-
Notifications
You must be signed in to change notification settings - Fork 35
feat: experimental AI-assisted Dependabot auto-merge agent #1229
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: develop
Are you sure you want to change the base?
Changes from 2 commits
71e68d4
89e6a61
a2033ca
7ec1e33
127a3cd
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| # Experimental AI-assisted auto-merge for low-risk Dependabot PRs. See #1228 for | ||
| # the policy, prerequisites (repo vars AWS_ROLE_ARN/AWS_REGION + auto-merge | ||
| # settings), and security rationale. The agent is API-only and never runs PR code. | ||
| name: Dependabot auto-merge (experimental) | ||
|
|
||
| on: | ||
| pull_request_target: | ||
| types: [labeled] | ||
|
|
||
| permissions: {} | ||
|
|
||
| jobs: | ||
| automerge: | ||
| # pull_request_target gives a write token; gate it tightly to Dependabot. | ||
| if: >- | ||
| github.event.label.name == 'dependencies' && | ||
| github.event.pull_request.user.login == 'dependabot[bot]' | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 20 | ||
| permissions: | ||
| id-token: write # assume the Bedrock OIDC role | ||
| contents: write # GitHub performs the eventual merge | ||
| pull-requests: write # approve, comment, label, enable auto-merge | ||
| steps: | ||
| # Checks out this base repo (the pull_request_target default), not the PR head. | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | ||
| with: | ||
| node-version: 24 | ||
|
|
||
| - name: Assume Bedrock role (OIDC) | ||
| uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0 | ||
| with: | ||
| role-to-assume: ${{ vars.AWS_ROLE_ARN }} | ||
| aws-region: ${{ vars.AWS_REGION }} | ||
|
|
||
| # Agent fetched at run time, not vendored into this .NET tree. Workflow | ||
| # context passes through env (never interpolated into the shell). | ||
| - name: Run dependabot-automerge agent | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| REPO: ${{ github.repository }} | ||
| PR_NUMBER: ${{ github.event.pull_request.number }} | ||
| run: | | ||
| npx --yes degit hjgraca/agentic-sdlc/examples/github-pr-label-actions ./.pr-agent | ||
|
Check warning on line 45 in .github/workflows/dependabot_automerge.yml
|
||
| cd ./.pr-agent | ||
| npm ci | ||
|
Check warning on line 47 in .github/workflows/dependabot_automerge.yml
|
||
|
github-advanced-security[bot] marked this conversation as resolved.
Fixed
|
||
| ./node_modules/.bin/flue run pr-label-actions \ | ||
| --input "$(printf '{"message":"Act on GitHub PR %s#%s (dependencies label)."}' "$REPO" "$PR_NUMBER")" | ||
Uh oh!
There was an error while loading. Please reload this page.