Hi all,

As expected, the introduction of required reviews and required checks has made our "automatically merge Dependabot PRs" workflow less automatic. Currently, for each Dependabot PR:

  * The commit that adds a changelog entry does not trigger the build workflow and therefore fails the required checks. Amending the commit manually (which would trigger the workflow) isn't possible through the GitHub UI.
  * A review is required.
  * We must merge the PR manually once all checks pass.

That said, these new security restrictions don’t necessarily mean more manual work. There are ways we can streamline the process:

  * Dependabot Grouping: We can enable the grouping feature to consolidate updates into a single weekly PR. While our current changelog script doesn't handle multiple updates per PR, I've created a custom GitHub Action[1] that does.
  * Auto-merge Support: GitHub's auto_merge feature can automatically merge Dependabot PRs once all required checks and reviews are satisfied. My recent update to .asf.yaml[2] enables this.
  * Workflow Triggering with PAT: We can request a personal access token (PAT) from INFRA to use in our changelog-adding workflow. Unlike GITHUB_TOKEN, a PAT will trigger required workflows.

I’d like to get your thoughts on a couple of related suggestions:

  * Migrating ppkarwasz/logging-actions to an Apache Logging repo, either as part of logging-parent or as a standalone repo. I'm not sure if such GitHub Actions would require a formal ASF release process.
  * Requesting a PAT from INFRA to be used in workflows that modify Dependabot PRs (e.g., to add changelog entries and trigger builds).

Let me know what you think!

Piotr

[1] https://github.com/ppkarwasz/logging-actions
[2] https://github.com/apache/infrastructure-asfyaml/pull/66
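For reference, this is what the Dependabot grouping mentioned above looks like in a `.github/dependabot.yml`. It is an added example, not configuration from the Apache Logging repositories or from ppkarwasz/logging-actions; the ecosystem (`maven`), the group name `all-dependencies` and the weekly schedule are assumptions chosen for illustration.

```yaml
# .github/dependabot.yml (added example; values below are assumptions)
version: 2
updates:
  - package-ecosystem: "maven"   # assumption: the project builds with Maven
    directory: "/"
    schedule:
      interval: "weekly"         # one consolidated PR per week instead of one per dependency
    groups:
      # A single group matching every dependency, so all updates in the
      # weekly run land in one PR with one changelog entry to add.
      all-dependencies:
        patterns:
          - "*"
    # Security updates are still opened separately and promptly; grouping
    # only affects scheduled version updates.
```

With the `groups` block in place, the changelog step has to cope with a PR body listing several bumped dependencies, which is the case the custom action in [1] is meant to handle. Note also that workflows triggered by Dependabot-opened pull requests run with a read-only `GITHUB_TOKEN` and do not receive the repository's regular Actions secrets, only the secrets configured under the Dependabot secrets section, so a PAT intended for a changelog-adding workflow has to be stored there to be usable at all.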
