Add Dependabot auto approve workflow (#286)

Zeitsperre · web-flow · commit d2bab960c5af · 2026-01-15T15:21:24.000Z
## Overview Changes: * Added a workflow for automatically approving and merging **patch** and **minor** Dependabot updates. * Reduced the frequency of updates (now "quarterly") ## Related Issue / Discussion I've configured a method of Dependabot gaining an access token via the Birdhouse Helper Bot. This secret is only accessible to Pull Requests opened by Dependabot. This workflow has been implemented for Ouranos repositories without issues. ## Additional Information This change is being made to address the following announcement: > Beginning January 27, 2026, Dependabot will no longer support the https://github.com/dependabot merge command. Please use GitHub's native pull request controls instead. Please see the [changelog announcement](https://github.blog/changelog/2025-10-06-upcoming-changes-to-github-dependabot-pull-request-comment-commands/) for additional details.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -6,22 +6,27 @@
 version: 2
 updates:
   - package-ecosystem: github-actions
-    directory: /
+    directory: /.github/workflows
     schedule:
-      interval: monthly
+      interval: "quarterly"
     groups:
       actions:
         patterns:
           - "*"
+        update-types:
+          - patch
+          - minor
+          - major
 
   - package-ecosystem: pip
     directory: /
     schedule:
-      interval: monthly
+      interval: "quarterly"
     groups:
-      ci:
-        patterns:
-          - "CI/*"
       python:
         patterns:
           - "requirements*.txt"
+        update-types:
+          - patch
+          - minor
+          - major
diff --git a/.github/workflows/auto-accept-ci-changes.yml b/.github/workflows/auto-accept-ci-changes.yml
@@ -0,0 +1,79 @@
+name: Dependabot CI Updates
+
+on:
+  pull_request:
+    branches:
+      - main
+    types:
+      - opened
+      - synchronize
+
+permissions:
+  contents: read
+
+jobs:
+  dependabot-auto-approve:
+    name: Auto-approve and auto-merge safe Dependabot updates
+    runs-on: ubuntu-latest
+    if: >
+      github.event.pull_request.user.login == 'dependabot[bot]' &&
+      contains(github.event.pull_request.labels.*.name, 'dependencies')
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          disable-sudo: true
+          egress-policy: audit
+
+      - name: Generate GitHub App token
+        id: token_generator
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        with:
+          app-id: ${{ secrets.BIRDHOUSE_HELPER_BOT_ID }}
+          private-key: ${{ secrets.BIRDHOUSE_HELPER_BOT_KEY }}
+
+      - name: Fetch Dependabot metadata
+        id: dependabot-metadata
+        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
+        with:
+          github-token: ${{ steps.token_generator.outputs.token }}
+
+      - name: Stop workflow if not minor update or patch update
+        id: skip-condition
+        if: >
+          steps.dependabot-metadata.outputs.update-type != 'version-update:semver-minor' &&
+          steps.dependabot-metadata.outputs.update-type != 'version-update:semver-patch'
+        run: |
+          echo "Not a minor or patch update; skipping auto-approval."
+          echo "skip=true" >> $GITHUB_OUTPUT
+
+      - name: Checkout Repository
+        if: steps.skip-condition.outputs.skip != 'true'
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+          token: ${{ steps.token_generator.outputs.token }}
+
+      - name: Approve Changes
+        if: steps.skip-condition.outputs.skip != 'true'
+        run: |
+          decision="$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)"
+          if [ "$decision" != "APPROVED" ]; then
+            gh pr review --approve "$PR_URL"
+          else
+            echo "PR already approved: skipping approval."
+          fi
+        env:
+          GITHUB_TOKEN: ${{ steps.token_generator.outputs.token }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+
+      - name: Enable auto-merge on Pull Request
+        if: steps.skip-condition.outputs.skip != 'true'
+        run: |
+          gh pr merge --auto --merge "$PR_URL"
+        env:
+          GITHUB_TOKEN: ${{ steps.token_generator.outputs.token }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
