Skip to content

Add runbook for Dependabot PR auto-merge workflow #1177

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ryz310 merged 2 commits into from
Feb 24, 2026
Merged

Add runbook for Dependabot PR auto-merge workflow #1177

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7630d10
Add runbook for Dependabot PR auto-merge workflow
ryz310 Feb 24, 2026
9f0f212
Merge branch 'master' into codex/dependabot-pr-runbook
ryz310 Feb 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions AGENTS.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,3 +76,6 @@
- Propose a KPT retrospective when a task reaches a completion point, such as after creating a Pull Request.
- Based on the KPT results, propose updates to `AGENTS.md`.
- The timing of the retrospective may be decided by Codex when it is appropriate.

## Runbook
- Dependabot PR review and auto-merge operation steps are documented in `docs/runbooks/dependabot_pr_auto_merge.md`.
68 changes: 68 additions & 0 deletions docs/runbooks/dependabot_pr_auto_merge.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
# Dependabot PR Review and Auto-Merge Runbook

## Purpose
This runbook standardizes how to review Dependabot pull requests for GitHub Actions updates and safely enable auto-merge.

## Scope
- Target: Dependabot PRs that update GitHub Actions versions (for example, `actions/upload-artifact`).
- Primary workflow file in this repository: `.github/workflows/ci.yml`.

## Prerequisites
- `gh` CLI is authenticated and can access `ryz310/my_api_client`.
- You have permission to comment on and merge PRs.
- Branch protection rules and required checks are configured on GitHub.

## Step-by-step
1. Open PR metadata and changed files.

```bash
gh pr view <PR_NUMBER> --json number,title,author,baseRefName,headRefName,files,body
```

2. Review the exact diff and identify action version changes.

```bash
gh pr diff <PR_NUMBER>
```

3. Compare old and new action versions and summarize impact.
- Focus on major version changes and runtime requirements (Node version, runner minimum version, breaking changes).
- For `actions/upload-artifact`, verify compatibility notes in the official release notes.

4. Enable auto-merge with squash merge.

```bash
gh pr merge <PR_NUMBER> --auto --squash
```

5. Check merge state.

```bash
gh pr view <PR_NUMBER> --json state,mergeStateStatus,autoMergeRequest
```

6. If state is `BEHIND`, request Dependabot rebase.

```bash
gh pr comment <PR_NUMBER> --body "@dependabot rebase"
```

7. Re-check status until the branch is up to date and required checks pass.

```bash
gh pr view <PR_NUMBER> --json state,mergeStateStatus,statusCheckRollup,autoMergeRequest
```

## Done criteria
- `autoMergeRequest` is enabled.
- `mergeStateStatus` is not `BEHIND`.
- Required CI checks are green.
- PR is merged automatically, or clearly waiting only on pending required checks.

## Failure handling
- If rebase does not start, re-run comment:
- `@dependabot rebase`
- If checks fail, inspect failing jobs and decide:
- fix in a follow-up PR, or
- close/ignore that update version with Dependabot commands.
- If the update introduces breaking changes, disable auto-merge and switch to manual review with explicit test evidence.
Loading