Hi all,
As expected, the introduction of required reviews and required checks
has made our "automatically merge Dependabot PRs" workflow less
automatic. Currently, for each Dependabot PR:
* The commit that adds a changelog entry does not trigger the build
workflow and therefore fails the required checks. Amending the commit
manually (which would trigger the workflow) isn't possible through the
GitHub UI.
* A review is required.
* We must merge the PR manually once all checks pass.
That said, these new security restrictions don’t necessarily mean more
manual work. There are ways we can streamline the process:
* Dependabot Grouping: We can enable the grouping feature to
consolidate updates into a single weekly PR. While our current changelog
script doesn’t handle multiple updates per PR, I’ve created a custom
GitHub Action[1] that does.
* Auto-merge Support: GitHub’s auto_merge feature can automatically
merge Dependabot PRs once all required checks and reviews are satisfied.
My recent update to .asf.yaml[2] enables this.
* Workflow Triggering with PAT: We can request a personal access
token (PAT) from INFRA to use in our changelog-adding workflow. Unlike
GITHUB_TOKEN, a PAT will trigger required workflows.
I’d like to get your thoughts on a couple of related suggestions:
* Migrating ppkarwasz/logging-actions to an Apache Logging repo —
either as part of logging-parent or as a standalone repo. I'm not sure
if such GitHub Actions would require a formal ASF release process.
* Requesting a PAT from INFRA to be used in workflows that modify
Dependabot PRs (e.g., to add changelog entries and trigger builds).
Let me know what you think!
Piotr
[1] https://github.com/ppkarwasz/logging-actions
[2] https://github.com/apache/infrastructure-asfyaml/pull/66
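As an added illustration (not from the message above, nor from the Apache Logging project or the ppkarwasz/logging-actions repository), the two pieces the proposal depends on: a `dependabot.yml` that groups updates into one weekly PR, and a workflow that pushes the changelog commit with a PAT rather than GITHUB_TOKEN so the push re-triggers the required build checks. The secret name `DEPENDABOT_CHANGELOG_PAT`, the `maven` ecosystem, the `./.github/scripts/add-changelog-entry.sh` script and the `CHANGELOG` path are all placeholders assumed for the example; the real .asf.yaml auto_merge syntax is not shown because it is not on the page.

```yaml
# .github/dependabot.yml (assumed example)
# One grouped PR per week instead of one PR per dependency. The group name
# "all-dependencies" is arbitrary; "*" matches every package in the ecosystem.
version: 2
updates:
  - package-ecosystem: "maven"   # assumption: adjust to the build tool in use
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      all-dependencies:
        patterns:
          - "*"

---
# .github/workflows/dependabot-changelog.yml (assumed example)
#
# Why a PAT: commits pushed with the repository's GITHUB_TOKEN do not start
# new workflow runs (GitHub suppresses them to avoid recursive workflows), so a
# changelog commit pushed that way leaves the required checks unsatisfied.
# A push authenticated with a PAT is an ordinary user push and does trigger
# `pull_request` workflows. Keep the PAT least-privilege: a fine-grained token
# scoped to this repository with only "Contents: read and write".
#
# Note: workflows triggered by Dependabot events only see *Dependabot secrets*
# (Settings > Secrets > Dependabot), not repository secrets, so the PAT must be
# stored there. DEPENDABOT_CHANGELOG_PAT is an assumed secret name.
name: dependabot-changelog

on:
  pull_request:
    types: [opened, synchronize]

# The default token stays read-only; the PAT does the single write we need.
permissions:
  contents: read

jobs:
  changelog:
    # Only act on Dependabot's own PRs; the login check limits who can cause
    # this job to push a commit with the PAT.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          # Checking out with the PAT makes the later `git push` use it.
          token: ${{ secrets.DEPENDABOT_CHANGELOG_PAT }}

      # Assumed script: generates one changelog entry per updated dependency
      # from the PR title/body, so it copes with grouped PRs.
      - name: Add changelog entries
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_BODY: ${{ github.event.pull_request.body }}
        run: ./.github/scripts/add-changelog-entry.sh

      # Skip the commit when nothing changed, so the job never loops on itself:
      # once the entry exists, the re-triggered run is a no-op.
      - name: Commit changelog entry
        run: |
          if git diff --quiet -- CHANGELOG; then
            echo "Changelog already up to date"
            exit 0
          fi
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add CHANGELOG
          git commit -m "Add changelog entry for Dependabot update"
          git push
```

The `git diff --quiet` guard matters: because the PAT-authored push re-runs this same workflow, the second run must detect that the entry is already present and stop, otherwise each run would push another commit and trigger itself indefinitely.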