From 4323c7bd9c9aa9a599a2a6b233c5b2edc4def991 Mon Sep 17 00:00:00 2001 From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> Date: Wed, 14 Jan 2026 16:42:50 -0500 Subject: [PATCH 1/2] update Dependabot config Signed-off-by: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> --- .github/dependabot.yml | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index fa561f91..e841f324 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,21 +6,31 @@ version: 2 updates: - package-ecosystem: github-actions - directory: / + directory: /.github/workflows schedule: - interval: weekly - time: '12:00' + interval: "quarterly" groups: actions: patterns: - "*" + update-types: + - patch + - minor + - major + cooldown: + default-days: 7 - package-ecosystem: pip - directory: / + directory: /CI schedule: - interval: weekly - time: '12:00' + interval: "quarterly" groups: python: patterns: - - "*" + - "requirements_ci.*" + update-types: + - patch + - minor + - major + cooldown: + default-days: 7 From 0343b2ba613ea6534b9d4b9b33d7fe1f8550962f Mon Sep 17 00:00:00 2001 From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> Date: Wed, 14 Jan 2026 16:45:08 -0500 Subject: [PATCH 2/2] Add workflow for automatic Dependabot PR approval Signed-off-by: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com> --- .github/workflows/auto-accept-ci-changes.yml | 71 ++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 .github/workflows/auto-accept-ci-changes.yml diff --git a/.github/workflows/auto-accept-ci-changes.yml b/.github/workflows/auto-accept-ci-changes.yml new file mode 100644 index 00000000..bc1ae8af --- /dev/null +++ b/.github/workflows/auto-accept-ci-changes.yml 
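Review bot: The `update-types` lists added under both the `actions` and `python` groups bundle `patch`, `minor` and `major` bumps into one quarterly PR, which interacts badly with the auto-approval workflow added in the second patch: that workflow skips whenever `fetch-metadata` reports anything other than `semver-minor`/`semver-patch`, and for a grouped PR that output reflects, as I understand it, the highest change in the group, so a single major bump blocks auto-merge of every patch/minor bump travelling with it. If the goal is hands-off handling of small updates, split each group in two, e.g. `actions-minor` with `update-types: [patch, minor]` and `actions-major` with `update-types: [major]`, so majors land in their own PR for manual review. The new `cooldown: default-days: 7` deserves a one-line comment on its purpose, e.g. `# wait a week so yanked or compromised releases are caught upstream before we pick them up`, since it reads as an unexplained knob otherwise.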
@@ -0,0 +1,71 @@
+name: Dependabot CI Updates
+
+on:
+ pull_request:
+ branches:
+ - main
+ types:
+ - opened
+ - synchronize
+
+permissions:
+ contents: read
+
+jobs:
+ dependabot-auto-approve:
+ name: Auto-approve and auto-merge safe Dependabot updates
+ runs-on: ubuntu-latest
+ if: >
+ github.event.pull_request.user.login == 'dependabot[bot]' &&
+ contains(github.event.pull_request.labels.*.name, 'dependencies')
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+ with:
+ disable-sudo: true
+ egress-policy: audit
+
+ - name: Fetch Dependabot metadata
+ id: dependabot-metadata
+ uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Stop workflow if not minor update or patch update
+ id: skip-condition
+ if: >
+ steps.dependabot-metadata.outputs.update-type != 'version-update:semver-minor' &&
+ steps.dependabot-metadata.outputs.update-type != 'version-update:semver-patch'
+ run: |
+ echo "Not a minor or patch update; skipping auto-approval."
+ echo "skip=true" >> $GITHUB_OUTPUT
+
+ - name: Checkout Repository
+ if: steps.skip-condition.outputs.skip != 'true'
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ with:
+ persist-credentials: false
+
+ - name: Approve Changes
+ if: steps.skip-condition.outputs.skip != 'true'
+ run: |
+ decision="$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)"
+ if [ "$decision" != "APPROVED" ]; then
+ gh pr review --approve "$PR_URL"
+ else
+ echo "PR already approved: skipping approval."
+ fi
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_URL: ${{ github.event.pull_request.html_url }}
+
+ - name: Enable auto-merge on Pull Request
+ if: steps.skip-condition.outputs.skip != 'true'
+ run: |
+ gh pr merge --auto --merge "$PR_URL"
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_URL: ${{ github.event.pull_request.html_url }}
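Review bot: The guard in `Approve Changes` reads `.currentBranch.reviewDecision` from `gh pr status`, but on a `pull_request` event `actions/checkout` leaves the workspace on a detached merge ref, so `gh` most likely has no current branch to resolve and `decision` comes back empty, which turns the check into an unconditional approve. Since `PR_URL` is already in the step's env, `decision="$(gh pr view "$PR_URL" --json reviewDecision -q .reviewDecision)"` queries the PR directly and also makes the `Checkout Repository` step unnecessary. The `synchronize` trigger means a human push to a Dependabot branch re-runs this job with the PR author still `dependabot[bot]`; if the design relies on `fetch-metadata`'s default commit verification to fail the job in that case, a comment on the `Fetch Dependabot metadata` step should record it, e.g. `# default verification fails the job when the head commit is not Dependabot's signed commit`. `egress-policy: audit` only logs outbound connections; once an audit run has shown which hosts this job needs, a job holding a `contents: write` token is a good candidate for `egress-policy: block` with an `allowed-endpoints` list.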