
Add Dependabot auto-merge workflows (ROSA-745) #323

Open
MitaliBhalla wants to merge 1 commit into openshift:master from MitaliBhalla:chore/dependabot-auto-merge

Conversation


MitaliBhalla commented May 19, 2026

Summary

Dependabot auto-merge for routine updates (ROSA-745 / ROSAENG-751), aligned with openshift/backplane-cli (SREP-2438).

Changes

  • dependabot-auto-merge.yml: auto-merge patch/minor/digest after required CI; majors manual. Uses pull_request_target (no PR checkout), validated GraphQL/REST/comment responses.
  • branch-protection-check.yml: weekly verification of Dependabot config and workflows.

Notes

  • dependabot[bot] + openshift org only.
  • Requires ci/prow/* checks (DPP-20685).

Test plan

  • Required CI green
  • Review YAML

Made with Cursor

Summary by CodeRabbit

  • New Features
    • Automatic merge for patch and minor dependency update pull requests to speed routine maintenance; major updates require manual review and a warning.
  • Chores
    • Added a scheduled and on-demand repository configuration check that validates required configuration and reports a summary of findings.


coderabbitai Bot commented May 19, 2026

Walkthrough

Adds two GitHub Actions workflows: a scheduled branch-protection check validating Dependabot and workflow YAML, and a Dependabot auto-merge workflow that enables squash auto-merge for patch/minor updates and posts warnings for major updates.

Changes

Dependabot Automation and Validation

  • Branch Protection Configuration Validation (.github/workflows/branch-protection-check.yml): Workflow runs weekly and on manual dispatch to verify .github/dependabot.yml exists and logs a configuration summary, and verifies required auto-merge workflow files are present, failing if either check does not pass.
  • Auto-merge workflow triggers and permissions (.github/workflows/dependabot-auto-merge.yml): Workflow metadata: name, PR trigger event types, pull_request_target usage, and job permissions for enabling auto-merge and posting comments.
  • Safe-update auto-merge implementation (.github/workflows/dependabot-auto-merge.yml): Handles version-update:semver-patch and version-update:semver-minor: fetches Dependabot metadata, retrieves PR node_id, calls GitHub GraphQL to enable squash auto-merge, validates the response, and posts a deduplicated status comment on failure; sets auto_merge_enabled output.
  • Major-update warning and deduped comment (.github/workflows/dependabot-auto-merge.yml): Handles version-update:semver-major by listing existing PR comments to avoid duplicates and posting a deduplicated warning comment that auto-merge is disabled and manual review is required.
  • Final auto-merge decision logging (.github/workflows/dependabot-auto-merge.yml): Prints the final auto-merge decision for patch/minor/major update types and provides a fallback message for other update types.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks: 12 passed

  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title accurately summarizes the main change: adding Dependabot auto-merge workflows, which aligns with both workflow files added (.dependabot-auto-merge.yml and .branch-protection-check.yml).
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: Passed. PR adds GitHub Actions workflow YAML files, not Ginkgo tests. Test files use standard Go testing package, not Ginkgo. Custom check applies only to Ginkgo tests, making it inapplicable here.
  • Test Structure And Quality: Passed. The PR modifies only GitHub Actions workflow YAML files (.github/workflows/*), not Ginkgo test code. The custom check for Ginkgo test quality is not applicable.
  • Microshift Test Compatibility: Passed. PR adds only GitHub Actions workflow files, not Ginkgo e2e tests. The MicroShift compatibility check applies only to e2e test code.
  • Single Node Openshift (Sno) Test Compatibility: Passed. This PR adds only GitHub Actions workflow YAML files (.github/workflows/), not Ginkgo e2e tests. The SNO compatibility check is not applicable.
  • Topology-Aware Scheduling Compatibility: Passed. PR adds only GitHub Actions workflows (.github/workflows/*.yml), not Kubernetes manifests or operator code. Topology-aware scheduling check does not apply to CI/CD automation files.
  • Ote Binary Stdout Contract: Passed. OTE Binary Stdout Contract is not applicable: PR adds only GitHub Actions workflows, not Go test code containing main(), init(), TestMain(), or Ginkgo setup.
  • Ipv6 And Disconnected Network Test Compatibility: Passed. This PR adds only GitHub Actions workflow configuration files (.yml), not Ginkgo e2e tests. The IPv6 check applies only to new Go e2e tests, so it is not applicable here.

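The walkthrough above describes the auto-merge job's control flow: gate on the PR author, classify the Dependabot update type, enable squash auto-merge through the GraphQL API, validate the response body rather than the HTTP status, and post a deduplicated status comment. The block below is an added example, not the workflow code from this PR or from openshift/managed-velero-operator; it models that decision and validation logic offline in Python. The update-type strings are the values dependabot/fetch-metadata emits and the response shape follows GitHub's enablePullRequestAutoMerge mutation (pullRequest.autoMergeRequest with enabledAt and mergeMethod); the comment marker, the sample responses and the expected-owner default are constructed for the demonstration.

```python
"""Decision and response-validation logic of a Dependabot auto-merge job.

Added example, not the workflow code from this PR. The update-type strings are
the ones dependabot/fetch-metadata emits and the response shape follows GitHub's
enablePullRequestAutoMerge GraphQL mutation; the comment marker, the sample
responses and the expected owner default are constructed for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

# Real values of the `update-type` output of dependabot/fetch-metadata.
SAFE_UPDATE_TYPES = {"version-update:semver-patch", "version-update:semver-minor"}
MAJOR_UPDATE_TYPE = "version-update:semver-major"

# Hidden HTML comment used to recognise the job's own earlier comment (constructed).
COMMENT_MARKER = "<!-- dependabot-auto-merge-status -->"


@dataclass(frozen=True)
class Decision:
    action: str  # "auto-merge", "manual-review" or "ignore"
    reason: str


def is_trusted_dependabot_pr(actor: str, owner: str, expected_owner: str = "openshift") -> bool:
    """Gate from the PR notes: act only on dependabot[bot] PRs in the expected org.

    Under pull_request_target the job runs with write permissions, so this check
    must come before anything that calls the API on the PR's behalf.
    """
    return actor == "dependabot[bot]" and owner == expected_owner


def classify_update(update_type: str | None) -> Decision:
    """Map the Dependabot update-type to the merge policy described in the PR."""
    if update_type in SAFE_UPDATE_TYPES:
        return Decision("auto-merge", f"{update_type} is a routine update")
    if update_type == MAJOR_UPDATE_TYPE:
        return Decision("manual-review", "major updates require human review")
    return Decision("ignore", f"unrecognised update type {update_type!r}")


def validate_enable_auto_merge_response(resp: dict[str, Any]) -> tuple[bool, str]:
    """Validate the body of an enablePullRequestAutoMerge call, not its HTTP status.

    GraphQL answers 200 even when the mutation fails; the failure lives in the
    `errors` array and `data.enablePullRequestAutoMerge` is then null.
    """
    errors = resp.get("errors")
    if errors:
        messages = "; ".join(
            str(e.get("message", e)) if isinstance(e, dict) else str(e) for e in errors
        )
        return False, f"GraphQL errors: {messages}"
    try:
        request = resp["data"]["enablePullRequestAutoMerge"]["pullRequest"]["autoMergeRequest"]
    except (KeyError, TypeError):
        return False, "response missing pullRequest.autoMergeRequest"
    if not request or not request.get("enabledAt"):
        return False, "auto-merge is not enabled on the pull request"
    if request.get("mergeMethod") != "SQUASH":
        return False, f"unexpected merge method {request.get('mergeMethod')!r}"
    return True, f"squash auto-merge enabled at {request['enabledAt']}"


def should_post_comment(existing_comments: list[dict[str, Any]], marker: str = COMMENT_MARKER) -> bool:
    """Deduplicate: skip posting when a comment carrying the marker already exists."""
    return not any(marker in (c.get("body") or "") for c in existing_comments)


def build_comment(decision: Decision, detail: str, marker: str = COMMENT_MARKER) -> str:
    """Comment body with the marker so the next run can find and skip it."""
    return f"{marker}\nAuto-merge: {decision.action} ({decision.reason}). {detail}"


if __name__ == "__main__":
    # Constructed GraphQL responses: one success, one refusal from GitHub.
    ok_resp = {"data": {"enablePullRequestAutoMerge": {"pullRequest": {
        "autoMergeRequest": {"enabledAt": "2026-05-19T06:18:00Z", "mergeMethod": "SQUASH"}}}}}
    err_resp = {"data": {"enablePullRequestAutoMerge": None},
                "errors": [{"message": "Pull request is not in the correct state to enable auto-merge"}]}
    decision = classify_update("version-update:semver-patch")
    for resp in (ok_resp, err_resp):
        ok, detail = validate_enable_auto_merge_response(resp)
        print(ok, build_comment(decision, detail))
```

The point of validate_enable_auto_merge_response is the one the PR description calls "validated GraphQL responses": a mutation that GitHub refuses (branch protection not satisfied, PR already mergeable, auto-merge disabled on the repository) still comes back as HTTP 200 with a null data field and an errors array, so a job that only checks the exit code of the API call will log success and never fall through to the comment path.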

openshift-ci Bot requested review from dustman9000 and rbhilare May 19, 2026 06:02


openshift-ci Bot commented May 19, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MitaliBhalla
Once this PR has been reviewed and has the lgtm label, please assign theautoroboto for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

MitaliBhalla force-pushed the chore/dependabot-auto-merge branch 5 times, most recently from dfe481a to cf77178 on May 19, 2026 06:18
- Auto-merge patch/minor/digest after CI; majors manual
- pull_request_target with validated API responses
- branch-protection-check for config/workflow presence

Co-authored-by: Cursor <cursoragent@cursor.com>
MitaliBhalla force-pushed the chore/dependabot-auto-merge branch from cf77178 to f29985c on May 20, 2026 07:52

coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/branch-protection-check.yml:
- Around line 16-17: The workflow uses a floating action ref "uses:
actions/checkout@v4" and leaves persisted credentials enabled; update the
checkout step to use a pinned reference (preferably an exact tag or commit SHA
instead of `@v4`) and disable persisted credentials by setting the checkout step's
"persist-credentials" input to false so the action is both pinned and does not
leak repository credentials (locate the checkout step that currently uses
actions/checkout@v4).
- Around line 66-68: The validator currently reads on = wf.get("on") and assumes
the workflow key is the string "on", but YAML may parse an unquoted on: as
boolean True so wf.get("on") can be None; change the lookup to check both keys
(e.g., prefer "on" if present, else check for True) before validating type and
presence of "pull_request_target". Update the logic around the wf variable where
on is fetched so it sets on = wf.get("on") or wf.get(True) (or equivalent
key-existence check), then keep the existing type check and
fail("dependabot-auto-merge.yml must use pull_request_target trigger") when on
is not a dict or missing "pull_request_target".

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3326300a-4c5e-4c32-9030-f3e56be835b7

📥 Commits

Reviewing files that changed from the base of the PR and between 4219f59 and f29985c.

📒 Files selected for processing (2)
  • .github/workflows/branch-protection-check.yml
  • .github/workflows/dependabot-auto-merge.yml

Comment on lines +16 to +17
- name: Checkout code
  uses: actions/checkout@v4


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Verify checkout refs and credential persistence settings in workflows
rg -n -C2 'uses:\s*actions/checkout@' .github/workflows/*.yml
rg -n -C2 'persist-credentials' .github/workflows/*.yml

Repository: openshift/managed-velero-operator

Length of output: 457


Pin actions/checkout and disable persisted credentials.

Line 17 uses a floating action ref (@v4), and checkout persists credentials by default. This is a workflow hardening gap and may violate pinned-action compliance policies.

Suggested patch
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@<full-length-commit-sha>
+        with:
+          persist-credentials: false
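Review bot: the `uses: actions/checkout@<full-length-commit-sha>` line is a placeholder, not a pin; whoever applies this must substitute the 40-character commit SHA of the actions/checkout release they have verified, and keep the tag it corresponds to in a trailing comment (`# v4.x.y`) so reviewers can still read the version and Dependabot's github-actions updates can keep bumping the pinned SHA. Since branch-protection-check.yml runs only on schedule and manual dispatch, the checked-out ref is the repository's own default branch rather than an untrusted PR head, and nothing the job is described as doing pushes, so `persist-credentials: false` costs nothing here and removes the token from .git/config on the runner.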
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


Comment on lines +66 to +68
on = wf.get("on")
if not isinstance(on, dict) or "pull_request_target" not in on:
    fail("dependabot-auto-merge.yml must use pull_request_target trigger")


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
python3 -m pip install --quiet pyyaml
python3 <<'PY'
from pathlib import Path
import yaml
wf = yaml.safe_load(Path(".github/workflows/dependabot-auto-merge.yml").read_text())
print("Top-level keys:", list(wf.keys())[:5])
print("'on' key exists:", "on" in wf)
print("True key exists:", True in wf)
PY

Repository: openshift/managed-velero-operator

Length of output: 176


🏁 Script executed:

fd "branch-protection-check.yml" --type f

Repository: openshift/managed-velero-operator

Length of output: 59


🏁 Script executed:

cat -n ".github/workflows/branch-protection-check.yml"

Repository: openshift/managed-velero-operator

Length of output: 4239


🏁 Script executed:

# Check the dependabot-auto-merge.yml file to see the actual structure
cat -n ".github/workflows/dependabot-auto-merge.yml"

Repository: openshift/managed-velero-operator

Length of output: 11820


Fix on trigger parsing in the validator script.

With yaml.safe_load, unquoted workflow key on: is parsed as boolean True, so wf.get("on") returns None and valid workflows fail this check. The validator needs to check for the boolean key as a fallback.

Suggested patch
-          on = wf.get("on")
-          if not isinstance(on, dict) or "pull_request_target" not in on:
+          on_section = wf.get("on")
+          if on_section is None and True in wf:
+              on_section = wf[True]
+          if not isinstance(on_section, dict) or "pull_request_target" not in on_section:
               fail("dependabot-auto-merge.yml must use pull_request_target trigger")
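Review bot: the replacement still rejects two trigger spellings GitHub accepts for the same workflow: `on: pull_request_target` (a bare string) and `on: [pull_request_target, workflow_dispatch]` (a list) both fail the `isinstance(on_section, dict)` test and get the misleading "must use pull_request_target trigger" message; normalise first (wrap a string in a list, take the keys of a mapping) and then test membership. Looking up `"on"` before `True` is the right order: PyYAML's safe_load follows YAML 1.1 and yields the boolean key, while a YAML 1.2 loader keeps the string `on`, so the validator should accept either rather than assume one loader.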
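The finding above is about how the validator script in branch-protection-check.yml reads the workflow's trigger section. The block below is an added example, not the PR's validator: it implements a lookup that works under both YAML 1.1 (PyYAML's safe_load, where an unquoted top-level `on:` key is loaded as the boolean True) and YAML 1.2 (where the key stays the string "on"), and it goes a step beyond the finding by also accepting the string and list spellings of `on:` that GitHub Actions allows. The workflow text, the loader-shaped dicts and the WorkflowError class standing in for the script's fail() helper are constructed here; if PyYAML is installed the text is actually parsed, otherwise the pre-built PyYAML-shaped dict is used.

```python
"""Workflow trigger lookup that survives PyYAML's `on` -> True key conversion.

Added example, not the validator script from this PR. PyYAML's safe_load
follows YAML 1.1, so an unquoted top-level `on:` key is loaded as the boolean
True; a YAML 1.2 loader keeps the string "on". GitHub also accepts three
spellings of the trigger section (string, list, mapping), and all three are
normalised before the membership test. Sample workflow dicts are constructed.
"""
from __future__ import annotations

from typing import Any


class WorkflowError(ValueError):
    """Stands in for the validator's fail() helper."""


def get_on_section(wf: dict[Any, Any]) -> Any:
    """Return the trigger section whichever key the YAML loader produced."""
    if "on" in wf:        # YAML 1.2 loader, or a quoted "on" key
        return wf["on"]
    if True in wf:        # YAML 1.1 loader (PyYAML): unquoted on -> True
        return wf[True]
    return None


def trigger_names(on_section: Any) -> set[str]:
    """Normalise `on: x`, `on: [x, y]` and `on: {x: {...}}` to a set of event names."""
    if isinstance(on_section, str):
        return {on_section}
    if isinstance(on_section, list):
        return {t for t in on_section if isinstance(t, str)}
    if isinstance(on_section, dict):
        return {k for k in on_section if isinstance(k, str)}
    return set()


def require_trigger(wf: dict[Any, Any], trigger: str, filename: str) -> None:
    """Fail the way the validator does when the trigger is absent."""
    if trigger not in trigger_names(get_on_section(wf)):
        raise WorkflowError(f"{filename} must use {trigger} trigger")


def uses_pull_request_target(wf: dict[Any, Any]) -> bool:
    """Boolean form of the check for the dependabot-auto-merge workflow."""
    try:
        require_trigger(wf, "pull_request_target", "dependabot-auto-merge.yml")
    except WorkflowError:
        return False
    return True


# Constructed workflow text and the dicts each kind of loader returns for it.
WORKFLOW_TEXT = """\
name: Dependabot auto-merge
on:
  pull_request_target:
    types: [opened, synchronize, reopened]
permissions:
  contents: write
  pull-requests: write
"""
PYYAML_SHAPE = {
    "name": "Dependabot auto-merge",
    True: {"pull_request_target": {"types": ["opened", "synchronize", "reopened"]}},
    "permissions": {"contents": "write", "pull-requests": "write"},
}
YAML12_SHAPE = {"name": "Dependabot auto-merge",
                "on": {"pull_request_target": {"types": ["opened"]}}}
STRING_FORM = {True: "pull_request_target"}
LIST_FORM = {True: ["pull_request_target", "workflow_dispatch"]}
WRONG_TRIGGER = {True: {"pull_request": {}}}


def load_workflow(text: str) -> dict[Any, Any]:
    """Parse with PyYAML when it is installed; otherwise return the PyYAML-shaped dict."""
    try:
        import yaml  # PyYAML
    except ImportError:
        return PYYAML_SHAPE
    return yaml.safe_load(text)


if __name__ == "__main__":
    wf = load_workflow(WORKFLOW_TEXT)
    print("top-level keys:", list(wf))  # shows True instead of 'on' under PyYAML
    for sample in (wf, YAML12_SHAPE, STRING_FORM, LIST_FORM, WRONG_TRIGGER):
        print(uses_pull_request_target(sample), trigger_names(get_on_section(sample)))
```

Note the reason the original check matters for security rather than just correctness: the validator exists to assert that the auto-merge workflow is wired to pull_request_target, and a lookup that always returns None under PyYAML makes that assertion fail on every run, which invites someone to "fix" the weekly job by weakening or deleting the check instead of the lookup.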


openshift-ci Bot commented May 20, 2026

@MitaliBhalla: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
