Automate Dependabot minor/patch PR approvals & merges #476
Conversation
- Updated dependabot.yml with auto-merge-minor-and-patch groups for both maven and github-actions ecosystems
- Created dependabot-auto-approve.yml workflow to automatically approve minor and patch updates
- Created dependabot-auto-merge.yml workflow to automatically merge approved minor and patch PRs
- Extracted all external dependencies from pom files and added them to the configuration in alphabetical order

Co-authored-by: thomasturrell <1552612+thomasturrell@users.noreply.github.com>
Pull request overview
Automates handling of Dependabot minor/patch updates by grouping them and adding GitHub Actions workflows to auto-approve and enable auto-merge, while leaving major updates for manual review.
Changes:
- Added Dependabot grouping for minor/patch updates in Maven and GitHub Actions ecosystems.
- Introduced a workflow to auto-approve Dependabot minor/patch PRs using fetched metadata.
- Introduced a workflow to enable auto-merge (squash) for Dependabot minor/patch PRs.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/dependabot.yml | Adds grouped minor/patch update configuration for Maven and GitHub Actions dependencies. |
| .github/workflows/dependabot-auto-approve.yml | Auto-approves Dependabot PRs based on semver update type metadata. |
| .github/workflows/dependabot-auto-merge.yml | Enables GitHub auto-merge for Dependabot PRs when update type is minor/patch. |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@copilot apply changes based on the comments in this thread
- Add dependabot/fetch-metadata to GitHub Actions auto-merge group
- Change auto-merge workflow trigger to pull_request_review to run after approval
- Ensure auto-merge only runs when review is approved

Co-authored-by: thomasturrell <1552612+thomasturrell@users.noreply.github.com>
Applied all changes from the review thread in commit 0e73cd7:
- Ensure workflow only runs when review is submitted (not dismissed or other events)
- Add github.event.action == 'submitted' check for better event filtering

Co-authored-by: thomasturrell <1552612+thomasturrell@users.noreply.github.com>
@copilot should the java plugin dependencies be added too? I am not sure so evaluate the pros and cons of this suggestion and then add them if the pros outweigh the cons.
- Added 11 Maven plugin dependencies to auto-merge-minor-and-patch group
- Includes maven-checkstyle-plugin, maven-compiler-plugin, maven-failsafe-plugin, maven-gpg-plugin, maven-javadoc-plugin, maven-release-plugin, maven-source-plugin, maven-surefire-plugin, lifecycle-mapping, jacoco-maven-plugin, and central-publishing-maven-plugin
- Total Maven dependencies now: 35 (24 runtime + 11 plugins)
- Plugins follow semantic versioning and minor/patch updates are safe to auto-merge with CI validation

Co-authored-by: thomasturrell <1552612+thomasturrell@users.noreply.github.com>
Evaluation: Pros outweigh cons - Added Maven plugins in commit 66afc7e

PROS:

CONS:

Decision: Added 11 Maven plugins since:

Added: maven-checkstyle-plugin, maven-compiler-plugin, maven-failsafe-plugin, maven-gpg-plugin, maven-javadoc-plugin, maven-release-plugin, maven-source-plugin, maven-surefire-plugin, lifecycle-mapping, jacoco-maven-plugin, central-publishing-maven-plugin
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
- Change GITHUB_TOKEN to GH_TOKEN in both workflows to match repo pattern
- Add org.springframework.boot:spring-boot-starter-parent to auto-merge group
- Total Maven dependencies now: 36 (24 runtime + 11 plugins + 1 parent)

Co-authored-by: thomasturrell <1552612+thomasturrell@users.noreply.github.com>

- Use github.token for dependabot/fetch-metadata action in both workflows
- Ensures consistent token usage across all workflow steps
- Matches repo pattern of using github.token instead of secrets.GITHUB_TOKEN

Co-authored-by: thomasturrell <1552612+thomasturrell@users.noreply.github.com>

- Move 'submitted' from if condition to trigger types
- Cleaner and more idiomatic GitHub Actions syntax
- Simplifies the if condition by removing redundant action check

Co-authored-by: thomasturrell <1552612+thomasturrell@users.noreply.github.com>
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.
Dependabot Automation Implementation Plan
- `.github/dependabot.yml` with auto-merge-minor-and-patch group containing all dependencies
- `.github/workflows/dependabot-auto-approve.yml` workflow to auto-approve minor/patch updates
- `.github/workflows/dependabot-auto-merge.yml` workflow to auto-merge approved PRs

Summary
Successfully implemented Dependabot automation for minor and patch version updates with all feedback addressed.
Changes Made:

Updated `.github/dependabot.yml`:
- `auto-merge-minor-and-patch` group for Maven with 36 dependencies (24 runtime + 11 build plugins + 1 parent POM)
- `auto-merge-minor-and-patch` group for GitHub Actions with 7 actions

Created `.github/workflows/dependabot-auto-approve.yml`:
- `dependabot/fetch-metadata@v2` to determine update type
- `opened` and `reopened` events to avoid duplicate approvals
- `github.token` consistently for all authentication

Created `.github/workflows/dependabot-auto-merge.yml`:
- `submitted` activity type
- `github.token` consistently for all authentication

Result:
✅ Minor and patch updates automatically approved and merged
✅ Major version updates require manual review (no automation)
✅ All YAML files validated successfully
✅ Auto-merge workflow properly sequenced after approval
✅ Proper event filtering with activity types
✅ All PR review feedback addressed
✅ Maven plugin dependencies and parent POM included
✅ Consistent token usage across all workflow steps
✅ Idiomatic GitHub Actions syntax
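The grouping and gating the summary above describes, reconstructed as an added example rather than the PR's actual files: a `dependabot.yml` group restricted to minor/patch update types for both ecosystems, and an auto-merge workflow that runs on `pull_request_review` with the `submitted` type, proceeds only for an approved review on a Dependabot-authored PR, re-checks the semver class with `dependabot/fetch-metadata@v2`, and enables squash auto-merge. Only a few dependency names quoted from the PR are listed (the PR lists 36 Maven entries and 7 actions), and the merge step assumes branch protection requires CI before auto-merge completes.

```yaml
# --- .github/dependabot.yml (added example) ---
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      auto-merge-minor-and-patch:
        # The PR lists every dependency explicitly; two of its entries shown here.
        patterns:
          - "org.springframework.boot:spring-boot-starter-parent"
          - "org.apache.maven.plugins:maven-compiler-plugin"
        update-types: ["minor", "patch"]   # majors stay ungrouped: manual review
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      auto-merge-minor-and-patch:
        patterns: ["dependabot/fetch-metadata"]   # one of the 7 actions in the PR
        update-types: ["minor", "patch"]
---
# --- .github/workflows/dependabot-auto-merge.yml (added example) ---
name: Dependabot auto-merge
on:
  pull_request_review:
    types: [submitted]           # fires once per submitted review, not on dismissal
permissions:
  contents: write                # needed by `gh pr merge`
  pull-requests: write
jobs:
  auto-merge:
    # Only approved reviews on PRs authored by Dependabot reach the steps below.
    if: github.event.review.state == 'approved' && github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - id: meta
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ github.token }}
      # Gate on the semver class Dependabot reports, never on the PR title.
      - if: steps.meta.outputs.update-type == 'version-update:semver-minor' || steps.meta.outputs.update-type == 'version-update:semver-patch'
        env:
          GH_TOKEN: ${{ github.token }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        # --auto waits for required status checks; assumes branch protection requires CI.
        run: gh pr merge --auto --squash "$PR_URL"
```

Reviews submitted with the repository's `github.token` do not trigger new workflow runs, so this `pull_request_review` job fires for approvals from a human or a GitHub App token rather than from the Actions bot's own approval.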