
Add Dependabot auto-merge workflows (ROSA-745)#304

Open
MitaliBhalla wants to merge 1 commit into openshift:master from MitaliBhalla:chore/dependabot-auto-merge

Conversation

@MitaliBhalla
Contributor

@MitaliBhalla MitaliBhalla commented May 19, 2026

Summary

Dependabot auto-merge for routine updates (ROSA-745 / ROSAENG-751), aligned with openshift/backplane-cli (SREP-2438).

Changes

  • dependabot-auto-merge.yml: auto-merge patch/minor/digest after required CI; majors manual. Uses pull_request_target (no PR checkout), validated GraphQL/REST/comment responses.
  • branch-protection-check.yml: weekly verification of Dependabot config and workflows.

Notes

  • dependabot[bot] + openshift org only.
  • Requires ci/prow/* checks (DPP-20685).

Test plan

  • Required CI green
  • Review YAML

Made with Cursor

Summary by CodeRabbit

  • Chores
    • Added automation to verify branch protection and Dependabot configuration on a regular schedule.
    • Added Dependabot pull-request management that auto-enables merging for patch and minor updates and posts guidance for major-version updates requiring manual review.
    • Improved reporting when auto-merge attempts succeed or encounter errors.

@coderabbitai

coderabbitai Bot commented May 19, 2026

Walkthrough

Adds a Dependabot auto-merge workflow that enables squash auto-merge for safe updates and posts notices for major updates, plus a scheduled/manual validation workflow that verifies the Dependabot config and the auto-merge workflow structure.

Changes

Dependabot Automation Workflows

Layer | File(s) | Summary
Branch Protection Validation Workflow | .github/workflows/branch-protection-check.yml | Weekly scheduled/manual workflow that validates .github/dependabot.yml and .github/workflows/dependabot-auto-merge.yml, failing when files are missing or structurally invalid.
Auto-merge workflow header & permissions | .github/workflows/dependabot-auto-merge.yml | Workflow name, pull_request_target triggers, runtime and job permissions; restricts execution to Dependabot PRs in the openshift owner.
Enable auto-merge for safe updates | .github/workflows/dependabot-auto-merge.yml | Fetches Dependabot metadata, retrieves PR node_id via REST, calls GraphQL enablePullRequestAutoMerge (SQUASH) for semver patch/minor, sets auto_merge_enabled output, and posts a status comment on GraphQL failure.
Major version update comment | .github/workflows/dependabot-auto-merge.yml | Detects semver major updates, de-duplicates existing comments, and posts a one-time manual-review notice comment.
Log auto-merge decision | .github/workflows/dependabot-auto-merge.yml | Final step always runs to log whether auto-merge was enabled or disabled based on update-type and prior outputs.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The pull request title clearly and specifically describes the main change: adding Dependabot auto-merge workflows, which aligns with the two workflow files added (dependabot-auto-merge.yml and branch-protection-check.yml).
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | ✅ Passed | PR adds GitHub Actions workflow files only (.github/workflows/*.yml); contains no Ginkgo tests (It(), Describe(), etc.), so the check is not applicable.
Test Structure And Quality | ✅ Passed | This PR adds only GitHub Actions workflow YAML files, not Ginkgo test code. The check for Ginkgo test quality is not applicable.
Microshift Test Compatibility | ✅ Passed | PR adds only GitHub Actions workflow files (YAML), not Ginkgo e2e tests. Check is not applicable since no It(), Describe(), Context(), or When() test patterns were introduced.
Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR adds only GitHub Actions workflows, not Ginkgo e2e tests. The check applies only to Ginkgo test patterns like It(), Describe(), Context(), which are not present.
Topology-Aware Scheduling Compatibility | ✅ Passed | PR adds only GitHub Actions workflow files (.github/workflows/), not Kubernetes manifests or operator code. No scheduling constraints or cluster topology dependencies introduced.
Ote Binary Stdout Contract | ✅ Passed | PR adds only YAML GitHub Actions workflows. OTE Binary Stdout Contract applies to Go process-level code (main, init, klog), not workflow files. No applicable code found.
Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No Ginkgo e2e tests were added. PR only adds GitHub Actions workflow YAML files (branch-protection-check.yml, dependabot-auto-merge.yml), not test code. Check is not applicable.


Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

@openshift-ci openshift-ci Bot requested review from eth1030 and joshbranham May 19, 2026 06:01
@openshift-ci
Contributor

openshift-ci Bot commented May 19, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MitaliBhalla
Once this PR has been reviewed and has the lgtm label, please assign rafael-azevedo for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/dependabot-auto-merge.yml (1)

105-106: 💤 Low value

Inconsistent error handling for comment failures.

The auto-merge step suppresses comment failures with || true (line 105), while the major version step fails the job if commenting fails (lines 131-135). This inconsistency could mask issues where auto-merge failed and the fallback notification also failed silently.

Consider making the behavior consistent—either both should warn without failing, or both should fail the job.

Also applies to: 131-135

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependabot-auto-merge.yml around lines 105 - 106, The two
comment steps are inconsistent: the auto-merge step currently appends "|| true"
to ignore failures while the major-version step lets comment failures fail the
job; decide on a consistent behavior and apply it to both places—either remove
the "|| true" from the auto-merge comment command so failures bubble up (so both
fail the job), or add "|| true" to the comment command(s) in the major-version
step (lines referencing the major version comment command) so both only warn;
update the shell commands that post comments (the ones with "|| true" and the
major-version comment command) accordingly and ensure the same error-handling
pattern is used in both steps.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 3-5: The workflow currently triggers on pull_request_target with
types: [opened, synchronize, reopened, ready_for_review], causing duplicate bot
comments on each push; either remove "synchronize" from that types array to stop
re-running on PR pushes, or, if you need synchronize, add a pre-post check in
the job that posts comments to first query existing PR comments for the bot's
marker (author or a unique comment signature) and skip posting when a matching
comment already exists; look for the trigger block "on: pull_request_target" and
the types array and the step that creates comments (the comment-posting action)
to implement the chosen fix.
- Around line 27-30: Update the GitHub Actions conditional in the
dependabot-auto-merge workflow by removing the invalid check
'version-update:semver-digest' from the if expression (the multiline condition
using steps.metadata.outputs.update-type). Keep only the valid tokens emitted by
dependabot/fetch-metadata (e.g., 'version-update:semver-patch' and
'version-update:semver-minor' and add 'version-update:semver-major' if desired)
or otherwise adjust the condition to match your intended auto-merge policy; if
you need digest handling, manage it via dependabot.yml ignore rules instead of
adding 'version-update:semver-digest' here.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: dbf4fc54-46e5-4c74-94de-a5b7a64cb8ad

📥 Commits

Reviewing files that changed from the base of the PR and between 9c35f69 and dea2b4e.

📒 Files selected for processing (2)
  • .github/workflows/branch-protection-check.yml
  • .github/workflows/dependabot-auto-merge.yml

@MitaliBhalla MitaliBhalla force-pushed the chore/dependabot-auto-merge branch 5 times, most recently from 97d0a60 to 954d5dd on May 19, 2026 06:18
- Auto-merge patch/minor/digest after CI; majors manual
- pull_request_target with validated API responses
- branch-protection-check for config/workflow presence

Co-authored-by: Cursor <cursoragent@cursor.com>
@MitaliBhalla MitaliBhalla force-pushed the chore/dependabot-auto-merge branch from 954d5dd to 90dea60 on May 20, 2026 07:52
@openshift-ci
Contributor

openshift-ci Bot commented May 20, 2026

@MitaliBhalla: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/branch-protection-check.yml:
- Around line 62-68: The YAML loader is converting the unquoted top-level on:
key to a boolean so wf.get("on") returns None; replace yaml.safe_load(...) with
yaml.load(..., Loader=yaml.BaseLoader) when loading the workflow (the code
around workflow_path.open() and wf = yaml.safe_load(f)) so the top-level "on"
key is preserved as a string, then keep the existing checks that call
wf.get("on") and validate pull_request_target.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 533c18bc-81c4-4b36-8d70-734d92b15158

📥 Commits

Reviewing files that changed from the base of the PR and between dea2b4e and 90dea60.

📒 Files selected for processing (2)
  • .github/workflows/branch-protection-check.yml
  • .github/workflows/dependabot-auto-merge.yml

Comment on lines +62 to +68
with workflow_path.open() as f:
    wf = yaml.safe_load(f)
if not isinstance(wf, dict):
    fail("dependabot-auto-merge.yml must be a YAML mapping")
on = wf.get("on")
if not isinstance(on, dict) or "pull_request_target" not in on:
    fail("dependabot-auto-merge.yml must use pull_request_target trigger")


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

python3 - <<'PY'
from pathlib import Path
import yaml

wf = yaml.safe_load(Path(".github/workflows/dependabot-auto-merge.yml").read_text())
print("top-level keys:", list(wf.keys()))
print('wf.get("on") =', wf.get("on"))
print('wf.get(True) =', wf.get(True))
PY

Repository: openshift/gcp-project-operator

Length of output: 257


Use yaml.BaseLoader to preserve the on key as a string.

The code uses yaml.safe_load(), which treats the unquoted top-level on: key in YAML as the boolean value True rather than the string "on". This causes wf.get("on") to return None, so the validation will incorrectly reject the valid workflow file. The workflow's actual trigger configuration is stored at key True instead.

Proposed fix
           with workflow_path.open() as f:
-              wf = yaml.safe_load(f)
+              wf = yaml.load(f, Loader=yaml.BaseLoader)
           if not isinstance(wf, dict):
               fail("dependabot-auto-merge.yml must be a YAML mapping")
           on = wf.get("on")
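Review bot: the switch to yaml.BaseLoader in the `+` line does keep `on` as a string key, but BaseLoader also constructs every scalar as a string (numbers, booleans, null), so any check elsewhere in this validator that expects a typed value will start seeing strings after this change. If the key is the only problem, a smaller fix is to keep `yaml.safe_load(f)` and read the trigger with `on = wf.get("on", wf.get(True))`, which accepts both the bare and the quoted spelling of the key and leaves the rest of the loader's behaviour unchanged.
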
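
The `on:`-key pitfall discussed in this review, worked through as an added example (not code from the PR or the repository): it assumes PyYAML is installed and feeds it a constructed workflow snippet in the shape the PR describes, so the reader can see why `wf.get("on")` comes back empty under `safe_load`, one way to check the trigger that tolerates both key spellings, and what the `BaseLoader` alternative costs.

```python
"""Added example (not the PR's code); assumes PyYAML is installed.
PyYAML's safe_load follows YAML 1.1, so a bare `on:` key resolves to
the boolean True and wf.get("on") returns None. trigger_block() accepts
either key; base_loader_view() shows the BaseLoader trade-off.
"""
import yaml

# Constructed workflow text in the shape the PR describes: a
# pull_request_target trigger limited to a list of PR event types.
WORKFLOW_TEXT = """\
name: Dependabot auto-merge
on:
  pull_request_target:
    types: [opened, synchronize, reopened, ready_for_review]
permissions:
  contents: write
  pull-requests: write
jobs:
  automerge:
    runs-on: ubuntu-latest
    timeout-minutes: 10
"""


def safe_load_on_key(text: str):
    """What the original check sees: the "on" key is gone after safe_load."""
    return yaml.safe_load(text).get("on")


def trigger_block(text: str) -> dict:
    """Return the trigger mapping whether it was keyed "on" or True."""
    wf = yaml.safe_load(text)
    if not isinstance(wf, dict):
        raise ValueError("workflow must be a YAML mapping")
    on = wf.get("on", wf.get(True))  # a quoted "on" stays a string key
    if not isinstance(on, dict):
        raise ValueError("workflow has no trigger mapping")
    return on


def uses_pull_request_target(text: str) -> bool:
    """The check branch-protection-check.yml is trying to express."""
    return "pull_request_target" in trigger_block(text)


def base_loader_view(text: str) -> tuple:
    """BaseLoader alternative: "on" survives, but the integer 10 becomes "10"."""
    wf = yaml.load(text, Loader=yaml.BaseLoader)
    return "on" in wf, wf["jobs"]["automerge"]["timeout-minutes"]
```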

@MitaliBhalla
Contributor Author

MitaliBhalla commented May 25, 2026

On hold — pausing this per-repo workflow rollout while we switch to the boilerplate / MintMaker (Renovate) path for ROSA-745. Please do not merge; we will close or reopen after the platform PR lands.
