From c5465f4ca59e2e7b4d9fa6967960a2a3210c71ff Mon Sep 17 00:00:00 2001 From: Bibek Chaudhary Date: Wed, 1 Jul 2026 11:38:00 +0545 Subject: [PATCH 1/6] Enable Dependabot auto-merge (config + caller workflow) Add .github/dependabot.yml (pip for setup.py + github-actions, weekly, target develop) and a thin caller of the org reusable auto-merge workflow at .github/workflows/dependabot-automerge.yaml. The repo's dependabot-automerge ruleset already requires a workflow at that path; without a local workflow file the required check was never produced, so Dependabot PRs would be blocked. This adds it. Co-Authored-By: Claude Opus 4.8 --- .github/dependabot.yml | 32 +++++++++++++++++++++ .github/workflows/dependabot-automerge.yaml | 20 +++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/dependabot-automerge.yaml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..ae25a46 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,32 @@ +# Dependabot version updates. Patch/minor bumps that pass CI are approved and +# auto-merged by the Dependabot Auto-Merge workflow; major bumps are labelled +# `needs-manual-review` for a human. +# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file + +version: 2 +updates: + - package-ecosystem: "pip" # setup.py at repo root + directory: "/" + schedule: + interval: "weekly" + target-branch: "develop" + labels: + - "dependencies" + cooldown: + default-days: 7 # fallback for anything not specified below + semver-patch-days: 7 # patch updates must be 7 days old + semver-minor-days: 7 # minor updates must be 7 days old + semver-major-days: 14 # major updates must be 14 days old (extra caution) + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + target-branch: "develop" + labels: + - "dependencies" + cooldown: + default-days: 7 + semver-patch-days: 7 + semver-minor-days: 7 + semver-major-days: 14 diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml new file mode 100644 index 0000000..cc7edbd --- /dev/null +++ b/.github/workflows/dependabot-automerge.yaml @@ -0,0 +1,20 @@ +name: Dependabot Auto-Merge + +# Thin caller of the org-wide reusable workflow. Approves + enables auto-merge +# for patch/minor bumps; comments + labels `needs-manual-review` for major. +# Must live at this path so the `dependabot-automerge` ruleset's required +# workflow check is produced for Dependabot PRs. + +on: + pull_request_target: + types: [opened, synchronize] + +permissions: + contents: write + pull-requests: write + issues: write + +jobs: + auto-merge: + uses: realrate/.github/.github/workflows/dependabot-automerge.yaml@main + secrets: inherit From b2ed804a80868c45ce971d756c2146a384b067ee Mon Sep 17 00:00:00 2001 From: Bibek Chaudhary Date: Wed, 1 Jul 2026 11:46:03 +0545 Subject: [PATCH 2/6] Fix Dependabot config: drop semver cooldown on github-actions github-actions (and docker) ecosystems only support cooldown.default-days, not the semver-*-days keys. Keep default-days; remove the unsupported semver-specific cooldown so Dependabot accepts the config. Co-Authored-By: Claude Opus 4.8 --- .github/dependabot.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index ae25a46..45f0853 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -26,7 +26,4 @@ updates: labels: - "dependencies" cooldown: - default-days: 7 - semver-patch-days: 7 - semver-minor-days: 7 - semver-major-days: 14 + default-days: 7 # github-actions cooldown supports default-days only From 27eea0c73e590fd482fd1208958e0f44574c675f Mon Sep 17 00:00:00 2001 From: Bibek Chaudhary Date: Wed, 1 Jul 2026 11:52:45 +0545 Subject: [PATCH 3/6] Harden auto-merge caller: guard on Dependabot actor + restrict branch Address review feedback: add a job-level 'if: github.actor == dependabot[bot]' guard so inherited secrets are never passed to the reusable workflow for non-Dependabot (incl. fork) PRs, and restrict the pull_request_target trigger to the default branch. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/dependabot-automerge.