Add Dependabot auto-merge#54
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1a8790b055
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| pr = json.loads(Path("pr.json").read_text(encoding="utf-8")) | ||
| author = (pr.get("author") or {}).get("login") | ||
| labels = {item.get("name", "") for item in pr.get("labels", [])} | ||
| should_merge = author == "dependabot[bot]" and not pr.get("isDraft") |
There was a problem hiding this comment.
This merge guard only checks PR author/draft state, so a workflow_run from an older successful CI run can merge a newer PR head that was pushed afterward and has not passed CI yet. In practice, if Dependabot updates the same PR again before this workflow executes, gh pr merge will act on the current head, not the workflow_run.head_sha that produced the success event, which can allow unvalidated dependency updates to land. Include headRefOid in gh pr view and require it to match github.event.workflow_run.head_sha before setting should_merge=true.
Useful? React with 👍 / 👎.
1 participant
Enable automatic merging for Dependabot PRs after CI succeeds, and suppress semver major dependency updates for safety.