Modernize automerge workflow to match cli-web-* template #10

Closed
opened 2026-05-23 20:55:40 +00:00 by coilysiren · 1 comment
Owner

Originally filed by @coilysiren on 2026-05-15T01:42:52Z - https://github.com/coilysiren/website/issues/1375

Problem - .github/workflows/automerge.yml is the older shape: dependabot/fetch-metadata@v1, on: pull_request, no patch/minor filter. Newer repos (cli-web-docs, cli-web-ops) ship dependabot-auto-merge.yml with the v2 metadata action, pull_request_target trigger, and a version-update:semver-patch || semver-minor gate.

Why it matters - the v1 fetch-metadata action is deprecated. The pull_request_target trigger lets the workflow run with write permissions on first-time-contributor PRs, which matters once dependabot's token scoping tightens. The patch/minor filter prevents unattended major-version merges.

Acceptance

  • Replace automerge.yml with the dependabot-auto-merge.yml from cli-web-docs/.github/workflows/dependabot-auto-merge.yml verbatim (or near-verbatim).
  • Delete the old automerge.yml in the same commit.
  • Confirm a dependabot PR (next patch bump that lands) auto-merges as expected.
_Originally filed by @coilysiren on 2026-05-15T01:42:52Z - [https://github.com/coilysiren/website/issues/1375](https://github.com/coilysiren/website/issues/1375)_ **Problem** - `.github/workflows/automerge.yml` is the older shape: `dependabot/fetch-metadata@v1`, `on: pull_request`, no patch/minor filter. Newer repos (`cli-web-docs`, `cli-web-ops`) ship `dependabot-auto-merge.yml` with the v2 metadata action, `pull_request_target` trigger, and a `version-update:semver-patch || semver-minor` gate. **Why it matters** - the v1 fetch-metadata action is deprecated. The `pull_request_target` trigger lets the workflow run with write permissions on first-time-contributor PRs, which matters once dependabot's token scoping tightens. The patch/minor filter prevents unattended major-version merges. **Acceptance** - Replace `automerge.yml` with the `dependabot-auto-merge.yml` from `cli-web-docs/.github/workflows/dependabot-auto-merge.yml` verbatim (or near-verbatim). - Delete the old `automerge.yml` in the same commit. - Confirm a dependabot PR (next patch bump that lands) auto-merges as expected.
Author
Owner

Backlog burndown 2026-06-17: closing low-priority (P3/P4) to bring the open count to a manageable level. Nothing lost — reopen if this resurfaces. Batch tag: burndown-2026-06.

Backlog burndown 2026-06-17: closing low-priority (P3/P4) to bring the open count to a manageable level. Nothing lost — reopen if this resurfaces. Batch tag: `burndown-2026-06`.
coilysiren 2026-06-17 08:24:04 +00:00
Sign in to join this conversation.
No description provided.