Skip to content

Dependabot auto-merge: block major bumps, notify on breaking changes, group patch/minor updates, bypass CI checks#745

Open
Copilot wants to merge 4 commits intomainfrom
copilot/automate-dependency-approval-merge
Open

Dependabot auto-merge: block major bumps, notify on breaking changes, group patch/minor updates, bypass CI checks#745
Copilot wants to merge 4 commits intomainfrom
copilot/automate-dependency-approval-merge

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Mar 25, 2026
edited
Loading

The existing dependabot-auto-merge.yml unconditionally approved all Dependabot PRs — including major version bumps — and contained a faulty security-patch step whose condition (package-ecosystem != '') was always true, risking double-merge attempts.

dependabot-auto-merge.yml

  • Removed unconditional gh pr review --approve that approved even major semver bumps
  • Added Check for breaking changes step detecting:
    • version-update:semver-major from Dependabot metadata
    • Keywords in PR title/body: breaking change(s), BREAKING CHANGE:, incompatible change, breaking update
  • Non-breaking (patch/minor): auto-approve + gh pr merge --squash --admin — merges immediately without waiting for CI checks; --admin bypasses any required-status-check branch protection rules so persistent CI failures cannot block routine dependency bumps
  • Breaking: post a blocking comment explaining the reason and next steps; add breaking-change label (continue-on-error: true)
  • Removed the Auto-merge security patches step — its logic was wrong and patch/minor security fixes are handled correctly by the general filter
  • Added ready_for_review to PR event triggers

dependabot.yml

  • Added groups: non-breaking-deps (patch + minor) to all 7 directory entries — multiple same-type bumps per directory are now batched into one PR per week instead of individual PRs
  • Major updates remain ungrouped, surfacing as individual PRs that require manual review
Original prompt

Automate the approval and merging process for dependency update Pull Requests (PRs) in the "MightyPrytanis/codebase" repository. Specifically:

  1. Auto-Approve Non-Breaking Dependency Bumps:

    • Set up a GitHub Action that automatically approves and merges dependency update PRs initiated by Dependabot or other dependency management tools.
    • Filter out PRs that potentially include breaking changes by analyzing the PR title, description, or labels (e.g., presence of "breaking change" or major version updates).

  2. Handle Breaking Changes:

    • Prevent auto-approval and merging for PRs that contain breaking changes, require manual intervention, or need user-defined attention.
    • Notify maintainers (e.g., via GitHub issues or comments) when such PRs are blocked from auto-merging for further action.

  3. Skip Unnecessary Manual Intervention:

    • Ensure failed builds, merge conflicts, or other issues that require outside resolution are properly flagged while excluding PRs that pass these checks from manual approval.

Deliverables:

  • Dependabot configuration to define dependency update policies.
  • GitHub Actions workflow YAML to implement the above automation.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: I want all "bumps" in codebase dependencies to be auto approved unless they are breaking changes. I never want to see another PR for a "bump" waiting for my approval or Intervention again unless it is an issue only I can resolve properly.

Assistant: You'd like to automate the approval and merging of dependency update PRs in your repository unless they include breaking changes or require manual intervention on your part. Here’s how you can set it up in your repository:

High-Level Steps:

  1. Use GitHub Actions and Dependabot for Dependency Bumps:

    • GitHub Dependabot creates pull requests for dependency updates which you can configure.
    • To auto-approve and merge PRs that don’t contain breaking changes, you’ll need a GitHub Actions workflow tailored for this process.

  2. Filter Out Breaking Changes:

    • Dependabot's PR descriptions contain metadata to indicate whether the update includes potential breaking changes. You can define conditions in your workflow to detect and skip those PRs.

  3. Auto-Approval and Auto-Merge Workflows:

    • Set up a GitHub Actions workflow for detecting non-breaking dependency bumps.
    • Automatically approve and merge these PRs unless certain flagged keywords (e.g., "breaking change") or conditions appear.

  4. Restrict Manual Intervention (Only When Needed):

    • Ensure the workflow skips PRs marked as requiring a manual check (e.g., complex merge conflicts or unresolved issues).

