AAE-35226 Add new actions to handle Dependabot PRs #1042
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
atchertchian
commented
Jun 19, 2025
atchertchian
commented
Jun 19, 2025
|
commenting to see if it triggers pull_request_review event to check https://github.com/Alfresco/alfresco-build-tools/actions/workflows/pr-review-check.yml |
gionn
requested changes
Jun 23, 2025
gionn
reviewed
Jun 23, 2025
atchertchian
force-pushed
the
improvement/AAE-35226-dependabot-validation
branch
from
f19ecc6 to
f816cb3
Compare
gionn
approved these changes
Jun 23, 2025
There was a problem hiding this comment.
Pull Request Overview
This PR adds two new GitHub Actions to improve Dependabot PR validation and auto-merge workflows, removes an outdated Dependabot action, and bumps the tool’s version to v9.0.0.
- Introduce
github-require-secrets(fails early if secrets aren’t available) andgithub-trigger-approved-pr(labels/milestones and auto-merges on approval). - Remove deprecated
automate-dependabotaction. - Update Dependabot schedules in
.github/dependabot.ymland bumpversion.txtto v9.0.0.
Reviewed Changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| docs/README.md | Removed automate-dependabot docs, added new sections and TOC entries for the new actions. |
| version.txt | Bumped version from v8.24.1 to v9.0.0. |
| .github/dependabot.yml | Dropped old Dependabot action schedule and added schedules for the new actions. |
| .github/actions/github-require-secrets/action.yml | New composite action to enforce valid secret sources before running workflows. |
| .github/actions/github-trigger-approved-pr/action.yml | New composite action to trigger validation, label/milestone PRs, and optionally auto-merge. |
| .github/actions/automate-dependabot/action.yml | Deleted legacy Dependabot automation action. |
Comments suppressed due to low confidence (4)
.github/dependabot.yml:252
- Indentation for the new
- package-ecosystementries is inconsistent with existing blocks (4 spaces vs. 2). Align all entries to the same indent level to keep the YAML valid.
- package-ecosystem: "github-actions"
.github/actions/github-require-secrets/action.yml:12
- GitHub sets
github.secret_sourceto lowercase values ('dependabot','actions','codespaces'). Update string comparisons to lowercase to avoid always failing.
if [[ $SECRET_SOURCE == 'Dependabot' ]]
.github/actions/github-trigger-approved-pr/action.yml:75
- Expressions inside single-quoted strings in
github-scriptwon’t be interpolated. Use JS templating (e.g., ``body: `Setting auto-merge on PR after action from @${process.env.ACTOR}```) or build the string in YAML before passing.
body: 'Setting auto-merge on Dependabot PR after action from @${{ env.ACTOR }}',
.github/actions/github-trigger-approved-pr/action.yml:78
- [nitpick] Step name references "propagation" but this action is generic to any approved PR. Consider renaming to something like "Enable auto-merge for approved PR" for clarity.
- name: Enable auto-merge for propagation Pull Request
dsibilio
approved these changes
Jun 24, 2025
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
Co-authored-by: Copilot <[email protected]>
atchertchian
requested review from
dsibilio,
gionn,
souvikpanda99 and
wojciech-piotrowiak
wojciech-piotrowiak
approved these changes
Sep 24, 2025
gionn
approved these changes
Sep 25, 2025
dsibilio
approved these changes
Sep 26, 2025
Co-authored-by: Domenico Sibilio <[email protected]>
wojciech-piotrowiak
approved these changes
Sep 26, 2025
atchertchian
deleted the
improvement/AAE-35226-dependabot-validation
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Checklist
Description
This introduces new actions to:
An old related action that is not following good practices anyway was also removed.