Thanks for chasing this, Piotr. Given the recently stagnating Log4j maintainer time, the workflow of verifying dependabot PRs, adding associated changelog entries, and automatically merging upon success was a big time saver for us. I'd really appreciate it if we can bring it back.

In GHA workflows, we refer to a reusable as simple as `<org|user>/<repo>@<ref>`. Given this will only be used by a `logging-parent` reusable workflow, can't we place these sources to the `.github/actions` folder in `logging-parent`, and access it from there?

If you say PAT will solve the workflow triggering issue, please proceed with creating the associated INFRA ticket. (I'd appreciate it if you can tag me there so that I can follow its implementation.)

On Sat, May 10, 2025 at 10:32 PM Piotr P. Karwasz <pi...@mailing.copernik.eu> wrote:

> Hi all,
>
> As expected, the introduction of required reviews and required checks has made our "automatically merge Dependabot PRs" workflow less automatic. Currently, for each Dependabot PR:
>
> * The commit that adds a changelog entry does not trigger the build workflow and therefore fails the required checks. Amending the commit manually (which would trigger the workflow) isn't possible through the GitHub UI.
> * A review is required.
> * We must merge the PR manually once all checks pass.
>
> That said, these new security restrictions don’t necessarily mean more manual work. There are ways we can streamline the process:
>
> * Dependabot Grouping: We can enable the grouping feature to consolidate updates into a single weekly PR. While our current changelog script doesn’t handle multiple updates per PR, I’ve created a custom GitHub Action[1] that does.
> * Auto-merge Support: GitHub’s auto_merge feature can automatically merge Dependabot PRs once all required checks and reviews are satisfied. My recent update to .asf.yaml enables this.
> * Workflow Triggering with PAT: We can request a personal access token (PAT) from INFRA to use in our changelog-adding workflow. Unlike GITHUB_TOKEN, a PAT will trigger required workflows.
>
> I’d like to get your thoughts on a couple of related suggestions:
>
> * Migrating ppkarwasz/logging-actions to an Apache Logging repo — either as part of logging-parent or as a standalone repo. I'm not sure if such GitHub Actions would require a formal ASF release process.
> * Requesting a PAT from INFRA to be used in workflows that modify Dependabot PRs (e.g., to add changelog entries and trigger builds).
>
> Let me know what you think!
>
> Piotr
>
> [1] https://github.com/ppkarwasz/logging-actions
> [2] https://github.com/apache/infrastructure-asfyaml/pull/66
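
A sketch of the PAT-based changelog and auto-merge flow discussed in this thread, added here as an example; it is not code from logging-parent or ppkarwasz/logging-actions. The workflow name, the secret name `CHANGELOG_PAT`, the bot identity, and the changelog path and format are hypothetical, and the PAT is assumed to be stored as a secret that this run can read.

```yaml
# Added example; names marked "hypothetical" are assumptions, not project values.
name: dependabot-changelog            # hypothetical
on:
  pull_request_target:                # uses the base branch's workflow definition
    types: [opened, synchronize]
permissions: {}                       # GITHUB_TOKEN gets no scopes; only the PAT is used
jobs:
  changelog:
    # Run only for Dependabot's own pushes. The PAT push below has a different
    # actor, so the resulting "synchronize" event does not re-enter this job.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      # The PR branch is checked out only to add a file; nothing from it is
      # built or executed in this job.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          # Commits pushed with GITHUB_TOKEN do not trigger workflows; commits
          # pushed with a PAT do, so the required build runs on the new commit.
          token: ${{ secrets.CHANGELOG_PAT }}        # hypothetical secret name
      - name: Add changelog entry
        env:
          # Passed through the environment, never interpolated into the script.
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          entry="changelog/dependabot-${PR_NUMBER}.txt"   # hypothetical path and format
          mkdir -p "$(dirname "$entry")"
          printf '%s\n' "$PR_TITLE" > "$entry"
          git config user.name "changelog-bot"                    # placeholder identity
          git config user.email "changelog-bot@example.invalid"   # placeholder identity
          git add "$entry"
          # Idempotent: commit and push only when the entry is new or changed.
          git diff --cached --quiet || { git commit -m "Add changelog entry for #${PR_NUMBER}"; git push; }
      - name: Enable auto-merge
        env:
          GH_TOKEN: ${{ secrets.CHANGELOG_PAT }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        # Merges only after required checks and reviews pass; requires
        # auto-merge to be enabled on the repository.
        run: gh pr merge --auto --squash "$PR_URL"
```

A fine-grained token limited to contents and pull-request write access on the one repository keeps the exposure small if the secret leaks.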