fix(ci): auto-approve dependabot PRs so Mergify can squash-merge them #1020

The previous Mergify config never merged dependabot PRs because:

1. No `approve:` action — if branch protection requires ≥1 review, Mergify's queue action can never complete the merge (and may refuse to enqueue at all).
2. Redundant security/non-security split — `dependabot-security-label.yml` applies `meta:dependabot-security` to virtually every dependabot PR via the broad `/\bto fix\b/i` pattern, so the non-security rule (`-label=meta:dependabot-security`) never matched. Both rules queued to the same place anyway, so they have been merged into one.

Changes:

- `.github/mergify.yml`: consolidate two dependabot rules → one with `approve:` + `queue:` actions; add `allow_checks_interruption: false` to the queue rule to prevent CI-cancellation races.
- `.github/workflows/dependabot-automerge.yml`: belt-and-suspenders GitHub Actions backup — triggers via `workflow_run` when CI passes on a dependabot PR, then approves the PR and enables GitHub squash auto-merge independently of Mergify.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Dm73CCVtnGNofnRNiVqkKw
|
✅ Template check passed after update. Thanks for fixing the PR description. |
|
Code Review
This pull request simplifies the Mergify configuration by combining Dependabot dependency and security updates into a single auto-approve and merge rule, and sets allow_checks_interruption: false in the queue rules. Feedback points out that the approve action is invalid in Mergify and should be replaced with the review action with type: APPROVE.
| - -draft | ||
| - -conflict | ||
| actions: | ||
| approve: |
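Review bot: the `approve:` key under `actions:` is the point to change here. The review summary above flags it as not a valid Mergify action, so the rule cannot produce the approval that branch protection is waiting for. Use the `review` action with `type: APPROVE` instead, and keep it in the same rule as `queue:` so the approval and the enqueue share the `-draft` and `-conflict` conditions.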
Merge Protections
Your pull request matches the following merge protections and will not be merged until they are valid.
🟢 📃 Configuration Change Requirements
Wonderful, this rule succeeded.
Mergify configuration change
|
🔍 Reviewer Summary for PR #1020
CI Status: ❌
Recommendations
|
|
|
@Mergifyio queue |
☑️ Command
|
Merge Queue Status
Waiting for
All conditions
|
- Replace invalid `approve:` action with `review: type: APPROVE`
- Remove invalid `allow_checks_interruption` queue option
- Add CHANGELOG entry for the dependabot auto-merge fix

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Dm73CCVtnGNofnRNiVqkKw
Metadata governance
|
Linked issues
relates to #968
Summary

- `develop` requires ≥1 approved review; without an approval Mergify's queue can never complete the squash-merge.
- `approve:` is not a valid Mergify action. The correct action is `review: type: APPROVE`.
- `dependabot-security-label.yml` applies `meta:dependabot-security` to virtually every dependabot PR via the broad `/\bto fix\b/i` pattern. Both rules queued to the same `dependabot` queue anyway, so they are merged into one.
- `dependabot-automerge.yml` workflow triggers via `workflow_run` when CI passes on a dependabot PR, independently approves the PR, and enables GitHub's native squash auto-merge.

Changelog

- `approve:` with `review: type: APPROVE`
- `dependabot-automerge.yml` workflow: auto-approve + enable squash auto-merge when CI passes on dependabot PRs

Checklist (Global DoD / PR)

- {type}/{scope}-{title} convention
- spectral lint)
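A sketch of the kind of `workflow_run` backup the summary describes, written as an added example and not the repository's own `dependabot-automerge.yml`. The CI workflow name `CI` and the job and step names are assumptions. The point it shows is the gating: a `workflow_run` job runs with the base repository's write token, so it checks who and what triggered the CI run before approving anything.

```yaml
# Added illustration; not the project's dependabot-automerge.yml.
name: dependabot-automerge-example

on:
  workflow_run:
    workflows: ["CI"]          # assumption: name of the CI workflow
    types: [completed]

# Least privilege: only the scopes that approve + auto-merge need.
permissions:
  contents: write
  pull-requests: write

jobs:
  approve-and-automerge:
    runs-on: ubuntu-latest
    # Gate on the triggering run: it must have succeeded, come from a
    # pull_request event, have been started by dependabot, and originate
    # from this repository rather than a fork.
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.actor.login == 'dependabot[bot]' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    steps:
      - name: Approve and enable squash auto-merge
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
          # Passed via env so event data is never spliced into the script.
          PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
        run: |
          # No PR attached to the run: stop instead of guessing a target.
          if [ -z "$PR_NUMBER" ]; then
            echo "no pull request associated with this run"
            exit 0
          fi
          gh pr review "$PR_NUMBER" --approve
          # --auto defers the merge until branch protection is satisfied.
          gh pr merge "$PR_NUMBER" --auto --squash
```

Approving with `GITHUB_TOKEN` only works when the repository setting that allows GitHub Actions to create and approve pull requests is enabled, and `--auto` requires auto-merge to be enabled on the repository.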