Enable event-driven Dependabot auto-merge#122
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Switch Dependabot auto-merge from schedule-only polling to event-driven retries so eligible dependency bump PRs are queued for auto-merge as soon as they appear and after trusted checks finish.
Problem
The existing auto-merge workflow only ran on
scheduleandworkflow_dispatch. In practice that left green Dependabot PRs waiting for the next cron tick, and GitHub's scheduled workflow timing is not precise enough to give fast merges.Solution
Trigger the auto-merge workflow on
pull_request_targetfor Dependabot PR metadata changes and on successful trustedworkflow_runcompletions for the CI, actionlint, typos, and zizmor workflows. Keep the existing merge policy for cargo updates and non-major GitHub Actions bumps, and keep the workflow metadata-only with documentedzizmorsuppressions instead of checking out or executing PR code.Scope
Included:
.github/workflows/auto_merge.ymltrigger and selection logic updates.Not included: changes to branch protection, Dependabot schedules, or release automation.
Validation
actionlint -colorzizmor --min-severity medium .cargo +nightly fmt --checkcargo +nightly clippy --all-targets --all-features -- -D warningscargo +nightly build --features debug-tracingcargo +nightly test --lockedRisks
This still relies on privileged GitHub Actions triggers (
pull_request_targetandworkflow_run) because normalpull_requestruns cannot merge Dependabot PRs. The workflow remains metadata-only and does not check out or execute PR contents, but reviewers should still look closely at any future edits to this workflow.