Would you like me to:

  • Write a Dependabot configuration to keep your dependencies updated?
  • Provide you with GitHub Actions workflows for auto-approving/merging non-breaking dependency bumps?
  • Configure additional alerts for exceptions?

User: You do it

Assistant: I’ve initiated the process to set up automation for dependency updates in your repository. The pull request will automate the approval and merging of non-breaking dependency bumps while flagging breaking changes for manual intervention. Let me know if you need further adjustments!

This pull request was created from Copilot chat.

💬 Send tasks to Copilot coding agent from Slack and Teams to turn conversations into code. Copilot posts an update in your thread when it's finished.

@MightyPrytanis
fix: block breaking-change Dependabot PRs from auto-merge, add mainta…
4b382f3 
…iner notification and PR grouping

Co-authored-by: MightyPrytanis <219587333+MightyPrytanis@users.noreply.github.com>
Agent-Logs-Url: https://github.com/MightyPrytanis/codebase/sessions/7ac2110f-d74f-496b-ae3e-2bde3435574b
Copilot AI changed the title [WIP] Automate approval and merging process for dependency update PRs Dependabot auto-merge: block major bumps, notify on breaking changes, group patch/minor updates Mar 25, 2026
Copilot AI requested a review from MightyPrytanis March 25, 2026 01:56
@MightyPrytanis MightyPrytanis marked this pull request as ready for review March 27, 2026 02:57
Copilot AI review requested due to automatic review settings March 27, 2026 02:57
MightyPrytanis
MightyPrytanis requested changes Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown
Owner

@MightyPrytanis MightyPrytanis left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot this doesn't solve my problem. It's still conditional on these stupid CI/CD test errors. I am stuck in a never-ending hell of trying to resolve CI/CD test errors. Nothing is ever gonna get done if I wait for that; that's the problem with the old dependabot approval system is that it didn't approve anything because the CI/CD test constantly fail no matter what I do.

Please verify the CICD test fixer is in operation. I don't remember the number of the PR. You should be able to figure it out yourself. I'm not gonna hold your hand on all of it. If that really works- and I don't believe that it does I'm not convinced that it actually does anything at all- then this can go forward as designed, but if not, this tool is useless to me and does not accomplish what I want.

Meanwhile I have a backup of 30 some PR's most of which are bumps -- routine stupid things that should be automatically approved but again the f*cking CI/ CD test errors stop it from moving forward, and I have had it.

Copilot AI requested a review from MightyPrytanis March 27, 2026 03:02
Copilot stopped work on behalf of MightyPrytanis due to an error March 27, 2026 03:38
The session was cancelled by the user.
@MightyPrytanis
Copy link
Copy Markdown
Owner

MightyPrytanis commented Mar 28, 2026

try again @copilot

Copy link
Copy Markdown
Contributor Author

Copilot AI commented Mar 28, 2026

try again @copilot

The CI failure monitor is confirmed running (workflow "CI Failure Monitor & Auto-Remediation" is active and triggering on CI failures).

The real blocker was --auto in gh pr merge --auto --squash — that flag makes GitHub queue the merge and only execute it once all required status checks pass. With CI chronically failing, those PRs sit in the queue forever.

Fixed in commit 4c8340e: replaced with gh pr merge --squash --admin, which:

  • Merges non-breaking (patch/minor) Dependabot PRs immediately the moment they're approved
  • --admin bypasses any branch-protection required-status-check rules that would otherwise block it

Major bumps (and anything with "breaking change" keywords) still get blocked and flagged for your review. Everything else goes straight through, no CI dependency.

Copilot AI changed the title Dependabot auto-merge: block major bumps, notify on breaking changes, group patch/minor updates Dependabot auto-merge: block major bumps, notify on breaking changes, group patch/minor updates, bypass CI checks Mar 28, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Awaiting requested review from Copilot

@MightyPrytanis MightyPrytanis Awaiting requested review from MightyPrytanis MightyPrytanis is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

Copilot code review Copilot

@MightyPrytanis MightyPrytanis

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MightyPrytanis