
Add Dependabot auto-merge workflows (ROSA-745)#459

Open
MitaliBhalla wants to merge 1 commit into
openshift:masterfrom
MitaliBhalla:chore/dependabot-auto-merge

Conversation

@MitaliBhalla

@MitaliBhalla MitaliBhalla commented May 19, 2026

Summary

Dependabot auto-merge for routine updates (ROSA-745 / ROSAENG-751), aligned with openshift/backplane-cli (SREP-2438).

Changes

  • dependabot-auto-merge.yml: auto-merge patch/minor/digest after required CI; majors manual. Uses pull_request_target (no PR checkout), validated GraphQL/REST/comment responses.
  • branch-protection-check.yml: weekly verification of Dependabot config and workflows.

Notes

  • dependabot[bot] + openshift org only.
  • Requires ci/prow/* checks (DPP-20685).

Test plan

  • Required CI green
  • Review YAML

Made with Cursor

Summary by CodeRabbit

  • Chores
    • Added automated weekly checks to verify repository Dependabot configuration and the presence/structure of the auto-merge workflow.
    • Enabled automatic squash-merging for Dependabot patch and minor version updates; major version updates require manual review.
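The gating and response-validation logic the description above sketches (Dependabot-only, openshift org only, patch/minor auto-merged, majors commented on, GraphQL result checked rather than trusted), modelled in Python as an added example. This is not the workflow's own bash, which the page does not show; the event payload, the fetch-metadata update-type strings, the author/org allowlist and the GraphQL response bodies are constructed here, and `autoMergeRequest.enabledAt` is the selection this example assumes the mutation was asked for. Digest updates are left out because the page does not show which update-type string they carry.

```python
"""Auto-merge gate for Dependabot PRs plus validation of the GraphQL reply (added example)."""
from __future__ import annotations

import json

ALLOWED_AUTHOR = "dependabot[bot]"     # PR author the job trusts (assumed allowlist)
ALLOWED_OWNER = "openshift"            # org the job is allowed to run in (assumed allowlist)
AUTO_MERGE_TYPES = {                   # update-type values emitted by dependabot/fetch-metadata
    "version-update:semver-patch",
    "version-update:semver-minor",
}
MAJOR_TYPE = "version-update:semver-major"


def gate(event: dict, update_type: str) -> str:
    """Decide what the job does for one pull_request_target event.

    Returns 'auto-merge', 'comment-major' or 'skip'. Under pull_request_target the
    job holds a write-capable GITHUB_TOKEN for the base repo, so the author and org
    allowlist is the control that keeps an arbitrary fork PR away from the mutation.
    """
    pr = event.get("pull_request") or {}
    author = (pr.get("user") or {}).get("login")
    owner = ((event.get("repository") or {}).get("owner") or {}).get("login")
    if author != ALLOWED_AUTHOR or owner != ALLOWED_OWNER:
        return "skip"
    if update_type in AUTO_MERGE_TYPES:
        return "auto-merge"
    if update_type == MAJOR_TYPE:
        return "comment-major"
    return "skip"                      # unknown or empty update type: do nothing


def auto_merge_enabled(response_text: str) -> tuple[bool, str]:
    """Validate the body returned by the enablePullRequestAutoMerge mutation.

    GraphQL answers HTTP 200 for application-level failures too, so the `errors`
    array, not the status code, decides; a success must also carry the
    autoMergeRequest that the (assumed) selection set asked for.
    """
    try:
        body = json.loads(response_text)
    except json.JSONDecodeError as exc:
        return False, f"non-JSON response: {exc}"
    if not isinstance(body, dict):
        return False, "unexpected response shape"
    errors = body.get("errors")
    if errors:
        messages = "; ".join(
            str(e.get("message", e)) for e in errors if isinstance(e, dict)
        )
        return False, messages or "unknown GraphQL error"
    request = (
        (((body.get("data") or {}).get("enablePullRequestAutoMerge") or {})
         .get("pullRequest") or {})
        .get("autoMergeRequest")
    )
    if not isinstance(request, dict) or not request.get("enabledAt"):
        return False, "mutation returned no autoMergeRequest"
    return True, "enabled"


# Constructed sample inputs (not captured from a real run).
DEPENDABOT_EVENT = {
    "pull_request": {"user": {"login": "dependabot[bot]"}},
    "repository": {"owner": {"login": "openshift"}},
}
FORK_EVENT = {
    "pull_request": {"user": {"login": "someone-else"}},
    "repository": {"owner": {"login": "openshift"}},
}
OK_RESPONSE = json.dumps({"data": {"enablePullRequestAutoMerge": {"pullRequest": {
    "autoMergeRequest": {"enabledAt": "2026-05-19T06:18:00Z", "mergeMethod": "SQUASH"}}}}})
ERR_RESPONSE = json.dumps({"data": {"enablePullRequestAutoMerge": None},
                           "errors": [{"message": "Auto-merge is not allowed (constructed)"}]})

if __name__ == "__main__":
    for evt, utype in ((DEPENDABOT_EVENT, "version-update:semver-patch"),
                       (DEPENDABOT_EVENT, "version-update:semver-major"),
                       (FORK_EVENT, "version-update:semver-patch")):
        print(utype, "->", gate(evt, utype))
    print(auto_merge_enabled(OK_RESPONSE))
    print(auto_merge_enabled(ERR_RESPONSE))
```

The gate keys on the PR author rather than on the actor that fired the event: on a `synchronize` event the actor is whoever pushed to the Dependabot branch, while the author stays `dependabot[bot]`, so checking both in the real workflow is the stricter choice.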

@coderabbitai

coderabbitai Bot commented May 19, 2026

Walkthrough

Adds two GitHub Actions workflows: a weekly/manual branch-protection check that validates Dependabot and auto-merge workflow files, and a dependabot-auto-merge workflow that fetches Dependabot metadata, attempts GraphQL auto-merge for safe (patch/minor) updates, comments on major updates or errors, and logs the decision.

Changes

Dependabot Automation

Layer / File(s) Summary
Repository automation validation
.github/workflows/branch-protection-check.yml
Workflow runs weekly and on manual dispatch to validate .github/dependabot.yml (version==2, non-empty updates, required fields) and the presence/shape of .github/workflows/dependabot-auto-merge.yml (must include pull_request_target, jobs.auto-merge with dependabot/fetch-metadata).
Auto-merge workflow header and metadata
.github/workflows/dependabot-auto-merge.yml
Workflow trigger and permissions (pull_request_target limited to Dependabot PRs), and a pinned dependabot/fetch-metadata step that exposes update type, dependency name, and versions for downstream steps.
Enable auto-merge for safe updates
.github/workflows/dependabot-auto-merge.yml
Bash step for version-update:semver-patch and version-update:semver-minor that retrieves the PR node_id, calls the enablePullRequestAutoMerge GraphQL mutation with mergeMethod: SQUASH, sets auto_merge_enabled output, and posts a single structured status comment on failure.
Major update handling
.github/workflows/dependabot-auto-merge.yml
For version-update:semver-major, posts a "Major Version Update Detected" PR comment (duplicate-suppressed); comment-posting failures are tolerated and logged.
Auto-merge decision logging
.github/workflows/dependabot-auto-merge.yml
Always-run logging step that reports the update type, dependency/version, and final enabled/disabled decision (enabled only for patch/minor when auto_merge_enabled=true).

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding Dependabot auto-merge workflows, with the ticket reference providing context.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR contains only GitHub Actions workflow YAML files, not Go test files. The Ginkgo test names check is not applicable.
Test Structure And Quality ✅ Passed The custom check assesses Ginkgo test code quality, but this PR contains only GitHub Actions workflow YAML files (.github/workflows/) with no Ginkgo tests. The check is not applicable.
Microshift Test Compatibility ✅ Passed PR adds GitHub Actions workflows (YAML config files), not Ginkgo e2e tests. Check applies only to new Go tests with Ginkgo patterns (It, Describe, Context, etc.).
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR adds only GitHub Actions workflow configurations (YAML files), not Ginkgo e2e tests. The SNO compatibility check applies exclusively to Go test code and is not applicable here.
Topology-Aware Scheduling Compatibility ✅ Passed PR adds only GitHub Actions workflow files for CI/CD automation, not Kubernetes manifests or operator code. No scheduling constraints are introduced; check does not apply.
Ote Binary Stdout Contract ✅ Passed PR adds only GitHub Actions workflow YAML files (.github/workflows/*.yml), not Go code. OTE Binary Stdout Contract checks only apply to Go process-level code.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR adds GitHub Actions workflow configuration files (.yml), not Ginkgo e2e tests. Custom check only applies to new Ginkgo tests with It/Describe/Context/When blocks.


@openshift-ci
Contributor

openshift-ci Bot commented May 19, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MitaliBhalla
Once this PR has been reviewed and has the lgtm label, please assign abyrne55 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Line 22: Replace the mutable tag on the action reference so the workflow uses
the pinned commit SHA instead of `@v2`: in the step that currently has "uses:
dependabot/fetch-metadata@v2" update it to reference the full commit SHA
"d72f607e9d3fb96fc2fbe83e0af444713e90b7" (i.e., "uses:
dependabot/fetch-metadata@d72f607e...") to harden the supply chain.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c5e95c2b-d457-43ce-9bb8-dffed38a9372

📥 Commits

Reviewing files that changed from the base of the PR and between 304b109 and 8119e1e.

📒 Files selected for processing (2)
  • .github/workflows/branch-protection-check.yml
  • .github/workflows/dependabot-auto-merge.yml

Comment thread .github/workflows/dependabot-auto-merge.yml Outdated
@MitaliBhalla MitaliBhalla force-pushed the chore/dependabot-auto-merge branch 5 times, most recently from 8036c00 to 6afa46f Compare May 19, 2026 06:18
- Auto-merge patch/minor/digest after CI; majors manual
- pull_request_target with validated API responses
- branch-protection-check for config/workflow presence

Co-authored-by: Cursor <cursoragent@cursor.com>
@MitaliBhalla MitaliBhalla force-pushed the chore/dependabot-auto-merge branch from 6afa46f to 8cbccd9 Compare May 20, 2026 07:52

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/branch-protection-check.yml:
- Around line 62-68: PyYAML can coerce the bare top-level "on" key to the
boolean True, so change the retrieval of the trigger to handle that case:
replace the current on = wf.get("on") with a fallback that checks for the True
key (e.g. on = wf.get("on", wf.get(True))) and keep the subsequent validation
using on and fail as-is so valid workflows using a bare on: entry are accepted.
- Around line 16-17: Update the Checkout code step that currently uses the
mutable tag "uses: actions/checkout@v4" by replacing the tag with the full v4
commit SHA from the actions/checkout releases and add the checkout input to
disable credential persistence; specifically change the actions/checkout usage
referenced in the workflow step (the "Checkout code" step) to the full commit
SHA (e.g., `@a5ac7e51b41094c153f46a9261a0be5ab68572ebb6ae6244bbf1136490427062`)
and add with: persist-credentials: false so the GITHUB_TOKEN is not left
available to later steps.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ccfa7e4c-744d-4cb5-9ee4-695f178ef050

📥 Commits

Reviewing files that changed from the base of the PR and between 8119e1e and 8cbccd9.

📒 Files selected for processing (2)
  • .github/workflows/branch-protection-check.yml
  • .github/workflows/dependabot-auto-merge.yml

Comment on lines +16 to +17
- name: Checkout code
  uses: actions/checkout@v4


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What full commit SHA should actions/checkout@v4 be pinned to in GitHub Actions workflows, and what do GitHub security best practices say about setting persist-credentials: false when the job only needs read-only checkout?

💡 Result:

To pin actions/checkout v4 to a specific commit SHA, you should select a full-length SHA from the actions/checkout repository's commit history that corresponds to the version you intend to use [1][2]. Because tags are mutable pointers, pinning to a full commit SHA is the only way to ensure your workflow uses an immutable version of the action, protecting it against potential supply chain attacks where a tag might be updated to point to malicious code [1][2]. You can find the full SHA for any release by navigating to the actions/checkout repository on GitHub, viewing the tags or commit history, and copying the complete hash [1][2]. Regarding persist-credentials: false, GitHub security best practices strongly recommend setting this to false whenever your job does not require the ability to perform authenticated Git operations (such as git push) [3]. By default, actions/checkout sets persist-credentials: true, which configures the local Git environment with the GITHUB_TOKEN (or provided PAT) [4][5]. While the token is removed during post-job cleanup, leaving it enabled means that any subsequent step in the same job—including potentially compromised third-party actions or scripts—can access the token from the local Git configuration [6][3]. Setting persist-credentials: false prevents this configuration, thereby reducing the attack surface and adhering to the principle of least privilege [7][3].

🏁 Script executed:

cat -n .github/workflows/branch-protection-check.yml

Repository: openshift/cloud-ingress-operator

Length of output: 4238


Pin actions/checkout to a commit SHA and disable credential persistence.

This scheduled workflow requires only read-only access to repository files. Pinning actions/checkout@v4 to a full commit SHA prevents supply-chain attacks via mutable tag reuse, and setting persist-credentials: false prevents the GITHUB_TOKEN from remaining available to subsequent steps, reducing token-exposure risk per GitHub security best practices.

Update the checkout step:

      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false

Replace @v4 with the full commit SHA from https://github.com/actions/checkout/releases/tag/v4 (e.g., @a5ac7e51b41094c153f46a9261a0be5ab68572ebb6ae6244bbf1136490427062).

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


Comment on lines +62 to +68
with workflow_path.open() as f:
    wf = yaml.safe_load(f)
if not isinstance(wf, dict):
    fail("dependabot-auto-merge.yml must be a YAML mapping")
on = wf.get("on")
if not isinstance(on, dict) or "pull_request_target" not in on:
    fail("dependabot-auto-merge.yml must use pull_request_target trigger")


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
python3 - <<'PY'
from pathlib import Path
import yaml

wf = yaml.safe_load(Path(".github/workflows/dependabot-auto-merge.yml").read_text())
print("top-level keys:", list(wf.keys()))
print('wf.get("on") ->', wf.get("on"))
print("wf.get(True) ->", wf.get(True))
PY

Repository: openshift/cloud-ingress-operator

Length of output: 261


Fix PyYAML's on key coercion in workflow validation.

yaml.safe_load() parses the bare top-level on: key as boolean True instead of the string "on", causing wf.get("on") to return None and the validator to incorrectly reject valid workflows.

This has been verified—the file at .github/workflows/dependabot-auto-merge.yml parses with top-level keys ['name', True, 'permissions', 'jobs'], where wf.get("on") returns None but wf.get(True) correctly returns the trigger configuration.

Suggested fix
           with workflow_path.open() as f:
               wf = yaml.safe_load(f)
           if not isinstance(wf, dict):
               fail("dependabot-auto-merge.yml must be a YAML mapping")
-          on = wf.get("on")
-          if not isinstance(on, dict) or "pull_request_target" not in on:
+          on_section = wf.get("on")
+          if on_section is None and True in wf:
+              on_section = wf[True]
+          if not isinstance(on_section, dict) or "pull_request_target" not in on_section:
               fail("dependabot-auto-merge.yml must use pull_request_target trigger")
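Review bot: the fallback to the True key fixes the PyYAML coercion, but the `isinstance(on_section, dict)` test at the end of the hunk still rejects the two other spellings GitHub accepts for the trigger, `on: pull_request_target` (a string) and `on: [pull_request_target]` (a list), so a harmless reformat of the workflow would fail the weekly check with the same "must use pull_request_target trigger" message. If the check is meant to accept any valid spelling, normalise the section to a set of event names first (the string itself, the list entries, or the mapping keys) and test membership on that; if it is deliberately pinned to the mapping form, say so in the failure message. The True fallback is specific to YAML 1.1 loaders such as PyYAML; a YAML 1.2 loader keeps the key as the string "on", which the first branch already handles.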
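The validation the thread above is about, written out as an added Python example (it is not the check in branch-protection-check.yml, which the page shows only in part): it handles PyYAML's YAML 1.1 coercion of a bare `on:` key to the boolean True, normalises the string, list and mapping forms that `on:` may legally take, checks for `jobs.auto-merge` with `dependabot/fetch-metadata`, and adds the pin check the review asked for, namely that every `uses:` ref is a full 40-hex-digit commit SHA rather than a tag. Worth noticing while writing it: the two refs quoted as examples in the review above are 38 and 64 characters long as pasted, so neither would pass that check; a pinned SHA has to be copied from the action's own release. The sample workflow is a constructed mapping shaped the way PyYAML returns it (note the True key) with a placeholder SHA; PyYAML itself is only needed by `load_workflow`, which is guarded so the rest runs without it.

```python
"""Workflow-file validation with PyYAML's `on` -> True coercion handled (added example)."""
from __future__ import annotations

import re
from typing import Any

try:
    import yaml            # PyYAML; only needed by load_workflow()
except ImportError:        # the validators below work on an already-loaded mapping
    yaml = None

SHA_RE = re.compile(r"[0-9a-f]{40}")   # full git SHA-1, what GitHub resolves for a pinned action


def load_workflow(text: str) -> Any:
    """Parse workflow YAML with a YAML 1.1 loader: a bare `on:` key comes back as True."""
    if yaml is None:
        raise RuntimeError("PyYAML not installed")
    return yaml.safe_load(text)


def trigger_section(wf: dict) -> Any:
    """Value of the `on:` key, whether it survived as the string "on" (quoted key or a
    YAML 1.2 loader) or was coerced to the boolean True by PyYAML."""
    if "on" in wf:
        return wf["on"]
    return wf.get(True)


def trigger_events(wf: dict) -> set[str]:
    """Normalise the three forms GitHub accepts: `on: push`, `on: [a, b]`, `on: {a: {...}}`."""
    section = trigger_section(wf)
    if isinstance(section, str):
        return {section}
    if isinstance(section, list):
        return {e for e in section if isinstance(e, str)}
    if isinstance(section, dict):
        return {str(k) for k in section}
    return set()


def is_pinned(uses: str) -> bool:
    """True only when the ref after '@' is a full 40-hex commit SHA (tags are mutable)."""
    _, sep, ref = uses.rpartition("@")
    return bool(sep) and SHA_RE.fullmatch(ref) is not None


def validate_auto_merge_workflow(wf: Any) -> list[str]:
    """Return a list of problems; an empty list means the workflow passes."""
    if not isinstance(wf, dict):
        return ["dependabot-auto-merge.yml must be a YAML mapping"]
    problems: list[str] = []
    if "pull_request_target" not in trigger_events(wf):
        problems.append("dependabot-auto-merge.yml must use pull_request_target trigger")
    jobs = wf.get("jobs")
    job = jobs.get("auto-merge") if isinstance(jobs, dict) else None
    if not isinstance(job, dict):
        problems.append("missing jobs.auto-merge")
        return problems
    uses = [s["uses"] for s in job.get("steps") or [] if isinstance(s, dict) and "uses" in s]
    if not any(u.startswith("dependabot/fetch-metadata@") for u in uses):
        problems.append("jobs.auto-merge must use dependabot/fetch-metadata")
    problems.extend(f"action not pinned to a commit SHA: {u}" for u in uses if not is_pinned(u))
    return problems


# Constructed sample, shaped as PyYAML returns it (note the True key); the SHA is a placeholder.
SAMPLE_WORKFLOW = {
    "name": "Dependabot auto-merge",
    True: {"pull_request_target": {"types": ["opened", "synchronize", "reopened"]}},
    "permissions": {"contents": "write", "pull-requests": "write"},
    "jobs": {"auto-merge": {
        "runs-on": "ubuntu-latest",
        "steps": [{"id": "metadata", "uses": "dependabot/fetch-metadata@" + "0" * 40}],
    }},
}

if __name__ == "__main__":
    print(validate_auto_merge_workflow(SAMPLE_WORKFLOW))
    if yaml is not None:
        wf = load_workflow("on:\n  pull_request_target: {}\njobs: {}\n")
        print(list(wf), validate_auto_merge_workflow(wf))
```

The pin check is deliberately strict: a ref that is not exactly 40 hex digits is reported, whether it is a tag, a short SHA or a mistyped one, because GitHub only resolves an immutable pin from the full SHA-1.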

@openshift-ci
Contributor

openshift-ci Bot commented May 20, 2026

@MitaliBhalla: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@MitaliBhalla
Author

MitaliBhalla commented May 25, 2026

On hold — pausing this per-repo workflow rollout while we switch to the boilerplate / MintMaker (Renovate) path for ROSA-745. Please do not merge; we will close or reopen after the platform PR lands.
