From eba54c36182ccd3ba322517c79f6a052602c2427 Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 19 Jun 2026 12:15:41 +0000 Subject: [PATCH 1/2] fix(ci): auto-approve dependabot PRs so Mergify can squash-merge them MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous Mergify config never merged dependabot PRs because: 1. No `approve:` action — if branch protection requires ≥1 review, Mergify's queue action can never complete the merge (and may refuse to enqueue at all). 2. Redundant security/non-security split — `dependabot-security-label.yml` applies `meta:dependabot-security` to virtually every dependabot PR via the broad `/\bto fix\b/i` pattern, so the non-security rule (`-label=meta:dependabot-security`) never matched. Both rules queued to the same place anyway, so they have been merged into one. Changes: - `.github/mergify.yml`: consolidate two dependabot rules → one with `approve:` + `queue:` actions; add `allow_checks_interruption: false` to the queue rule to prevent CI-cancellation races. - `.github/workflows/dependabot-automerge.yml`: belt-and-suspenders GitHub Actions backup — triggers via `workflow_run` when CI passes on a dependabot PR, then approves the PR and enables GitHub squash auto-merge independently of Mergify. Co-Authored-By: Claude Sonnet 4.6 Claude-Session: https://claude.ai/code/session_01Dm73CCVtnGNofnRNiVqkKw --- .github/mergify.yml | 17 +---- .github/workflows/dependabot-automerge.yml | 77 ++++++++++++++++++++++ 2 files changed, 80 insertions(+), 14 deletions(-) create mode 100644 .github/workflows/dependabot-automerge.yml diff --git a/.github/mergify.yml b/.github/mergify.yml index 69391f4f..931e54a1 100644 --- a/.github/mergify.yml +++ b/.github/mergify.yml 
@@ -9,28 +9,16 @@ pull_request_rules: - "#commits-behind > 0" actions: update: - - name: Auto-merge Dependabot dependency updates on develop + - name: Auto-approve and merge Dependabot dependency updates on develop conditions: - author~=^(dependabot\[bot\]|app/dependabot)$ - base=develop - label=area:dependencies - - -label=meta:dependabot-security - - check-success=All Checks Passed - - -draft - - -conflict - actions: - queue: - name: dependabot - - name: Auto-merge Dependabot security updates on develop - conditions: - - author~=^(dependabot\[bot\]|app/dependabot)$ - - base=develop - - label=area:dependencies - - label=meta:dependabot-security - check-success=All Checks Passed - -draft - -conflict actions: + approve: queue: name: dependabot - name: Keep imgbot image optimizations current on develop @@ -66,6 +54,7 @@ queue_rules: - check-success=All Checks Passed merge_method: squash batch_size: 1 + allow_checks_interruption: false - name: Merge queue batch_size: 1 merge_queue: diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml new file mode 100644 index 00000000..b63648cd --- /dev/null +++ b/.github/workflows/dependabot-automerge.yml 
@@ -0,0 +1,77 @@ +name: Dependabot Auto-Merge + +on: + workflow_run: + workflows: ["CI • Unified Checks (Lint, Test, Validate)"] + types: [completed] + +permissions: + contents: write + pull-requests: write + +jobs: + enable-automerge: + # Only act when CI passed and the run was triggered by a dependabot pull_request event. + if: | + github.event.workflow_run.conclusion == 'success' && + github.event.workflow_run.event == 'pull_request' && + github.event.workflow_run.actor.login == 'dependabot[bot]' + runs-on: ubuntu-latest + steps: + - name: Approve and enable auto-merge for dependabot PRs + uses: actions/github-script@v7 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const { owner, repo } = context.repo; + const prs = context.payload.workflow_run.pull_requests || []; + + for (const pr of prs) { + if (pr.base.ref !== 'develop') { + core.info(`PR #${pr.number} targets ${pr.base.ref} — skipping.`); + continue; + } + + const { data: pullRequest } = await github.rest.pulls.get({ + owner, repo, pull_number: pr.number, + }); + + if (pullRequest.state !== 'open') { + core.info(`PR #${pr.number} is ${pullRequest.state} — skipping.`); + continue; + } + if (pullRequest.draft) { + core.info(`PR #${pr.number} is a draft — skipping.`); + continue; + } + + // Approve (satisfies branch-protection review requirement). + try { + await github.rest.pulls.createReview({ + owner, repo, + pull_number: pr.number, + event: 'APPROVE', + body: 'Auto-approved: dependabot dependency update with all CI checks passing.', + }); + core.info(`Approved PR #${pr.number}.`); + } catch (err) { + core.info(`Approval for PR #${pr.number} skipped (may already be approved): ${err.message}`); + } + + // Enable squash auto-merge via GraphQL. + try { + await github.graphql(` + mutation($id: ID!) 
{ + enablePullRequestAutoMerge(input: { + pullRequestId: $id, + mergeMethod: SQUASH + }) { + pullRequest { number autoMergeRequest { enabledAt } } + } + } + `, { id: pullRequest.node_id }); + core.info(`Auto-merge (squash) enabled for PR #${pr.number}.`); + } catch (err) { + core.info(`Auto-merge for PR #${pr.number} failed: ${err.message}`); + } + } From 8f8ca78aac2e49d99b0dcd81b7c261f42c11b759 Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 19 Jun 2026 12:18:55 +0000 Subject: [PATCH 2/2] fix(ci): correct Mergify action name and add CHANGELOG entry - Replace invalid `approve:` action with `review: type: APPROVE` - Remove invalid `allow_checks_interruption` queue option - Add CHANGELOG entry for the dependabot auto-merge fix Co-Authored-By: Claude Sonnet 4.6 Claude-Session: https://claude.ai/code/session_01Dm73CCVtnGNofnRNiVqkKw --- .github/mergify.yml | 4 ++-- CHANGELOG.md | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/mergify.yml b/.github/mergify.yml index 931e54a1..ef1164ac 100644 --- a/.github/mergify.yml +++ b/.github/mergify.yml @@ -18,7 +18,8 @@ pull_request_rules: - -draft - -conflict actions: - approve: + review: + type: APPROVE queue: name: dependabot - name: Keep imgbot image optimizations current on develop @@ -54,7 +55,6 @@ queue_rules: - check-success=All Checks Passed merge_method: squash batch_size: 1 - allow_checks_interruption: false - name: Merge queue batch_size: 1 merge_queue: diff --git a/CHANGELOG.md b/CHANGELOG.md index 424fe86d..a545e47a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
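Review bot: in the `.github/mergify.yml` hunk at `@@ -9,28 +9,16 @@`, `approve:` is not a Mergify action name, so the consolidated rule fails configuration validation and never fires; the second patch in this series replaces it with `review:` plus `type: APPROVE`, which is the correct form. Collapsing the two rules into one is sound given the `/\bto fix\b/i` labelling the commit message describes, but the rule now satisfies the branch-protection review requirement with a review posted by the Mergify app, which does not count as a code-owner review, so confirm that the protected branch does not require one. The `author~=^(dependabot\[bot\]|app/dependabot)$`, `label=area:dependencies` and `check-success=All Checks Passed` conditions are the only gates on that automatic approval and should stay as written.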
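Review bot: in the `.github/mergify.yml` hunk at `@@ -66,6 +54,7 @@`, `allow_checks_interruption: false` is removed again by the second patch, which calls it an invalid queue option. If the intent is to keep the queue from cancelling in-flight CI, confirm the option name and the section it belongs in for the Mergify version in use before reintroducing it, and validate the change with Mergify's configuration check rather than waiting for the merge queue to surface the error.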
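Review bot: in the `.github/workflows/dependabot-automerge.yml` hunk, the script approves every open PR in `workflow_run.pull_requests` without checking that the CI run it reacts to covers the PR's current head; compare `pullRequest.head.sha` with `context.payload.workflow_run.head_sha` and skip on mismatch, otherwise a push that lands after CI started can be approved and auto-merged on the strength of a stale green run. The job-level `if` gates only on `workflow_run.actor.login`, so also check `pullRequest.user.login === 'dependabot[bot]'` inside the loop before calling `createReview`. Both `catch` blocks downgrade every failure to `core.info`, including the 422 that `createReview` returns when the repository's Actions setting "Allow GitHub Actions to create and approve pull requests" is disabled, which the "may already be approved" message would hide; use `core.warning` and say which setting to check. Similarly, `enablePullRequestAutoMerge` only succeeds when the repository has "Allow auto-merge" enabled, which neither the workflow nor the commit message mentions.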
@@ -35,6 +35,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed +- **Dependabot auto-merge unblocked** — Fixed Mergify configuration that prevented all dependabot PRs from being automatically merged: consolidated the redundant security/non-security rules into one, replaced the invalid `approve:` action with `review: type: APPROVE` (which satisfies branch-protection review requirements), and added a `dependabot-automerge.yml` GitHub Actions backup workflow that approves and enables squash auto-merge via `workflow_run` when CI passes on a dependabot PR. ([#1020](https://github.com/lightspeedwp/.github/pull/1020), relates to [#968](https://github.com/lightspeedwp/.github/issues/968)) + - **Release agent hardening** — Fixed four bugs in `scripts/agents/release.agent.js`: (1) regex escape `\\d+` → `\d+` in `getMergedPRs` so PR numbers are correctly extracted from `git log`; (2) automated release PR body now includes all three sections (`## Linked issues & merged PRs`, `## Changelog`, `### Checklist (Global DoD / PR)`) required by the main-branch-guard; (3) `createReleasePR` (shell provider) now writes the body to a temp file and uses `--body-file` to avoid shell injection from backtick-containing markdown; (4) corrected Husky v9 command from `npx husky run pre-commit` to `npx lint-staged`. Added full test suites for `changelogUtils.cjs`, `validate-main-branch-pr.cjs`, and `release.agent.js` (ESM subprocess pattern); rewrote the stub in `validate-changelog.test.js` with real CLI and integration tests. Clarified the `develop → release/vX.Y.Z → main` flow in the release issue template. ([#1018](https://github.com/lightspeedwp/.github/pull/1018), [#968](https://github.com/lightspeedwp/.github/issues/968)) ### Changed
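Review bot: in the `.github/mergify.yml` hunk at `@@ -18,7 +18,8 @@`, `review:` with `type: APPROVE` is the correct action, but the review it posts carries no explanation; the review action accepts a `message:`, so add one stating that this is an automated approval of a dependabot update with all checks passing, so the PR timeline shows why the branch-protection requirement was satisfied without a human reviewer.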
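Review bot: in the `.github/mergify.yml` hunk at `@@ -54,7 +55,6 @@`, dropping `allow_checks_interruption: false` clears the invalid-option error but leaves the CI-cancellation race that the first commit message cited unaddressed; the commit message should say whether that concern was retracted or is covered by the existing `batch_size: 1` and `check-success=All Checks Passed` settings, otherwise the next reader will assume the protection was lost by accident.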
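Review bot: in the `CHANGELOG.md` hunk, the new entry documents two independent approval-and-merge paths (the Mergify `review` action and the `dependabot-automerge.yml` backup), each able to approve and merge a dependabot PR on its own; state which is authoritative and list the backup's operational prerequisites (the exact CI workflow name it listens for and the repository auto-merge setting), so that a maintainer auditing a PR that merged without a human review can tell which automation acted and why.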