This surfaced on
realrate/RealRate-Private#2226(adocker/metadata-actionmajor bump), where the major PR accumulated several identical warning comments across pushes.Fix
Gate the comment step to
github.event.action == 'opened'so it fires once, when the PR is first opened.The label step is intentionally left running on
synchronize:gh pr edit --add-labelis idempotent and wrapped in|| true, so keeping it doubles as a retry safety net (if labelling transiently failed onopened, a later sync re-applies it) without producing visible noise.No change to behavior for patch/minor bumps (still auto-approve + auto-merge) or to the manual-review policy for majors (still comment + label, no auto-merge).
Blast radius
This workflow is injected into every targeted repo, so the fix benefits all of them. Verifiable on the next major Dependabot bump in any repo: exactly one warning comment, no repeats on re-push.
Related
realrate/RealRate-Private#2226— where this was diagnosed; that PR also removes RealRate-Private's redundant local copy of this workflow so it relies solely on this injected one (the local + injected double-run was posting two comments onopened).realrate/RealRate-Private#2229— separate proposal for gated auto-merge of major bumps.🤖 Generated with Claude Code