feat: combine dependabot PRs via github/combine-prs #2401
Open
taddes wants to merge 1 commit into
Dependabot grouping already merges updates within each ecosystem, but it cannot merge across groups (cargo dev vs prod), across directories (pip's multiple dirs), or across ecosystems. This adds a workflow using github/combine-prs to fold the month's remaining open Dependabot PRs into one combined PR, cutting review noise. It complements dependabot.yml rather than replacing it.

Runs monthly a few days after Dependabot's batch, plus manual dispatch, and is a no-op when fewer than two PRs are open.

Caveats (we may choose not to land this because of them):

- The combined PR is opened with the default GITHUB_TOKEN, so GitHub's anti-recursion rule keeps it from triggering the pull_request workflows -- the combined PR gets no CI of its own. ci_required: true ensures each source PR passed CI individually, but the *combination* is not tested until a human closes and reopens the combined PR. Auto-CI on the combined PR would require a GitHub App token or PAT, i.e. new secrets, which this repo deliberately minimizes.
- Only branches with the "dependabot" prefix are combined; any future non-dependabot bot PRs are not swept in.
- Behavior against live PRs can only be confirmed on GitHub; trigger the workflow manually once with >= 2 open Dependabot PRs to verify.

Closes STOR-577
Summary

Adds .github/workflows/combine-dependabot-prs.yml, which uses github/combine-prs (SHA-pinned to v5.2.0) to fold the month's remaining open Dependabot PRs into a single combined PR.

Dependabot grouping already merges updates within each ecosystem, but it cannot merge:
dev-deps vs prod-deps

This sweeps up that remainder. It complements dependabot.yml, no change to the existing config.

Behavior: runs monthly (0 6 8 * *, a few days after Dependabot's monthly batch) plus manual workflow_dispatch; a no-op when fewer than 2 PRs are open. Combined PR is labeled dependencies to match Dependabot.

Caveats on why we may choose not to land this

GITHUB_TOKEN, so GitHub's anti-recursion rule prevents it from triggering the pull_request workflows — the combined PR gets no CI of its own. ci_required: true ensures each source PR passed CI individually, but the combination isn't tested until a human closes and reopens the combined PR (a human reopen fires pull_request). Auto-CI would require a GitHub App token or PAT, i.e. new secrets, which this repo deliberately minimizes. Could be a separate follow-up if desired.

dependabot prefix are combined; any future non-dependabot bot PRs won't be swept in.

Closes STOR-577
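
A sketch of a workflow matching the behavior described above, as an added example that is not the file from this PR. The workflow and job names, the permissions block and the SHA placeholder are assumptions; the input names are those of the github/combine-prs action.

```yaml
# Added example, not the PR's actual combine-dependabot-prs.yml.
name: Combine Dependabot PRs   # hypothetical workflow name

on:
  schedule:
    - cron: "0 6 8 * *"   # 06:00 UTC on the 8th, a few days after Dependabot's monthly batch
  workflow_dispatch: {}    # manual trigger, e.g. for the one-off verification run

# Assumption: grant only the scopes the action needs; unlisted scopes get no access.
permissions:
  contents: write        # create the combined branch
  pull-requests: write   # open the combined PR
  checks: read           # read each source PR's CI result for ci_required

jobs:
  combine-prs:   # hypothetical job name
    runs-on: ubuntu-latest
    steps:
      - name: Combine open Dependabot PRs
        # Placeholder: substitute the full commit SHA that the v5.2.0 tag points to.
        uses: github/combine-prs@<FULL_COMMIT_SHA_OF_v5.2.0> # v5.2.0
        with:
          # Default token: a PR opened with it does not trigger pull_request
          # workflows, so the combined PR has no CI run of its own until a
          # human closes and reopens it.
          github_token: ${{ secrets.GITHUB_TOKEN }}
          branch_prefix: dependabot   # only Dependabot branches are swept in
          ci_required: "true"         # leave out source PRs whose CI did not pass
          min_combine_number: 2       # no-op with fewer than two open PRs
          labels: dependencies        # match Dependabot's own label
```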