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml index cc7edbd..4130607 100644 --- a/.github/workflows/dependabot-automerge.yaml +++ b/.github/workflows/dependabot-automerge.yaml @@ -8,6 +8,7 @@ name: Dependabot Auto-Merge on: pull_request_target: types: [opened, synchronize] + branches: [develop] permissions: contents: write @@ -16,5 +17,9 @@ permissions: jobs: auto-merge: + # Defence in depth: the reusable workflow already gates its steps on the + # Dependabot actor, but guard the caller too so inherited secrets are never + # passed to the reusable workflow for non-Dependabot (incl. fork) PRs. + if: ${{ github.actor == 'dependabot[bot]' }} uses: realrate/.github/.github/workflows/dependabot-automerge.yaml@main secrets: inherit From b0e0f402de6ffecae2eeac99e15d3dea48fb524a Mon Sep 17 00:00:00 2001 From: Bibek Chaudhary Date: Wed, 1 Jul 2026 11:57:54 +0545 Subject: [PATCH 4/6] Guard auto-merge on PR author, not github.actor Address re-review: github.actor is the user who triggered the event and can be a maintainer on a rebase/synchronize of the Dependabot branch, which would wrongly skip the job (and leave the ruleset-required check in a non-passing state). Guard on github.event.pull_request.user.login, which can't be forged, so secrets stay away from non-Dependabot/fork PRs while the job still runs for every Dependabot-authored PR. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/dependabot-automerge.yaml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml index 4130607..fab99c8 100644 --- a/.github/workflows/dependabot-automerge.yaml +++ b/.github/workflows/dependabot-automerge.yaml @@ -17,9 +17,11 @@ permissions: jobs: auto-merge: - # Defence in depth: the reusable workflow already gates its steps on the - # Dependabot actor, but guard the caller too so inherited secrets are never - # passed to the reusable workflow for non-Dependabot (incl. fork) PRs. - if: ${{ github.actor == 'dependabot[bot]' }} + # Guard on the PR *author*, not github.actor: github.actor is the user who + # triggered the event and can be a maintainer on a rebase/synchronize of the + # Dependabot branch, which would wrongly skip the job. The author can't be + # forged, so this still keeps inherited secrets away from non-Dependabot + # (incl. fork) PRs while running for every Dependabot-authored PR. + if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} uses: realrate/.github/.github/workflows/dependabot-automerge.yaml@main secrets: inherit From db6ddfb4c379d8ace370ebb04c857601c61250c3 Mon Sep 17 00:00:00 2001 From: Bibek Chaudhary Date: Wed, 1 Jul 2026 14:40:40 +0545 Subject: [PATCH 5/6] Drop caller workflow: org ruleset injects the auto-merge workflow The org dependabot-automerge ruleset injects .github's Dependabot Auto-Merge workflow into every repo's PRs (required workflows can't be reusable, so per-repo callers are both unnecessary and invalid). Keep only dependabot.yml here; the auto-merge logic is provided org-wide. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/dependabot-automerge.yaml | 27 --------------------- 1 file changed, 27 deletions(-) delete mode 100644 .github/workflows/dependabot-automerge.yaml diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml deleted file mode 100644 index fab99c8..0000000 --- a/.github/workflows/dependabot-automerge.yaml +++ /dev/null @@ -1,27 +0,0 @@ -name: Dependabot Auto-Merge - -# Thin caller of the org-wide reusable workflow. Approves + enables auto-merge -# for patch/minor bumps; comments + labels `needs-manual-review` for major. -# Must live at this path so the `dependabot-automerge` ruleset's required -# workflow check is produced for Dependabot PRs. - -on: - pull_request_target: - types: [opened, synchronize] - branches: [develop] - -permissions: - contents: write - pull-requests: write - issues: write - -jobs: - auto-merge: - # Guard on the PR *author*, not github.actor: github.actor is the user who - # triggered the event and can be a maintainer on a rebase/synchronize of the - # Dependabot branch, which would wrongly skip the job. The author can't be - # forged, so this still keeps inherited secrets away from non-Dependabot - # (incl. fork) PRs while running for every Dependabot-authored PR. - if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} - uses: realrate/.github/.github/workflows/dependabot-automerge.yaml@main - secrets: inherit From 9bb49b75856a062bbb20fdf26b3be3df65117015 Mon Sep 17 00:00:00 2001 From: Bibek Chaudhary Date: Fri, 3 Jul 2026 16:50:06 +0545 Subject: [PATCH 6/6] Re-trigger checks (inject Dependabot Auto-Merge required workflow) The current head was pushed while the org 'require workflows to pass' rule was temporarily disabled, so the required Dependabot Auto-Merge workflow never ran on it. An empty commit fires a fresh synchronize so the injected workflow runs and skips (non-Dependabot PR), satisfying the required check. Co-Authored-By: Claude Opus 4.8