ci: add merge queue support and 7-day Dependabot auto-merge soak period (#53)

pbertsch · web-flow · commit 1e40cc377b9c · 2026-04-02T06:42:22.000-06:00
- Add merge_group trigger to ci.yml and codeql.yml so CI runs on
  merge queue branches (required for queue to function)
- Remove immediate auto-merge from dependabot-compat.yml; keep approve only
- Add dependabot-automerge.yml: scheduled daily job that enables auto-merge
  on Dependabot PRs that are &gt;= 7 days old, approved, and not yet queued
- Major version updates still require manual review
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -5,6 +5,7 @@ on:
     branches: [main, develop]
   pull_request:
     branches: [main]
+  merge_group:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -5,6 +5,7 @@ on:
     branches: [main]
   pull_request:
     branches: [main]
+  merge_group:
   schedule:
     - cron: '30 2 * * 1'
 
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
@@ -0,0 +1,64 @@
+name: Dependabot Auto-merge (7-day soak)
+
+# Runs daily. For any open Dependabot PR that is >= 7 days old, approved, and
+# has passing CI — enables auto-merge so the merge queue picks it up.
+
+on:
+  schedule:
+    - cron: '0 9 * * *'  # 09:00 UTC daily
+  workflow_dispatch:      # allow manual trigger for testing
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  automerge:
+    name: Auto-merge
+    runs-on: ubuntu-latest
+    steps:
+      - name: Merge eligible Dependabot PRs
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+        run: |
+          SEVEN_DAYS_AGO=$(date -u -d '7 days ago' '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null || \
+                           date -u -v-7d '+%Y-%m-%dT%H:%M:%SZ')
+
+          echo "Looking for Dependabot PRs opened before $SEVEN_DAYS_AGO ..."
+
+          gh pr list \
+            --repo "$REPO" \
+            --author "app/dependabot" \
+            --state open \
+            --json number,title,createdAt,reviewDecision,autoMergeRequest \
+            | jq -c '.[]' \
+            | while IFS= read -r pr; do
+                NUMBER=$(echo "$pr" | jq -r '.number')
+                TITLE=$(echo "$pr"  | jq -r '.title')
+                CREATED=$(echo "$pr" | jq -r '.createdAt')
+                REVIEW=$(echo "$pr"  | jq -r '.reviewDecision')
+                ALREADY=$(echo "$pr" | jq -r '.autoMergeRequest')
+
+                # Skip if already queued for auto-merge
+                if [ "$ALREADY" != "null" ]; then
+                  echo "PR #$NUMBER — already has auto-merge set, skipping"
+                  continue
+                fi
+
+                # Skip if not yet approved
+                if [ "$REVIEW" != "APPROVED" ]; then
+                  echo "PR #$NUMBER — not approved yet ($REVIEW), skipping"
+                  continue
+                fi
+
+                # Skip if less than 7 days old
+                if [[ "$CREATED" > "$SEVEN_DAYS_AGO" ]]; then
+                  echo "PR #$NUMBER — opened $CREATED, not yet 7 days old, skipping"
+                  continue
+                fi
+
+                echo "PR #$NUMBER ($TITLE) — eligible, enabling auto-merge"
+                gh pr merge --auto --squash "$NUMBER" --repo "$REPO" || \
+                  echo "PR #$NUMBER — auto-merge failed (may already be queued)"
+              done
diff --git a/.github/workflows/dependabot-compat.yml b/.github/workflows/dependabot-compat.yml
@@ -254,8 +254,11 @@ jobs:
           }
           echo "✓ No incompatible npm licenses detected"
 
-  # ---- Auto-approve and auto-merge safe updates ----
-  auto-merge:
+  # ---- Auto-approve safe updates ----
+  # Auto-merge is intentionally NOT triggered here — the 7-day soak period is
+  # enforced by dependabot-automerge.yml (scheduled daily). Major updates are
+  # left for manual review regardless.
+  auto-approve:
     name: Auto-merge
     needs: [go-compat, npm-compat, actions-compat, security, license]
     if: |
@@ -273,15 +276,9 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Approve PR
-        run: gh pr review --approve "$PR_URL"
-        env:
-          PR_URL: ${{ github.event.pull_request.html_url }}
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Auto-merge patch and minor updates
+      - name: Approve patch and minor updates
         if: steps.metadata.outputs.update-type != 'version-update:semver-major'
-        run: gh pr merge --auto --squash "$PR_URL"
+        run: gh pr review --approve "$PR_URL"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
