Skip to content

fix(dependabot): only comment on major bump when PR is opened#4

Merged
bbkrr merged 1 commit into
mainfrom
fix/dependabot-major-comment-opened-only
Jul 10, 2026
Merged

fix(dependabot): only comment on major bump when PR is opened#4
bbkrr merged 1 commit into
mainfrom
fix/dependabot-major-comment-opened-only

Conversation

@bbkrr

@bbkrr bbkrr commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

Problem

The shared Dependabot Auto-Merge workflow (injected org-wide via the dependabot-automerge ruleset) runs on both opened and synchronize. The "⚠️ Major version bump detected — requires manual review" comment step had no event guard, so every re-push / rebase of a Dependabot branch posted another duplicate comment.

This surfaced on realrate/RealRate-Private#2226 (a docker/metadata-action major bump), where the major PR accumulated several identical warning comments across pushes.

Fix

Gate the comment step to github.event.action == 'opened' so it fires once, when the PR is first opened.

The label step is intentionally left running on synchronize: gh pr edit --add-label is idempotent and wrapped in || true, so keeping it doubles as a retry safety net (if labelling transiently failed on opened, a later sync re-applies it) without producing visible noise.

No change to behavior for patch/minor bumps (still auto-approve + auto-merge) or to the manual-review policy for majors (still comment + label, no auto-merge).

Blast radius

This workflow is injected into every targeted repo, so the fix benefits all of them. Verifiable on the next major Dependabot bump in any repo: exactly one warning comment, no repeats on re-push.

Related

  • realrate/RealRate-Private#2226 — where this was diagnosed; that PR also removes RealRate-Private's redundant local copy of this workflow so it relies solely on this injected one (the local + injected double-run was posting two comments on opened).
  • realrate/RealRate-Private#2229 — separate proposal for gated auto-merge of major bumps.

🤖 Generated with Claude Code

The shared Dependabot auto-merge workflow runs on both `opened` and
`synchronize`. The major-bump "requires manual review" comment step had no
event guard, so every re-push/rebase of a Dependabot branch posted another
duplicate comment. Gate that step to `github.event.action == 'opened'`.

The label step is left running on synchronize on purpose: `gh pr edit
--add-label` is idempotent and wrapped in `|| true`, so it doubles as a
retry safety net without adding noise.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@bbkrr bbkrr merged commit 20b2045 into main Jul 10, 2026
1 check passed
@bbkrr bbkrr deleted the fix/dependabot-major-comment-opened-only branch July 10, 2026 04:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant