47 changes: 47 additions & 0 deletions .github/dependabot.yaml
@@ -0,0 +1,47 @@
version: 2
updates:
# npm dependencies (pnpm compatible)
- package-ecosystem: npm
directory: /
schedule:
interval: weekly
day: monday
time: '09:00'
timezone: Europe/London
open-pull-requests-limit: 10
commit-message:
prefix: 'chore(deps)'
labels:
- dependencies
groups:
# Group minor and patch updates together
minor-and-patch:
patterns:
- '*'
update-types:
- minor
- patch
# Ignore major updates for stability (review manually)
ignore:
- dependency-name: '*'
update-types:
- version-update:semver-major
Copilot AI Dec 23, 2025
The update-types ignore pattern uses 'version-update:semver-major' format, but this doesn't match the format that Dependabot expects in the ignore section. According to Dependabot documentation, the ignore section should use 'major' instead of 'version-update:semver-major'. The correct format should be just 'major' in the update-types list under ignore.

Suggested change
- version-update:semver-major
- major

Copilot uses AI. Check for mistakes.

# GitHub Actions dependencies
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
day: monday
time: '09:00'
timezone: Europe/London
open-pull-requests-limit: 5
commit-message:
prefix: 'ci(deps)'
labels:
- dependencies
- ci
groups:
actions:
@cubic-dev-ai cubic-dev-ai bot Dec 23, 2025
P2: GitHub Actions groups configuration is missing update-types filter and ignore block for major versions. Unlike the npm config which limits to minor/patch updates, this will group ALL update types including major versions together, potentially causing breaking changes to be auto-merged.

patterns:
- '*'
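Review bot: the `github-actions` group (`groups: actions: patterns: - '*'`) carries no `update-types`, so a major bump of any action is batched into the same PR as the minor and patch bumps; the auto-merge workflow keys on the PR's single `update-type`, so one major in the batch blocks auto-merge for every other action in it, while a batch that happens to contain only minors and patches merges without a human seeing which actions moved. Mirror the npm block: add `update-types: - minor - patch` under `actions` and an `ignore` entry with `version-update:semver-major` for `dependency-name: '*'`, so majors arrive as separate, manually reviewed PRs. Do not adopt the earlier suggestion to change `version-update:semver-major` to `major`: the `ignore` section's `update-types` uses the `version-update:semver-*` form, and the bare `major`/`minor`/`patch` form belongs to `groups.update-types`, which is exactly how the npm block above already pairs them.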
48 changes: 48 additions & 0 deletions .github/workflows/dependabot-auto-merge.yaml
@@ -0,0 +1,48 @@
name: Dependabot auto-merge

on:
pull_request:
types:
- opened
- synchronize
- reopened

permissions:
contents: write
pull-requests: write

jobs:
dependabot-auto-merge:
runs-on: ubuntu-latest
if: github.actor == 'dependabot[bot]'
steps:
- name: Fetch Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}

- name: Wait for CI to pass
uses: lewagon/wait-on-check-action@ccfb013c15c8afb7bf2b7c028fb74dc5a068cccc # v1.3.4
with:
ref: ${{ github.event.pull_request.head.sha }}
running-workflow-name: Dependabot auto-merge
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 30

# Enable auto-merge for minor/patch updates
# GitHub will wait for required checks and 3-day delay before merging
- name: Enable auto-merge for minor/patch updates
if: steps.metadata.outputs.update-type != 'version-update:semver-major'
run: gh pr merge --auto --squash "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Add comment about merge delay
if: steps.metadata.outputs.update-type != 'version-update:semver-major'
run: |
gh pr comment "$PR_URL" --body "🤖 Auto-merge enabled. This PR will be merged automatically after CI passes and the 3-day waiting period (configured in branch protection rules)."
Comment on lines +34 to +45
Copilot AI Dec 23, 2025
The auto-merge will execute immediately if a PR is created, but the comment on line 45 states there's a "3-day waiting period (configured in branch protection rules)". However, the workflow doesn't enforce this delay - it just enables auto-merge which will merge as soon as CI passes. If a 3-day delay is required, it should be implemented in the workflow itself (e.g., checking the PR age before enabling auto-merge), or the comment should be updated to reflect the actual behavior that depends entirely on branch protection configuration.

Copilot uses AI. Check for mistakes.
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
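Review bot: the gate `if: steps.metadata.outputs.update-type != 'version-update:semver-major'` on the two final steps is a deny-list, so an empty or unexpected `update-type` (a grouped PR whose metadata the action could not classify, or a future value) still satisfies the condition and auto-merge gets enabled. Write it as an allow-list instead: `if: steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch'`. Two further caveats on `gh pr merge --auto`: it only waits for checks that branch protection marks as required, so with no required checks the PR merges as soon as the wait step returns, and it fails outright unless "Allow auto-merge" is switched on in the repository settings, which the workflow neither checks nor documents. Since `fetch-metadata` reports the highest semver change for a multi-dependency PR, the allow-list form also handles grouped Dependabot PRs correctly.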
63 changes: 63 additions & 0 deletions .github/workflows/nix-flake-update.yaml
@@ -0,0 +1,63 @@
name: 'Scheduled: Nix flake update'

on:
schedule:
# Run every Monday at 09:00 UTC (same as Dependabot)
- cron: '0 9 * * 1'
workflow_dispatch: # Allow manual trigger

permissions:
contents: write
pull-requests: write

jobs:
update-flake:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

- name: Setup Nix
uses: ./.github/actions/setup-nix
Copilot AI Dec 23, 2025
Using @main as the version reference is not recommended for GitHub Actions. This can lead to unexpected breaking changes when the action is updated. Consider pinning to a specific version tag or commit SHA for better stability and reproducibility.

Suggested change
uses: ./.github/actions/setup-nix
uses: DeterminateSystems/nix-installer-action@v12


- name: Update flake.lock
run: nix flake update

- name: Check if flake.lock changed
id: check-changes
run: |
if git diff --quiet flake.lock; then
echo "changed=false" >> $GITHUB_OUTPUT
else
echo "changed=true" >> $GITHUB_OUTPUT
fi

- name: Create Pull Request
id: create-pr
if: steps.check-changes.outputs.changed == 'true'
uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
with:
token: ${{ secrets.GITHUB_TOKEN }}
commit-message: 'chore(deps): update nix flake inputs'
title: 'chore(deps): update nix flake inputs'
body: |
## Summary
- Automated update of Nix flake inputs (`nixpkgs`, `flake-parts`)

## Test plan
- [ ] `nix flake check` passes in CI
- [ ] Development shell works correctly

---
🤖 This PR was automatically created by the scheduled Nix flake update workflow.
branch: chore/nix-flake-update
labels: |
dependencies
nix
delete-branch: true

Copilot AI Dec 23, 2025
The workflow enables auto-merge for the Nix flake update PR without any checks or conditions. Unlike the Dependabot auto-merge workflow which waits for CI to pass, this workflow immediately enables auto-merge right after creating the PR. Consider adding a wait-on-check step similar to the Dependabot workflow to ensure CI passes before enabling auto-merge.

Suggested change
- name: Wait for CI checks to pass
if: steps.create-pr.outputs.pull-request-number
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const prNumber = parseInt('${{ steps.create-pr.outputs.pull-request-number }}', 10);
// Get the PR to find the head SHA to check statuses on
const { data: pr } = await github.rest.pulls.get({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: prNumber,
});
const ref = pr.head.sha;
const timeoutMinutes = 60;
const intervalSeconds = 30;
const timeoutAt = Date.now() + timeoutMinutes * 60 * 1000;
async function getCombinedStatus() {
const { data } = await github.rest.repos.getCombinedStatusForRef({
owner: context.repo.owner,
repo: context.repo.repo,
ref,
});
core.info(`Current combined status for ${ref}: ${data.state}`);
return data.state;
}
let state = await getCombinedStatus();
while (state === 'pending') {
if (Date.now() > timeoutAt) {
core.setFailed(
`CI checks did not complete within ${timeoutMinutes} minutes (last combined status: ${state})`,
);
return;
}
await new Promise((resolve) => setTimeout(resolve, intervalSeconds * 1000));
state = await getCombinedStatus();
}
if (state !== 'success') {
core.setFailed(`CI checks did not pass. Final combined status: ${state}`);
}

- name: Enable auto-merge
if: steps.create-pr.outputs.pull-request-number
run: gh pr merge --auto --squash "${{ steps.create-pr.outputs.pull-request-url }}"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
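Review bot: a PR opened by `peter-evans/create-pull-request` with `token: ${{ secrets.GITHUB_TOKEN }}` does not start `pull_request` workflows (GitHub suppresses runs for events created with the workflow's own token, and the action's README documents this), so no CI ever runs on `chore/nix-flake-update` and `gh pr merge --auto` either merges immediately (no required checks) or waits forever (required checks that never report); the proposed wait-on-check step would hang for the same reason. Create the PR with a GitHub App installation token or a fine-grained PAT passed through the action's `token` input, and gate auto-merge on the minor/patch logic the Dependabot workflow already has. The earlier `@main` remark does not apply to `uses: ./.github/actions/setup-nix`: that is a local composite action checked out at the same commit as the repository, which is already pinned, and the suggested replacement `DeterminateSystems/nix-installer-action@v12` would swap it for a mutable tag. Minor: quote `"$GITHUB_OUTPUT"` in the `echo "changed=..." >> $GITHUB_OUTPUT` lines.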