fix: resolve dependabot auto-merge workflow issues #885
- Remove invalid 'metadata: read' permission that causes GitHub Actions validation error
- Fix auto-merge API endpoint to use correct format with auto_merge parameter
- Improve label checking logic to be more permissive for Dependabot PRs
- Replace gh CLI commands with curl for better compatibility and consistency
- Ensure workflow only runs on upstream repository to prevent fork failures

Fixes auto-merge functionality for Dependabot PRs and resolves workflow validation errors.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: MitaliBhalla
@MitaliBhalla: all tests passed!
Codecov Report
✅ All modified and coverable lines are covered by tests.

@@           Coverage Diff           @@
##             main     #885   +/-   ##
=======================================
  Coverage   52.91%   52.91%
=======================================
  Files          86       86
  Lines        6525     6525
=======================================
  Hits         3453     3453
  Misses       2610     2610
  Partials      462      462
| -H "Authorization: Bearer $GH_TOKEN" \ | ||
| "https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/merge" \ | ||
| -d '{"merge_method":"merge"}') | ||
| "https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}" \ |
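Review bot: /pulls/{number} on the last line is the REST "update a pull request" endpoint, whose documented body fields are title, body, state, base and maintainer_can_modify; auto_merge is reported in the pull request response but is not one of the fields a request body can set, so the call can return success without enabling anything. Enable auto-merge through the GraphQL enablePullRequestAutoMerge mutation instead, and have the step check that auto_merge is non-null on the pull request afterwards before it reports success.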
Have you ever successfully used auto-merge for a PR before, but found it unstable or not working in certain scenarios?
I can see you use the GitHub REST API; I'm not sure whether auto-merge is actually supported. I found this discussion (https://github.com/orgs/community/discussions/24719), and a recent reply in 2025 suggests it's still unavailable?
| -H "Accept: application/vnd.github+json" \ | ||
| -H "Authorization: Bearer $GH_TOKEN" \ | ||
| "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \ | ||
| -d '{"body":"🚨 **Major Version Update Detected** 🚨\n\nThis PR contains a major version update that requires manual review:\n- **Dependency:** ${{ steps.metadata.outputs.dependency-names }}\n- **Previous version:** ${{ steps.metadata.outputs.previous-version }}\n- **New version:** ${{ steps.metadata.outputs.new-version }}\n\nPlease review the changelog and breaking changes before merging.\n\nAuto-merge has been **disabled** for this PR."}' |
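Review bot: the -d payload on the last line splices ${{ steps.metadata.outputs.dependency-names }}, previous-version and new-version into a single-quoted shell string, and Actions expands those expressions before the shell parses the script, so a ' in any value ends the string and the rest is parsed as shell, while a " or backslash corrupts the JSON. Map the three outputs to env: variables on the step, reference them in the script as quoted shell variables, and build the body with jq -n --arg so the values are only ever handled as data.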
If the dependency name contains " or special characters, it can break the JSON structure; it may be better to use jq to handle any JSON escaping.
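The escaping problem raised in the comment above, as an added example that is not part of the PR or the project's workflow. The function names, the variable names and the sample dependency name are constructed for illustration, and jq is assumed to be installed.

```shell
#!/bin/sh
# Added illustration; names and sample values are constructed, not from the PR.
# In the workflow the three values would reach the script through an env: block
# (e.g. DEP mapped from steps.metadata.outputs.dependency-names), never by
# writing the ${{ }} expression inside the script text.

# Constructed dependency name with a double quote, a backslash and a single quote.
SAMPLE_DEP='evil"pkg\name'\''s'

# Pattern from the hunk: the value is pasted into hand-written JSON text.
naive_body() {
  printf '{"body":"Dependency: %s"}' "$1"
}

# jq receives each value as data via --arg and escapes it while encoding.
jq_body() {
  jq -cn --arg dep "$1" --arg prev "$2" --arg new "$3" \
    '{body: "Major version update\n- Dependency: \($dep)\n- Previous version: \($prev)\n- New version: \($new)"}'
}

# Succeeds only when stdin parses as JSON.
is_valid_json() {
  jq -e . >/dev/null 2>&1
}

# Demo: the naive body is rejected by a JSON parser, the jq body is accepted.
if naive_body "$SAMPLE_DEP" | is_valid_json; then
  echo "naive: valid JSON"
else
  echo "naive: broken JSON"
fi
jq_body "$SAMPLE_DEP" 1.2.3 2.0.0
# The jq output can be piped straight to: curl ... -d @-
```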
What type of PR is this?
What this PR does / Why we need it?
This PR fixes critical issues in the Dependabot auto-merge workflow that were preventing automatic merging of dependency updates:
- metadata: read permission that was causing workflow validation failures
- gh CLI commands with curl for better runner compatibility

These fixes will enable automatic merging of patch and minor version dependency updates while requiring manual review for major version updates.
Which Jira/Github issue(s) does this PR fix?
Special notes for your reviewer
- /pulls/{pull_number} with auto_merge parameter)
- area/dependency, dependencies, or any PR from dependabot[bot]
- curl for consistency and better error handling

Unit Test Coverage
Test coverage checks
This PR modifies GitHub Actions workflow configuration only - no application code changes that would require unit tests.
Pre-checks (if applicable)
Workflow changes are backward compatible and will improve existing Dependabot PR handling.
/label tide/merge-method-squash