Add auto-merge workflow for Dependabot and Scala Steward PRs #979
Merged
Mirrors the wvlet/uni auto-merge pattern, adapted for this repo:
- Uses pull_request_target so GITHUB_TOKEN gets the declared write permissions on Dependabot-authored PRs (avoids needing a GitHub App).
- Skips Dependabot major-version bumps via dependabot/fetch-metadata.
- Skips Scala Steward PRs labeled semver-major.
- Squash-merges via --auto, so GitHub waits for required checks and reviews before merging.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

The semver-major label guard was a no-op: this repo's Scala Steward PRs only carry library-update (and sometimes internal), so the guard would have auto-merged every Scala Steward PR including major bumps. Defer Scala Steward auto-merge until the repo has proper semver labeling configured.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Restore the Scala Steward auto-merge job dropped in the previous commit. Guards on both `semver-major` and `early-semver-major` labels for forward compatibility with future label setup. Until those labels are configured, the guard is effectively a no-op (matching wvlet/uni's behavior); a follow-up can tighten this by adding the labels to the repo and configuring Scala Steward to apply them.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Summary
- `.github/workflows/auto-merge.yml` with two jobs that enable squash auto-merge on PRs from `dependabot[bot]` and `scala-steward`. Modeled on `wvlet/uni/.github/workflows/auto-merge.yml`.
- `on: pull_request_target` instead of `pull_request` so the declared `permissions:` block grants `GITHUB_TOKEN` actual write access on Dependabot-authored runs (without needing a GitHub App). The workflow never checks out PR head code, so the standard `pull_request_target` injection risk does not apply.
- `dependabot/fetch-metadata` to detect and skip `version-update:semver-major`.
- `semver-major` or `early-semver-major`.

Plan: `plans/2026-05-05-auto-merge.md`.

Scala Steward label caveat
The repo doesn't currently apply semver labels to Scala Steward PRs (only `library-update`), so the `semver-major`/`early-semver-major` guard is effectively a no-op for now. This matches wvlet/uni's behavior — its guard checks `github.event.issue.labels` which doesn't exist on PR events, so it's also a no-op there. A follow-up can tighten this by adding the labels to the repo and configuring Scala Steward to apply them. Risk is acceptable in the meantime: CI runs across JDK 8/11/17/21/24 and a slipped-through major bump can be reverted.

Prereqs
- `allow_auto_merge: true`) and squash is the default merge method.

Test plan
- `python3 -c "import yaml; yaml.safe_load(...)"`).
- `version-update:semver-major` guard).
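
A minimal workflow following the design described in the summary above, added here as an illustration; it is not the repository's actual `auto-merge.yml`. The job names, the `@v2` action tag and the use of `pull_request.user.login` to identify the two bots are assumptions.

```yaml
# Added sketch, not the repository's own workflow file.
name: auto-merge
# pull_request_target runs in the base repository's context, so the
# permissions block below takes effect even on Dependabot-authored PRs.
on: pull_request_target

permissions:
  contents: write
  pull-requests: write

jobs:
  dependabot:
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      # No actions/checkout step: PR head code is never fetched or executed,
      # which is what keeps the write-scoped token away from untrusted code.
      - id: meta
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Enable squash auto-merge unless this is a major bump
        if: steps.meta.outputs.update-type != 'version-update:semver-major'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          # Passed through env rather than interpolated into the script body.
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  scala-steward:
    # On PR events the labels live under github.event.pull_request.labels;
    # github.event.issue.labels is empty here, which turns the guard into a no-op.
    # The guard only sees labels present in the payload when the event fired.
    if: >-
      github.event.pull_request.user.login == 'scala-steward' &&
      !contains(github.event.pull_request.labels.*.name, 'semver-major') &&
      !contains(github.event.pull_request.labels.*.name, 'early-semver-major')
    runs-on: ubuntu-latest
    steps:
      - name: Enable squash auto-merge
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Because `--auto` only queues the merge, required status checks and reviews on the base branch still have to pass before GitHub merges the PR.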