diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml new file mode 100644 index 00000000..c223994b --- /dev/null +++ b/.github/workflows/auto-merge.yml @@ -0,0 +1,41 @@ +name: auto-merge +# pull_request_target runs in the base-branch context, which is required so +# that GITHUB_TOKEN gets the write permissions declared below even for PRs +# opened by Dependabot (which would otherwise receive a read-only token on +# regular pull_request events). This workflow never checks out PR head code, +# so the usual pull_request_target injection risk does not apply. +on: pull_request_target + +permissions: + contents: write + pull-requests: write + +jobs: + auto-merge-dependabot: + name: Auto-Merge Dependabot PRs + runs-on: ubuntu-latest + if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} + steps: + - name: Dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@v2 + - name: Enable auto-merge for non-major updates + if: ${{ steps.metadata.outputs.update-type != 'version-update:semver-major' }} + run: gh pr merge --squash --auto "${{ github.event.pull_request.html_url }}" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + auto-merge-scala-steward: + name: Auto-Merge Scala Steward PRs + runs-on: ubuntu-latest + if: ${{ github.event.pull_request.user.login == 'scala-steward' }} + steps: + # Skip auto-merge if the PR carries a semver-major label. Note: this repo + # does not yet apply semver labels to Scala Steward PRs, so this guard is + # a no-op until early-semver-* labels are added to the repo and Scala + # Steward is configured to apply them. + - name: Enable auto-merge for non-major updates + if: ${{ !contains(github.event.pull_request.labels.*.name, 'semver-major') && !contains(github.event.pull_request.labels.*.name, 'early-semver-major') }} + run: gh pr merge --squash --auto "${{ github.event.pull_request.html_url }}" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/plans/2026-05-05-auto-merge.md b/plans/2026-05-05-auto-merge.md new file mode 100644 index 00000000..0b43e132 --- /dev/null +++ b/plans/2026-05-05-auto-merge.md @@ -0,0 +1,84 @@ +# Add auto-merge GitHub Actions workflow + +## Goal + +Add a workflow that automatically enables auto-merge on PRs from trusted bots +(Dependabot and Scala Steward) for non-major version bumps, mirroring the +pattern used in `wvlet/uni/.github/workflows/auto-merge.yml`. + +## Context + +- Recent PR history shows the repo regularly receives many bot PRs: + - `dependabot[bot]` — for GitHub Actions version bumps + - `scala-steward` — for Scala/sbt/Java library updates +- These currently require manual merge from the maintainer. +- Repo settings already allow auto-merge (`allow_auto_merge: true`) and squash + is the default merge method. +- CI passes branch-protection checks on PRs; once a PR is approved and CI is + green, GitHub will merge it automatically. + +## Differences from wvlet/uni + +- **No GitHub App token.** wvlet/uni uses a GitHub App (`APP_ID` + + `APP_PRIVATE_KEY`) to bypass the read-only `GITHUB_TOKEN` that GitHub + hands to `pull_request` workflows triggered by Dependabot. msgpack/msgpack-java + doesn't have that App configured, so this workflow uses + `on: pull_request_target` instead — that event runs in the base-branch + context where the workflow's declared `permissions:` block actually grants + write access to `GITHUB_TOKEN`. We never check out PR head code, so the + usual `pull_request_target` injection risk does not apply. +- **Scala Steward actor is `scala-steward`**, not wvlet/uni's + `scala-steward-wvlet[bot]` or `xerial-bot` (visible in `gh pr list`). +- **Filter on `github.event.pull_request.user.login`**, not `github.actor`, + because under `pull_request_target` the latter can resolve to the merger + rather than the PR author. + +## Plan + +1. Add `.github/workflows/auto-merge.yml` with two jobs: + - **auto-merge-dependabot**: triggers when + `github.event.pull_request.user.login == 'dependabot[bot]'`, uses + `dependabot/fetch-metadata@v2` to read the update type, and runs + `gh pr merge --squash --auto` only when the update is **not** + `version-update:semver-major`. + - **auto-merge-scala-steward**: triggers when + `github.event.pull_request.user.login == 'scala-steward'` and + auto-merges unless the PR carries a `semver-major` or + `early-semver-major` label. +2. Set workflow-level `permissions` to the minimum required: + `contents: write` and `pull-requests: write`. +3. Use `GITHUB_TOKEN` directly via `env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`. + +### Scala Steward label caveat + +This repo's current Scala Steward PRs only carry `library-update` (and +sometimes `internal`) — no semver labels are configured upstream, so the +`semver-major` / `early-semver-major` guard is effectively a no-op until: +- The labels are added to the repo (Scala Steward only applies labels that + already exist), and +- Scala Steward is configured (e.g. via `.scala-steward.conf`) to attach + them. + +This matches the same caveat in the wvlet/uni reference implementation, +which uses `semver-spec-major` against `github.event.issue.labels` (not even +the right field on a PR event) — so its guard is also effectively a no-op +in practice. We accept the same trade-off here: most Scala Steward PRs are +patch/minor library updates, CI runs across JDK 8/11/17/21/24 and will fail +the merge-readiness checks if anything regresses, and a major bump that +slips through can be reverted. A follow-up could tighten this by setting up +proper semver labels. + +## Out of scope + +- Setting up a GitHub App for elevated bot identity. +- Auto-approving PRs (a human approval may still be required by branch + protection — auto-merge will simply wait for it). +- Changing branch protection rules. +- Configuring Scala Steward to apply semver labels (see caveat above). + +## Validation + +- Lint the YAML by checking the file parses (visual review + actionlint if + available). +- After merge, watch the next dependabot/scala-steward PR to confirm + auto-merge gets enabled.