From 5501957986ec975bf552f693521cb5cf98b9ed82 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 21 Jan 2026 18:38:54 +0000 Subject: [PATCH 01/12] Initial plan From 387144d435ff63e75ff1dc4ddd2a8a3d12dd62be Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 21 Jan 2026 18:43:19 +0000 Subject: [PATCH 02/12] Add Dependabot automation for minor/patch updates - Updated dependabot.yml with auto-merge-minor-and-patch groups for both maven and github-actions ecosystems - Created dependabot-auto-approve.yml workflow to automatically approve minor and patch updates - Created dependabot-auto-merge.yml workflow to automatically merge approved minor and patch PRs - Extracted all external dependencies from pom files and added them to the configuration in alphabetical order Co-authored-by: thomasturrell <1552612+thomasturrell@users.noreply.github.com> --- .github/dependabot.yml | 42 +++++++++++++++++++ .github/workflows/dependabot-auto-approve.yml | 25 +++++++++++ .github/workflows/dependabot-auto-merge.yml | 26 ++++++++++++ 3 files changed, 93 insertions(+) create mode 100644 .github/workflows/dependabot-auto-approve.yml create mode 100644 .github/workflows/dependabot-auto-merge.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 5e95b1c2..eea16f09 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -11,7 +11,49 @@ updates: interval: "weekly" reviewers: - "berrycloud/reviewers" + groups: + auto-merge-minor-and-patch: + update-types: + - "minor" + - "patch" + patterns: + - "com.h2database:h2" + - "com.jayway.jsonpath:json-path-assert" + - "com.puppycrawl.tools:checkstyle" + - "com.squareup.okhttp3:mockwebserver" + - "com.squareup.okhttp3:okhttp" + - "com.squareup.okhttp3:okhttp-bom" + - "io.hypersistence:hypersistence-utils-hibernate-70" + - "io.jsonwebtoken:jjwt-api" + - "io.jsonwebtoken:jjwt-impl" + - "io.jsonwebtoken:jjwt-jackson" + - "io.netty:netty-resolver-dns-native-macos" + - "jakarta.validation:jakarta.validation-api" + - "org.hibernate.validator:hibernate-validator" + - "org.projectlombok:lombok" + - "org.springframework.boot:spring-boot-autoconfigure" + - "org.springframework.boot:spring-boot-devtools" + - "org.springframework.boot:spring-boot-jackson2" + - "org.springframework.boot:spring-boot-starter-data-jpa" + - "org.springframework.boot:spring-boot-starter-test" + - "org.springframework.boot:spring-boot-starter-validation" + - "org.springframework.boot:spring-boot-starter-web" + - "org.springframework.boot:spring-boot-starter-webflux" + - "org.springframework.boot:spring-boot-webmvc-test" + - "org.springframework.integration:spring-integration-test" - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" + groups: + auto-merge-minor-and-patch: + update-types: + - "minor" + - "patch" + patterns: + - "actions/checkout" + - "actions/create-github-app-token" + - "actions/setup-java" + - "actions/stale" + - "advanced-security/maven-dependency-submission-action" + - "github/codeql-action" diff --git a/.github/workflows/dependabot-auto-approve.yml b/.github/workflows/dependabot-auto-approve.yml new file mode 100644 index 00000000..cda1b8a6 --- /dev/null +++ b/.github/workflows/dependabot-auto-approve.yml 
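Review bot: The `patterns` list under `auto-merge-minor-and-patch` does not restrict what the two new workflows act on. `groups` only decides how Dependabot batches updates into pull requests, while the approve and merge steps later in this patch test `steps.metadata.outputs.update-type` and nothing else, so a minor or patch bump of a dependency that is not listed here would still satisfy that condition. If the list is meant as an allow-list, the step conditions should also require the group, for example `steps.metadata.outputs.dependency-group == 'auto-merge-minor-and-patch'` (fetch-metadata exposes a `dependency-group` output; confirm the value it reports for grouped PRs). The `updates:` list this hunk edits starts outside the hunk.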
@@ -0,0 +1,25 @@
+name: Dependabot Auto-Approve
+
+on: pull_request
+
+permissions:
+ pull-requests: write
+
+jobs:
+ auto-approve:
+ runs-on: ubuntu-latest
+ if: github.event.pull_request.user.login == 'dependabot[bot]'
+ steps:
+ - name: Get Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v2
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Approve minor and patch updates
+ if: steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch'
+ run: |
+ gh pr review --approve "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
new file mode 100644
index 00000000..0a4e0a04
--- /dev/null
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,26 @@
+name: Dependabot Auto-Merge
+
+on: pull_request
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ auto-merge:
+ runs-on: ubuntu-latest
+ if: github.event.pull_request.user.login == 'dependabot[bot]'
+ steps:
+ - name: Get Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@v2
+ with:
+ github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Enable auto-merge for minor and patch updates
+ if: steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch'
+ run: |
+ gh pr merge --auto --squash "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 54c3e3f817ed9748104c0131d9770a9b679fd279 Mon Sep 17 00:00:00 2001
From: Thomas Turrell-Croft
Date: Wed, 21 Jan 2026 18:57:35 +0000
Subject: [PATCH 03/12] Apply suggestion from @thomasturrell
---
.github/dependabot.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
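Review bot: `uses: dependabot/fetch-metadata@v2` resolves a mutable tag inside a job that holds `pull-requests: write` and submits approvals, so whatever that tag points to at run time executes with the token. Pin it to a full commit SHA, `uses: dependabot/fetch-metadata@<full-commit-sha> # v2`, and let Dependabot bump the pin; the same line appears in dependabot-auto-merge.yml, where the job also has `contents: write`. Separately, the job gate `github.event.pull_request.user.login == 'dependabot[bot]'` establishes who opened the pull request, not who authored the commits under review, and a bare `on: pull_request` re-runs the job on every push to the branch. A short comment above the `if:` stating that limit would help, e.g. `# PR author only; does not verify later commits on the branch`.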
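Review bot: `gh pr merge --auto --squash` in dependabot-auto-merge.yml leaves the actual gate to the target branch's protection rules; nothing in this workflow checks CI results or the approval itself. If the default branch has no required status checks or required reviews (not visible in this patch), auto-merge has nothing to wait for and the update can land as soon as the step runs. Document the dependency at the top of the file, e.g. `# Requires branch protection on the default branch: required status checks and a required approving review`, and verify those settings before relying on this workflow.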
diff --git a/.github/dependabot.yml b/.github/dependabot.yml index eea16f09..d9c0d0e1 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -8,7 +8,7 @@ updates: - package-ecosystem: "maven" # See documentation for possible values directory: "/" # Location of package manifests schedule: - interval: "weekly" + interval: "daily" reviewers: - "berrycloud/reviewers" groups: From 0b1022436acad31652c8cff2ed4d051377890da8 Mon Sep 17 00:00:00 2001 From: Thomas Turrell-Croft Date: Wed, 21 Jan 2026 19:10:15 +0000 Subject: [PATCH 04/12] Update .github/workflows/dependabot-auto-approve.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/dependabot-auto-approve.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/dependabot-auto-approve.yml b/.github/workflows/dependabot-auto-approve.yml index cda1b8a6..5c28d6dd 100644 --- a/.github/workflows/dependabot-auto-approve.yml +++ b/.github/workflows/dependabot-auto-approve.yml @@ -15,7 +15,6 @@ jobs: uses: dependabot/fetch-metadata@v2 with: github-token: "${{ secrets.GITHUB_TOKEN }}" - - name: Approve minor and patch updates if: steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch' run: | From 4a0456236fe702b015166e2c22688dc84e41c1f5 Mon Sep 17 00:00:00 2001 From: Thomas Turrell-Croft Date: Wed, 21 Jan 2026 19:10:25 +0000 Subject: [PATCH 05/12] Update .github/workflows/dependabot-auto-merge.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/dependabot-auto-merge.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index 0a4e0a04..199eb082 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml 
@@ -16,7 +16,6 @@ jobs: uses: dependabot/fetch-metadata@v2 with: github-token: "${{ secrets.GITHUB_TOKEN }}" - - name: Enable auto-merge for minor and patch updates if: steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch' run: | From 0e73cd77d4f2f4ef94d5fbef6af105220cfa7f2e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 21 Jan 2026 19:14:08 +0000 Subject: [PATCH 06/12] Address PR review feedback - Add dependabot/fetch-metadata to GitHub Actions auto-merge group - Change auto-merge workflow trigger to pull_request_review to run after approval - Ensure auto-merge only runs when review is approved Co-authored-by: thomasturrell <1552612+thomasturrell@users.noreply.github.com> --- .github/dependabot.yml | 1 + .github/workflows/dependabot-auto-merge.yml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index d9c0d0e1..04e14dae 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -56,4 +56,5 @@ updates: - "actions/setup-java" - "actions/stale" - "advanced-security/maven-dependency-submission-action" + - "dependabot/fetch-metadata" - "github/codeql-action" diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index 199eb082..5d065193 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -1,6 +1,6 @@ name: Dependabot Auto-Merge -on: pull_request +on: pull_request_review permissions: contents: write @@ -9,7 +9,7 @@ permissions: jobs: auto-merge: runs-on: ubuntu-latest - if: github.event.pull_request.user.login == 'dependabot[bot]' + if: github.event.review.state == 'approved' && github.event.pull_request.user.login == 'dependabot[bot]' steps: - name: Get Dependabot metadata id: metadata 
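Review bot: With `on: pull_request_review` this workflow will not run for the approval that dependabot-auto-approve.yml submits, because that review is created with the workflow's `GITHUB_TOKEN` and events created with that token do not start new workflow runs. As written, auto-merge is only enabled after a person or an app identity approves, which may not match the commit message's intent to "run after approval". Either record next to `on:` that a human approval is the intended trigger, e.g. `# fires on human/app reviews only; GITHUB_TOKEN reviews do not trigger workflows`, or enable auto-merge in the same job that approves. Approving with an app token instead would restore the chain but removes the human from it, so that should be a deliberate decision.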
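Review bot: The new job-level `if:` accepts any submitted review whose state is `approved` and does not look at who submitted it. Whether an approval from an account without write access counts is then left entirely to branch protection, which this patch does not show. Consider also requiring a trusted reviewer in the condition, e.g. `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association)`. The same condition is carried forward in PATCH 07/12 and PATCH 12/12.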
From 5ac1903f52cde065a0e8c78f6572465d15846d36 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 21 Jan 2026 19:15:20 +0000 Subject: [PATCH 07/12] Add action check to auto-merge workflow - Ensure workflow only runs when review is submitted (not dismissed or other events) - Add github.event.action == 'submitted' check for better event filtering Co-authored-by: thomasturrell <1552612+thomasturrell@users.noreply.github.com> --- .github/workflows/dependabot-auto-merge.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index 5d065193..1f6e6ace 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -9,7 +9,7 @@ permissions: jobs: auto-merge: runs-on: ubuntu-latest - if: github.event.review.state == 'approved' && github.event.pull_request.user.login == 'dependabot[bot]' + if: github.event.action == 'submitted' && github.event.review.state == 'approved' && github.event.pull_request.user.login == 'dependabot[bot]' steps: - name: Get Dependabot metadata id: metadata From 66afc7ea8485d4f185266be90f47caf0323c4a63 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 21 Jan 2026 19:30:27 +0000 Subject: [PATCH 08/12] Add Maven plugin dependencies to auto-merge group - Added 11 Maven plugin dependencies to auto-merge-minor-and-patch group - Includes maven-checkstyle-plugin, maven-compiler-plugin, maven-failsafe-plugin, maven-gpg-plugin, maven-javadoc-plugin, maven-release-plugin, maven-source-plugin, maven-surefire-plugin, lifecycle-mapping, jacoco-maven-plugin, and central-publishing-maven-plugin - Total Maven dependencies now: 35 (24 runtime + 11 plugins) - Plugins follow semantic versioning and minor/patch updates are safe to auto-merge with CI validation Co-authored-by: thomasturrell <1552612+thomasturrell@users.noreply.github.com> --- .github/dependabot.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 04e14dae..d029e6df 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -29,8 +29,19 @@ updates: - "io.jsonwebtoken:jjwt-jackson" - "io.netty:netty-resolver-dns-native-macos" - "jakarta.validation:jakarta.validation-api" + - "org.apache.maven.plugins:maven-checkstyle-plugin" + - "org.apache.maven.plugins:maven-compiler-plugin" + - "org.apache.maven.plugins:maven-failsafe-plugin" + - "org.apache.maven.plugins:maven-gpg-plugin" + - "org.apache.maven.plugins:maven-javadoc-plugin" + - "org.apache.maven.plugins:maven-release-plugin" + - "org.apache.maven.plugins:maven-source-plugin" + - "org.apache.maven.plugins:maven-surefire-plugin" + - "org.eclipse.m2e:lifecycle-mapping" - "org.hibernate.validator:hibernate-validator" + - "org.jacoco:jacoco-maven-plugin" - "org.projectlombok:lombok" + - "org.sonatype.central:central-publishing-maven-plugin" - "org.springframework.boot:spring-boot-autoconfigure" - "org.springframework.boot:spring-boot-devtools" - "org.springframework.boot:spring-boot-jackson2" 
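Review bot: `maven-gpg-plugin`, `maven-release-plugin` and `central-publishing-maven-plugin` run in the release path, where signing keys and publishing credentials are presumably available, so a bad release of one of them has more reach than a test-scoped library. Semantic versioning says nothing about whether a release is trustworthy, and build plugins execute during the very build that CI uses as the gate. Consider keeping these three on manual review, with a comment in the file such as `# release/signing plugins: reviewed by a human, not auto-merged`.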
From baee6907f94944d9cb02bdb8cb4b2b9d8eacadd9 Mon Sep 17 00:00:00 2001 From: Thomas Turrell-Croft Date: Wed, 21 Jan 2026 19:39:28 +0000 Subject: [PATCH 09/12] Update .github/workflows/dependabot-auto-approve.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/dependabot-auto-approve.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/dependabot-auto-approve.yml b/.github/workflows/dependabot-auto-approve.yml index 5c28d6dd..b4235dc7 100644 --- a/.github/workflows/dependabot-auto-approve.yml +++ b/.github/workflows/dependabot-auto-approve.yml @@ -1,6 +1,8 @@ name: Dependabot Auto-Approve -on: pull_request +on: + pull_request: + types: [opened, reopened] permissions: pull-requests: write From 0d76b1753e5eaa81c042f4584a5022e65a3ceb31 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 21 Jan 2026 19:46:05 +0000 Subject: [PATCH 10/12] Apply PR review feedback - Change GITHUB_TOKEN to GH_TOKEN in both workflows to match repo pattern - Add org.springframework.boot:spring-boot-starter-parent to auto-merge group - Total Maven dependencies now: 36 (24 runtime + 11 plugins + 1 parent) Co-authored-by: thomasturrell <1552612+thomasturrell@users.noreply.github.com> --- .github/dependabot.yml | 1 + .github/workflows/dependabot-auto-approve.yml | 2 +- .github/workflows/dependabot-auto-merge.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index d029e6df..5973f494 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
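Review bot: With `types: [opened, reopened]` the approval is issued once and is not re-evaluated when the branch changes. Unless branch protection dismisses stale approvals on new commits (not visible here), that approval keeps counting for commits pushed later, whoever pushes them; if it does dismiss them, Dependabot's own rebases will drop the approval and nothing re-approves. State which setting is relied on at the trigger, e.g. `# approval is not refreshed on synchronize; relies on "dismiss stale approvals" in branch protection`.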
@@ -46,6 +46,7 @@ updates: - "org.springframework.boot:spring-boot-devtools" - "org.springframework.boot:spring-boot-jackson2" - "org.springframework.boot:spring-boot-starter-data-jpa" + - "org.springframework.boot:spring-boot-starter-parent" - "org.springframework.boot:spring-boot-starter-test" - "org.springframework.boot:spring-boot-starter-validation" - "org.springframework.boot:spring-boot-starter-web" diff --git a/.github/workflows/dependabot-auto-approve.yml b/.github/workflows/dependabot-auto-approve.yml index b4235dc7..877f4c60 100644 --- a/.github/workflows/dependabot-auto-approve.yml +++ b/.github/workflows/dependabot-auto-approve.yml @@ -23,4 +23,4 @@ jobs: gh pr review --approve "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index 1f6e6ace..bf94c324 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -22,4 +22,4 @@ jobs: gh pr merge --auto --squash "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ github.token }} From a83e9fbeb8ef32741268d1ca2d7b89624dea4858 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 21 Jan 2026 19:47:18 +0000 Subject: [PATCH 11/12] Fix token consistency in workflows - Use github.token for dependabot/fetch-metadata action in both workflows - Ensures consistent token usage across all workflow steps - Matches repo pattern of using github.token instead of secrets.GITHUB_TOKEN Co-authored-by: thomasturrell <1552612+thomasturrell@users.noreply.github.com> --- .github/workflows/dependabot-auto-approve.yml | 2 +- .github/workflows/dependabot-auto-merge.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
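Review bot: `org.springframework.boot:spring-boot-starter-parent` is a parent POM, so a single minor bump of it moves the managed versions of many dependencies at once and the `semver-minor` label on that pull request understates how much code changes. Consider treating it as a manual-review update, or at least marking the entry with a comment such as `# parent POM: one bump moves many managed versions` so the exception is a conscious one.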
diff --git a/.github/workflows/dependabot-auto-approve.yml b/.github/workflows/dependabot-auto-approve.yml index 877f4c60..4d521caf 100644 --- a/.github/workflows/dependabot-auto-approve.yml +++ b/.github/workflows/dependabot-auto-approve.yml @@ -16,7 +16,7 @@ jobs: id: metadata uses: dependabot/fetch-metadata@v2 with: - github-token: "${{ secrets.GITHUB_TOKEN }}" + github-token: "${{ github.token }}" - name: Approve minor and patch updates if: steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch' run: | diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index bf94c324..ff46c175 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -15,7 +15,7 @@ jobs: id: metadata uses: dependabot/fetch-metadata@v2 with: - github-token: "${{ secrets.GITHUB_TOKEN }}" + github-token: "${{ github.token }}" - name: Enable auto-merge for minor and patch updates if: steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch' run: | From 27d554590653d5936bd40cb0d5aa7c4833d59d29 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 21 Jan 2026 19:54:23 +0000 Subject: [PATCH 12/12] Use activity type in pull_request_review trigger - Move 'submitted' from if condition to trigger types - Cleaner and more idiomatic GitHub Actions syntax - Simplifies the if condition by removing redundant action check Co-authored-by: thomasturrell <1552612+thomasturrell@users.noreply.github.com> --- .github/workflows/dependabot-auto-merge.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index ff46c175..f8409ae5 100644 --- a/.github/workflows/dependabot-auto-merge.yml 
+++ b/.github/workflows/dependabot-auto-merge.yml @@ -1,6 +1,8 @@ name: Dependabot Auto-Merge -on: pull_request_review +on: + pull_request_review: + types: [submitted] permissions: contents: write @@ -9,7 +11,7 @@ permissions: jobs: auto-merge: runs-on: ubuntu-latest - if: github.event.action == 'submitted' && github.event.review.state == 'approved' && github.event.pull_request.user.login == 'dependabot[bot]' + if: github.event.review.state == 'approved' && github.event.pull_request.user.login == 'dependabot[bot]' steps: - name: Get Dependabot metadata id: metadata