Add dependabot automerge #231
Enable automated dependency management with SRE-standard workflows:
- dependabot-auto-merge.yml: Auto-merge patch/minor/digest updates after CI
- branch-protection-check.yml: Weekly verification of configuration health
- Enhanced dependabot.yml with Go module updates and dependency grouping

Auto-merge behavior:
- Patch/minor/digest updates: Auto-merged after required checks pass
- Major updates: Comment added, manual review required

Dependency groups: AWS SDK, Kubernetes, OpenShift, Prometheus

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Note: Reviews paused. It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review.
Walkthrough
Adds a Dependabot configuration for Go modules (weekly, grouped patterns for k8s/openshift/prometheus) and two new GitHub Actions workflows: a weekly branch-protection verification that checks repository config and branch protection, and a Dependabot auto-merge workflow that evaluates Dependabot PRs and attempts to enable auto-merge or posts comments for blocked/critical updates.
Sequence Diagram(s)
sequenceDiagram
actor DependabotPR as "Dependabot PR"
participant Actions as "GitHub Actions (auto-merge wf)"
participant GraphQL as "GitHub GraphQL API"
participant Repo as "Repository (Pull Request)"
DependabotPR->>Actions: PR opened / synchronized
Actions->>Actions: fetch dependabot metadata + diff (go.mod)
Actions->>Actions: evaluate labels, critical-package list, update type, go-version-bump
alt eligible for auto-merge (non-critical, non-major)
Actions->>GraphQL: enablePullRequestAutoMerge(pullRequestId, method=SQUASH)
GraphQL-->>Actions: success / error
alt success
Actions->>Repo: (auto-merge enabled)
else failure
Actions->>Repo: post comment (auto-merge could not be enabled)
end
else not eligible (critical or major or blocked)
Actions->>Repo: post comment (manual review required / auto-merge disabled)
end
sequenceDiagram
actor Scheduler as "Weekly Scheduler / Manual Trigger"
participant BranchCheck as "branch-protection-check wf"
participant Files as "Repository files"
participant GHAPI as "GitHub REST API (branches/protection)"
Scheduler->>BranchCheck: run workflow
BranchCheck->>Files: check for `.github/dependabot.yml` and `.github/workflows/dependabot-auto-merge.yml`
BranchCheck->>GHAPI: GET /repos/:owner/:repo/branches/master/protection
alt 200 OK
GHAPI-->>BranchCheck: protection rules JSON
BranchCheck->>BranchCheck: validate required_status_checks and required_pull_request_reviews
else 404
GHAPI-->>BranchCheck: 404 Not Found
BranchCheck->>BranchCheck: treat as missing branch protection
else other non-200
GHAPI-->>BranchCheck: warning response
BranchCheck->>BranchCheck: skip strict validation (warn)
end
BranchCheck->>BranchCheck: exit 0 if all_present true, else exit 1
Estimated code review effort: 4 (Complex), ~45 minutes. Pre-merge checks: 12 passed.
Actionable comments posted: 5
🧹 Nitpick comments (1)
.github/workflows/branch-protection-check.yml (1)
72-76: Use the actual default branch here. The log says "default branch", but Line 75 hardcodes `master`. If the repository default branch changes, this check starts validating the wrong branch.
Suggested fix
- BRANCH="master"
+ BRANCH="${{ github.event.repository.default_branch }}"
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/branch-protection-check.yml:
- Around line 89-93: The branch-protection check currently leaves the flag
all_present unchanged on non-200/non-404 HTTP responses, which can falsely
report success; update the handling in the HTTP error branches (where http_code
and protection_json are used) to set all_present=false when the API returns any
error (non-200 and non-404) and ensure the same change is applied to the
analogous block around lines checking validation status (the second
HTTP-response handling block referenced in the comment). Specifically, when
echoing the warning/response for permission or server errors, also set
all_present=false so the final branch protection validation logic correctly
treats API failures as incomplete.
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 16-17: The job guard uses a hardcoded repository check in the if
condition ("if: github.actor == 'dependabot[bot]' && github.repository ==
'--add-gomod'") which never matches; update the condition in the workflow to
either remove the repository equality check (leaving "if: github.actor ==
'dependabot[bot]'" so Dependabot PRs run across repos) or replace '--add-gomod'
with the correct repository identifier 'openshift/ocm-agent' so the "if"
evaluates true for this repo; edit the line containing the if condition to apply
one of these fixes.
- Around line 114-127: The "Comment on Major Version Updates" step's conditional
currently requires both a major semver bump and
steps.check-critical.outputs.is_critical_update == 'true'; remove the
is_critical_update check so the step runs for any metadata.outputs.update-type
== 'version-update:semver-major' (while keeping the has-required-labels check).
Update the if expression in the "Comment on Major Version Updates" step to no
longer reference steps.check-critical.outputs.is_critical_update and ensure the
POST comment uses the existing metadata outputs as-is.
- Around line 137-147: The final decision log is using OR logic for the critical
check which misrepresents the actual merge condition; update the conditional
that checks steps.metadata.outputs.update-type and
steps.check-critical.outputs.is_critical_update so it requires both (update-type
in
["version-update:semver-patch","version-update:semver-minor","version-update:semver-digest"]
AND steps.check-critical.outputs.is_critical_update == "false") before reporting
"✅ Auto-merge ENABLED", otherwise report disabled; reference the variables
steps.metadata.outputs.update-type,
steps.check-critical.outputs.is_critical_update and
steps.check-labels.outputs.has-required-labels and mirror the exact boolean
logic used later in the actual merge decision so the echo messages accurately
reflect allowed merge cases.
- Around line 34-39: Remove the step-level if: guard on the "Check Critical
package updates" step (id: check-critical) so the step always runs; specifically
delete the multiline if: | ... contains(...) conditions and let the step's
internal shell logic evaluate all entries (including k8s.io/client-go) and
populate steps.check-critical.outputs.is_critical_update accordingly.
---
Nitpick comments:
In @.github/workflows/branch-protection-check.yml:
- Around line 72-76: The script hardcodes BRANCH="master" which can be
incorrect; change BRANCH to use the repository's actual default branch (e.g.
BRANCH="${{ github.event.repository.default_branch }}" or fetch via the GitHub
API/gh CLI) and update any log text if needed; replace the hardcoded BRANCH
assignment in the section that sets REPO/BRANCH so the verification uses the
real default branch instead of "master".
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 9b21519e-4fdb-4fd8-8f47-f3a8956153c9
📒 Files selected for processing (3)
- .github/dependabot.yml
- .github/workflows/branch-protection-check.yml
- .github/workflows/dependabot-auto-merge.yml
elif [[ "$http_code" -ne 200 ]]; then
  echo "Warning: Could not fetch branch protection settings (HTTP $http_code)"
  echo "This may be due to insufficient permissions. Skipping branch protection validation."
  echo "Response: $protection_json"
else
🧩 Analysis chain
🏁 Script executed: cat .github/workflows/branch-protection-check.yml (Repository: openshift/ocm-agent, length of output: 4862)
Set all_present=false when API requests fail with permission or server errors.
On non-200/non-404 HTTP responses, all_present remains unchanged, allowing the job to report "Branch protection validation passed" without actually validating any settings. For a weekly health check, permission and API failures should mark the validation as incomplete.
Suggested fix
elif [[ "$http_code" -ne 200 ]]; then
- echo "Warning: Could not fetch branch protection settings (HTTP $http_code)"
- echo "This may be due to insufficient permissions. Skipping branch protection validation."
+ echo "Could not fetch branch protection settings (HTTP $http_code)"
echo "Response: $protection_json"
+ all_present=false
Also applies to lines 134-139 where the validation status is checked.
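Review bot: the replacement deletes the `- echo "This may be due to insufficient permissions. ..."` line, which is the only hint about why the request failed. Setting `all_present=false` is right, but keep a permissions hint (without the "Skipping" wording) next to it, for example `echo "Check that the token can read branch protection settings"`; with the default GITHUB_TOKEN a 403 here is the common outcome, and without the hint the weekly job turns permanently red with no pointer to the permission fix.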
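The comment above asks the weekly check to treat any non-200, non-404 response as a failed validation rather than a pass. The script below is an added example written for this page, not code from openshift/ocm-agent or from the PR; it shows the status-code handling and the two rule checks as shell functions the workflow step could call. Assumptions: the caller has already run `curl` and captured the status code and body, the sample responses are constructed, and key presence is checked with grep rather than jq so the script runs stand-alone.

```bash
#!/usr/bin/env bash
# Added example, not the PR's own workflow code. It models the decision the
# weekly branch-protection check should make from the HTTP status and body of
# GET /repos/OWNER/REPO/branches/BRANCH/protection: 200 is validated, 404 means
# the branch is unprotected, and anything else (a 403 when the token cannot read
# repository administration settings, a 5xx) is an incomplete check that must
# fail as well. The field names are the endpoint's; the sample bodies below are
# constructed. Key presence is tested with grep so the script runs without jq.
set -u

# validate_protection_json BODY -> prints each gap, returns 0 only if none.
validate_protection_json() {
  body=$1; gaps=0
  if ! printf '%s' "$body" | grep -q '"required_status_checks"'; then
    echo "gap: no required_status_checks rule"; gaps=1
  fi
  if ! printf '%s' "$body" | grep -q '"required_pull_request_reviews"'; then
    echo "gap: no required_pull_request_reviews rule"; gaps=1
  elif ! printf '%s' "$body" | grep -Eq '"required_approving_review_count":[[:space:]]*[1-9]'; then
    echo "gap: required_approving_review_count is 0"; gaps=1
  fi
  return "$gaps"
}

# protection_status HTTP_CODE BODY -> prints exactly one of
#   ok | invalid | unprotected | error:<code>
# and returns 0 only for "ok", so a failed request can never pass the check.
protection_status() {
  code=$1; body=$2
  case "$code" in
    200)
      if validate_protection_json "$body" >/dev/null; then
        echo ok; return 0
      fi
      echo invalid; return 1 ;;
    404) echo unprotected; return 1 ;;
    *)   echo "error:$code"; return 1 ;;
  esac
}

# Constructed sample responses for a stand-alone run.
PROTECTED='{"required_status_checks":{"strict":true,"contexts":["ci"]},"required_pull_request_reviews":{"required_approving_review_count":1}}'
NO_REVIEWS='{"required_status_checks":{"strict":true,"contexts":["ci"]}}'
FORBIDDEN='{"message":"Resource not accessible by integration"}'
for sample in "200 $PROTECTED" "200 $NO_REVIEWS" "404 {}" "403 $FORBIDDEN" "502 "; do
  code=${sample%% *}; body=${sample#* }
  printf 'HTTP %s -> %s\n' "$code" "$(protection_status "$code" "$body")"
done
```

In the workflow the step would end with something like `status=$(protection_status "$http_code" "$protection_json") || exit 1`, so the job fails on `invalid`, `unprotected` and every `error:<code>` alike, and the printed label tells the reader which of the three it was.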
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: tkong-redhat. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## master #231 +/- ##
=======================================
Coverage 55.67% 55.67%
=======================================
Files 23 23
Lines 1895 1895
=======================================
Hits 1055 1055
Misses 785 785
Partials 55 55
89089a8 to ad5bf99
/retest
All PipelineRuns for this commit have already succeeded. Use
ad5bf99 to fe2d342
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/dependabot-auto-merge.yml (1)
28-32: Either enforce labels here or remove the gate. Line 31 hardcodes `has-required-labels=true`, so every downstream `has-required-labels` condition is effectively dead code. If labels are meant to be part of the safety gate, read them from the pull request payload; otherwise remove this flag so the workflow doesn’t imply a safeguard it never enforces.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 34-49: The check-critical step currently does substring matching
against DEPENDENCY which is a comma-separated string, causing false positives
(e.g., "go" matching "aws-sdk-go-v2"). Change the logic in the check-critical
job: split DEPENDENCY into an array of exact tokens (e.g., using IFS=',' read
-ra DEPS) and then compare each token exactly against entries in
CRITICAL_PACKAGES (use equality test like [[ "$dep" == "$pkg" ]] with whitespace
trimmed) instead of substring matching; keep the existing CRITICAL_PACKAGES list
and preserve emitting is_critical_update and the warning when an exact match is
found.
- Line 17: Replace the condition that uses github.actor to detect Dependabot PRs
with the PR author field: change the workflow if expression that currently reads
"github.actor == 'dependabot[bot]'" to use "github.event.pull_request.user.login
== 'dependabot[bot]'" (keep the existing github.repository ==
'openshift/ocm-agent' check) so the job correctly identifies PRs authored by
Dependabot even when a maintainer triggers the workflow.
---
Nitpick comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 28-32: The "Check PR Labels" step (id: check-labels) currently
hardcodes the output variable has-required-labels=true which bypasses any real
label gating; update this step to either (A) compute has-required-labels by
reading the PR labels from the GitHub context/payload (e.g., use github event
JSON or gh/gh-api to check for required labels and set has-required-labels
accordingly) and write that computed value to $GITHUB_OUTPUT, or (B) remove the
echo that sets has-required-labels entirely so downstream conditions do not
incorrectly imply a label safety gate.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: ad127b67-4ed7-4b21-9343-919300f55183
📒 Files selected for processing (1)
.github/workflows/dependabot-auto-merge.yml
/retest
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/dependabot-auto-merge.yml (1)
28-33: Label check is a stub—consider implementing actual validation or removing the step. This step always outputs `has-required-labels=true` without inspecting actual PR labels. If label validation is intended (e.g., ensuring `area/dependency` and `ok-to-test` from your Dependabot config), implement the check. If not needed, consider removing the step and its downstream references to reduce complexity.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 65-69: The bash conditional is comparing the literal string
"steps.check-go-version.outputs.go-version-bumped" instead of the actual output;
replace the literal with a GitHub Actions expression that expands the output of
the check-go-version step (the output key go-version-bumped from step name
check-go-version), ensure the expression is quoted and compared to 'true' inside
the if [[ ... ]] test so the condition evaluates correctly and Go version bumps
are detected.
---
Nitpick comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 28-33: The "Check PR Labels" step (id: check-labels) currently
always sets has-required-labels=true; replace it with real validation that reads
PR labels (via github.event.pull_request.labels or the GitHub API) and sets the
output has-required-labels only when required labels like "area/dependency" and
"ok-to-test" are present, or else fail/skip as your workflow requires;
alternatively, remove the "Check PR Labels" step and any downstream references
to needs.check-labels.outputs.has-required-labels if label gating is not needed
to simplify the workflow.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: b0fa2aa3-10be-4e6d-ae0e-8389981556c3
📒 Files selected for processing (1)
.github/workflows/dependabot-auto-merge.yml
0b4b6bf to 52dca16
Actionable comments posted: 1
♻️ Duplicate comments (2)
.github/workflows/dependabot-auto-merge.yml (2)
53-83: ⚠️ Potential issue | 🟠 Major
Match critical dependencies as exact comma-separated tokens. `dependency-names` is a comma-separated list per `dependabot/fetch-metadata` docs: https://github.com/dependabot/fetch-metadata. The substring test on Lines 74-75 can still false-positive, e.g. `k8s.io/api` matching `k8s.io/apimachinery`, which blocks safe grouped updates.
Suggested fix
for pkg in "${CRITICAL_PACKAGES[@]}"; do
- if [[ "$DEPENDENCY" == *"$pkg"* ]]; then
- echo "is_critical_update=true" >> $GITHUB_OUTPUT
- echo "⚠️ Critical package detected: $pkg"
- exit 0
- fi
+ while IFS= read -r dep; do
+ if [[ "$dep" == "$pkg" ]]; then
+ echo "is_critical_update=true" >> $GITHUB_OUTPUT
+ echo "⚠️ Critical package detected: $pkg"
+ exit 0
+ fi
+ done < <(printf '%s\n' "$DEPENDENCY" | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
done
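Review bot: `>> $GITHUB_OUTPUT` stays unquoted in the added lines; write `>> "$GITHUB_OUTPUT"` (shellcheck SC2086). The loop nesting also re-runs the `tr`/`sed` split of `$DEPENDENCY` once per entry of CRITICAL_PACKAGES; split it once in the outer loop and compare each token against the array in the inner one, which keeps the early `exit 0` on the first hit and avoids re-executing the pipeline.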
17-17: ⚠️ Potential issue | 🟡 Minor
Use the PR author, not the triggering actor, for the Dependabot guard. Line 17 still skips Dependabot PRs when a maintainer triggers `reopened` or `ready_for_review`, because `github.actor` becomes that maintainer. GitHub’s Dependabot automation examples use `github.event.pull_request.user.login` for this check: https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/automating-dependabot-with-github-actions
Suggested fix
- if: github.actor == 'dependabot[bot]' && github.repository == 'openshift/ocm-agent'
+ if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'openshift/ocm-agent'
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 34-51: The check-go-version step currently assigns GO_DIFF using
an invalid gh pr diff invocation ("gh pr diff ... -- go.mod") which returns
empty due to unsupported pathspec; update the GO_DIFF assignment in the
check-go-version job to use a valid diff flag (e.g., gh pr diff --patch ${{
github.event.pull_request.number }}) and then filter that output for go.mod
hunks (for example use awk or grep to extract file headers and context lines for
"go.mod" and the "+go " / "-go " lines), so that the existing logic reading
GO_DIFF, OLD_GO, and NEW_GO correctly detects version bumps; keep the rest of
the check-go-version block (echoing go-version-bumped and messages) unchanged.
---
Duplicate comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 53-83: The substring check on DEPENDENCY can false-positive;
change the check in the check-critical step to treat DEPENDENCY (the
steps.metadata.outputs.dependency-names value) as comma-separated tokens and
match CRITICAL_PACKAGES as exact tokens rather than substrings—e.g., split
DEPENDENCY on commas (or use a regex/word-boundary check) and compare each token
to each entry in the CRITICAL_PACKAGES array, so names like
"k8s.io/apimachinery" won't match "k8s.io/api".
- Line 17: Update the Dependabot guard condition so it checks the PR author
rather than the triggering actor: replace the current if condition that uses
"github.actor == 'dependabot[bot]'" with a check against the pull request author
login (github.event.pull_request.user.login) while keeping the repository check
(github.repository == 'openshift/ocm-agent'); modify the if expression used in
the workflow step (the line with the Dependabot guard) to use
github.event.pull_request.user.login == 'dependabot[bot]' && github.repository
== 'openshift/ocm-agent' so reopened/ready_for_review events triggered by
maintainers no longer block Dependabot PRs.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 7f0f3025-4af5-482a-a0f2-2163582a45ca
📒 Files selected for processing (2)
- .github/dependabot.yml
- .github/workflows/dependabot-auto-merge.yml
🚧 Files skipped from review as they are similar to previous changes (1)
- .github/dependabot.yml
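The exact-token matching asked for in this review, the go.mod `go` directive check from the check-go-version comment, and the combined merge condition the first review describes (patch/minor/digest AND not critical) are shown together below as an added example, not code from the PR or from openshift/ocm-agent. The critical-package list, the sample diffs and the function names are assumptions made for the example; the update-type strings are the ones dependabot/fetch-metadata emits.

```bash
#!/usr/bin/env bash
# Added example, not the PR's workflow code. Three gates the auto-merge job is
# meant to apply, as shell functions a step could call:
#  - csv_has_token / is_critical_update: exact-token matching of Dependabot's
#    comma-separated dependency-names output against a critical list, so that
#    k8s.io/api does not match k8s.io/apimachinery;
#  - go_version_bump: detects a changed `go` directive inside the go.mod
#    section of a unified diff (lines from other files are ignored);
#  - auto_merge_decision: the merge condition, which requires a
#    patch/minor/digest update AND no critical package AND no Go bump.
# CRITICAL_PACKAGES and the sample diffs are constructed for this example.
set -u

CRITICAL_PACKAGES="k8s.io/api k8s.io/client-go github.com/aws/aws-sdk-go-v2"

# csv_has_token CSV TOKEN -> 0 if TOKEN equals one trimmed comma-separated entry.
csv_has_token() {
  csv=$1; want=$2; old_ifs=$IFS; IFS=,
  for entry in $csv; do
    entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    if [ "$entry" = "$want" ]; then IFS=$old_ifs; return 0; fi
  done
  IFS=$old_ifs; return 1
}

# is_critical_update DEPENDENCY_NAMES_CSV -> 0 if any entry is on the list.
is_critical_update() {
  for pkg in $CRITICAL_PACKAGES; do
    csv_has_token "$1" "$pkg" && return 0
  done
  return 1
}

# go_version_bump DIFF_TEXT -> prints "OLD NEW" and returns 0 when the go.mod
# section of the diff changes the `go` directive; returns 1 otherwise.
go_version_bump() {
  printf '%s\n' "$1" | awk '
    /^\+\+\+ / { in_gomod = ($2 == "b/go.mod") }
    in_gomod && /^-go [0-9]/ { old = $2 }
    in_gomod && /^\+go [0-9]/ { new = $2 }
    END { if (old != "" && new != "" && old != new) { print old, new; exit 0 } exit 1 }'
}

# auto_merge_decision UPDATE_TYPE DEPENDENCY_NAMES_CSV DIFF_TEXT -> prints the
# outcome and returns 0 only when auto-merge may be enabled.
auto_merge_decision() {
  update_type=$1; deps=$2; diff=$3
  case "$update_type" in
    version-update:semver-patch|version-update:semver-minor|version-update:semver-digest) ;;
    *) echo "manual-review: $update_type"; return 1 ;;
  esac
  if is_critical_update "$deps"; then echo "manual-review: critical package"; return 1; fi
  if bump=$(go_version_bump "$diff"); then echo "manual-review: go directive $bump"; return 1; fi
  echo "auto-merge"; return 0
}

# Constructed sample diffs: one that bumps the go directive, one that does not.
SAMPLE_DIFF='diff --git a/go.mod b/go.mod
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module example.com/ocm-agent
-go 1.22
+go 1.23
 require (
-    k8s.io/apimachinery v0.30.0
+    k8s.io/apimachinery v0.30.1
 )'
SAFE_DIFF='diff --git a/go.mod b/go.mod
--- a/go.mod
+++ b/go.mod
@@ -4,3 +4,3 @@
-    k8s.io/apimachinery v0.30.0
+    k8s.io/apimachinery v0.30.1'

auto_merge_decision version-update:semver-patch "k8s.io/apimachinery, k8s.io/apiextensions-apiserver" "$SAFE_DIFF" || true
auto_merge_decision version-update:semver-patch "k8s.io/apimachinery" "$SAMPLE_DIFF" || true
auto_merge_decision version-update:semver-minor "k8s.io/client-go" "$SAFE_DIFF" || true
auto_merge_decision version-update:semver-major "github.com/prometheus/client_golang" "$SAFE_DIFF" || true
```

The decision function mirrors the boolean logic the final log step should report: the echo of "Auto-merge ENABLED" is only correct when all three gates pass, which is why the function returns the label instead of letting the caller re-derive it.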
9fa71e1 to 1af14b1
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/dependabot-auto-merge.yml (1)
106-115: Avoid the extra REST round-trip — the PR node ID is already in the event payload. `github.event.pull_request.node_id` is populated for `pull_request` events, so the `curl` + `jq` lookup (and its failure handling) can be removed.
♻️ Suggested simplification
- PR_NODE_ID=$(curl -s \
-   -H "Accept: application/vnd.github+json" \
-   -H "Authorization: Bearer $GH_TOKEN" \
-   "https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}" \
-   | jq -r '.node_id')
-
- if [[ -z "$PR_NODE_ID" || "$PR_NODE_ID" == "null" ]]; then
-   echo "❌ Failed to fetch PR node ID"
-   exit 1
- fi
+ PR_NODE_ID="${{ github.event.pull_request.node_id }}"
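Review bot: the one-line replacement still expands a `${{ }}` expression inside the `run:` body, as the removed curl lines did with `${{ github.repository }}` and `${{ github.event.pull_request.number }}`. These values are generated by GitHub rather than taken from PR text, so the script-injection risk is low, but the safer habit is to map them under `env:` (for example `PR_NODE_ID: ${{ github.event.pull_request.node_id }}`) and read `$PR_NODE_ID` in the shell, so nothing from the event payload is interpolated into the script before it runs.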
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 144-170: The two comment steps can both run for a semver-major
critical package; make their if conditions mutually exclusive so only one posts:
update the "Comment on Critical Dependency Version Updates" if-condition
(steps.check-critical.outputs.is_critical_update) to also require that
steps.metadata.outputs.update-type != 'version-update:semver-major' (or
conversely add && steps.check-critical.outputs.is_critical_update != 'true' to
the "Comment on Major Version Updates" condition) so a PR with both
is_critical_update == 'true' and update-type == 'version-update:semver-major'
only triggers the critical-path comment; target the if expressions referencing
steps.check-labels.outputs.has-required-labels,
steps.check-critical.outputs.is_critical_update, and
steps.metadata.outputs.update-type when making the change.
- Around line 28-32: The "Check PR Labels" step currently unconditionally sets
has-required-labels=true without inspecting github.event.pull_request.labels;
update that step to actually read and verify labels (e.g., ensure required
labels like "area/dependency" or "ok-to-test" exist) by iterating over
github.event.pull_request.labels and setting has-required-labels to true only
when the required label(s) are present, otherwise set it false; use the step id
check-labels and the output variable has-required-labels so downstream if
conditions rely on it correctly reflect the PR's labels.
---
Nitpick comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 106-115: Replace the extra REST call that computes PR_NODE_ID by
removing the curl/jq block and instead read the already-populated event field
github.event.pull_request.node_id directly into PR_NODE_ID; update any
null/empty checks to reference that value and remove the redundant failure
handling around the curl request so the script uses the event payload's node_id
(PR_NODE_ID) without the extra round-trip.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 52783ed2-dccc-40c8-9bc6-de758123a78a
📒 Files selected for processing (2)
- .github/dependabot.yml
- .github/workflows/dependabot-auto-merge.yml
🚧 Files skipped from review as they are similar to previous changes (1)
- .github/dependabot.yml
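The nitpick about the hardcoded `has-required-labels=true`, raised in several of the reviews above, and the request in this review that the major-version and critical-package comments be mutually exclusive, are shown below as an added example, not the PR's workflow code. It assumes the step passes the PR's label names in as a comma-separated env value (for instance `${{ join(github.event.pull_request.labels.*.name, ',') }}`) and uses the label names the review mentions; the function names are made up for the example.

```bash
#!/usr/bin/env bash
# Added example, not the PR's workflow code.
#  1. has_required_labels checks the PR's actual labels instead of emitting a
#     constant true. The workflow would supply them through env, e.g.
#       env:
#         PR_LABELS: ${{ join(github.event.pull_request.labels.*.name, ',') }}
#     and call: has_required_labels "$PR_LABELS"
#  2. comment_kind picks exactly one follow-up comment per PR, so a semver-major
#     bump of a critical package gets the critical-path comment only.
# REQUIRED_LABELS are the names the review mentions; the env-passing pattern is
# an assumption about the workflow.
set -u

REQUIRED_LABELS="area/dependency ok-to-test"

# has_required_labels LABELS_CSV -> 0 when every REQUIRED_LABELS entry is present;
# prints the first missing label and returns 1 otherwise. Matching is by whole
# label name, so "area/dependency-tooling" would not satisfy "area/dependency".
has_required_labels() {
  for need in $REQUIRED_LABELS; do
    found=1; old_ifs=$IFS; IFS=,
    for have in $1; do
      have=$(printf '%s' "$have" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
      [ "$have" = "$need" ] && found=0
    done
    IFS=$old_ifs
    [ "$found" -eq 0 ] || { echo "missing label: $need"; return 1; }
  done
  return 0
}

# comment_kind UPDATE_TYPE IS_CRITICAL(true|false) -> critical | major | none
# Exactly one value is printed; the critical branch wins when both apply, which
# is the ordering the two step conditions in the workflow need to encode.
comment_kind() {
  if [ "$2" = true ]; then
    echo critical
  elif [ "$1" = version-update:semver-major ]; then
    echo major
  else
    echo none
  fi
}

# Stand-alone run over constructed inputs.
has_required_labels "area/dependency, ok-to-test, dependencies" && echo "labels ok"
has_required_labels "dependencies" || true
for pair in "version-update:semver-major true" "version-update:semver-major false" "version-update:semver-patch false"; do
  printf '%s -> %s\n' "$pair" "$(comment_kind $pair)"
done
```

In workflow terms, the two comment steps would carry `if:` conditions that are complements of each other: the critical comment on `is_critical_update == 'true'`, the major-version comment on `update-type == 'version-update:semver-major' && is_critical_update != 'true'`, which is what `comment_kind` returns.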
1af14b1 to 29af9cb
@tkong-redhat: all tests passed! Full PR test history. Your PR dashboard.
Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
/rebase
/retest