Add migration steps for Dependabot auto-merge and CODEOWNERS

- Add create_dependabot_auto_merge_workflow() to create .github/workflows/auto-dependabot.yaml
- Add disable_codeowners_review_requirement() to update GitHub ruleset via API
- Add auto-dependabot.yaml workflow template to cookiecutter
- Regenerate golden test files with UPDATE_GOLDEN=1

Signed-off-by: Mathias L. Baumann <[email protected]>

Author: Marenz

cookiecutter/migrate.py

@@ -32,10 +32,156 @@ def main() -> None:
     """Run the migration steps."""
     # Add a separation line like this one after each migration step.
     print("=" * 72)
+    print("Creating Dependabot auto-merge workflow...")
+    create_dependabot_auto_merge_workflow()
+    print("=" * 72)
+    print("Disabling CODEOWNERS review requirement in GitHub ruleset...")
+    disable_codeowners_review_requirement()
+    print("=" * 72)
     print("Migration script finished. Remember to follow any manual instructions.")
     print("=" * 72)
 
 
+def create_dependabot_auto_merge_workflow() -> None:
+    """Create the Dependabot auto-merge workflow file."""
+    workflow_dir = Path(".github") / "workflows"
+    workflow_dir.mkdir(parents=True, exist_ok=True)
+
+    workflow_content = """name: Auto-merge Dependabot PRs
+
+on:
+  pull_request:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Auto-merge Dependabot PR
+        uses: frequenz-floss/dependabot-auto-approve@3cad5f42e79296505473325ac6636be897c8b8a1 # v1.3.2  # noqa: E501
+        with:
+          github-token: {% raw %}${{ secrets.GITHUB_TOKEN }}{% endraw %}
+          merge-method: 'merge'
+"""
+
+    workflow_file = workflow_dir / "auto-dependabot.yaml"
+    if workflow_file.exists():
+        print(f"Workflow file {workflow_file} already exists, skipping creation.")
+        return
+
+    workflow_file.write_text(workflow_content, encoding="utf-8")
+    print(f"Created Dependabot auto-merge workflow at {workflow_file}")
+
+
+def disable_codeowners_review_requirement() -> None:  # noqa: C901
+    """Disable CODEOWNERS review requirement in GitHub repository ruleset."""
+    import json  # pylint: disable=import-outside-toplevel
+
+    try:
+        result = subprocess.run(
+            ["gh", "api", "repos/:owner/:repo", "--jq", ".default_branch"],
+            capture_output=True,
+            text=True,
+            check=True,
+        )
+        default_branch = result.stdout.strip()
+        print(f"Default branch: {default_branch}")
+    except subprocess.CalledProcessError as e:
+        print(f"Failed to get default branch: {e}")
+        print("Skipping CODEOWNERS review requirement update.")
+        print("You may need to manually disable the CODEOWNERS review requirement.")
+        return
+
+    try:
+        result = subprocess.run(
+            ["gh", "api", "repos/:owner/:repo/rulesets"],
+            capture_output=True,
+            text=True,
+            check=True,
+        )
+
+        rulesets = json.loads(result.stdout)
+
+        version_branch_ruleset = None
+        for ruleset in rulesets:
+            if ruleset.get("name") == "Protect version branches":
+                version_branch_ruleset = ruleset
+                break
+
+        if not version_branch_ruleset:
+            print("Protect version branches ruleset not found, skipping update.")
+            print("You may need to manually disable the CODEOWNERS review requirement.")
+            return
+
+        ruleset_id = version_branch_ruleset["id"]
+        print(f"Found ruleset ID: {ruleset_id}")
+
+        result = subprocess.run(
+            ["gh", "api", f"repos/:owner/:repo/rulesets/{ruleset_id}"],
+            capture_output=True,
+            text=True,
+            check=True,
+        )
+        ruleset_config = json.loads(result.stdout)
+
+        updated = False
+        for rule in ruleset_config.get("rules", []):
+            if rule.get("type") == "pull_request":
+                if rule.get("parameters", {}).get("require_code_owner_review"):
+                    rule["parameters"]["require_code_owner_review"] = False
+                    updated = True
+                    break
+
+        if not updated:
+            print("CODEOWNERS review requirement already disabled.")
+            return
+
+        update_payload = {
+            "name": ruleset_config["name"],
+            "target": ruleset_config["target"],
+            "enforcement": ruleset_config["enforcement"],
+            "conditions": ruleset_config["conditions"],
+            "rules": ruleset_config["rules"],
+            "bypass_actors": ruleset_config["bypass_actors"],
+        }
+
+        with tempfile.NamedTemporaryFile(mode="w", suffix=".json", delete=False) as f:
+            json.dump(update_payload, f, indent=2)
+            temp_file = f.name
+
+        try:
+            subprocess.run(
+                [
+                    "gh",
+                    "api",
+                    "-X",
+                    "PUT",
+                    f"repos/:owner/:repo/rulesets/{ruleset_id}",
+                    "--input",
+                    temp_file,
+                ],
+                capture_output=True,
+                check=True,
+            )
+            print(
+                "Successfully disabled CODEOWNERS review requirement in "
+                "GitHub ruleset."
+            )
+        finally:
+            os.unlink(temp_file)
+
+    except subprocess.CalledProcessError as e:
+        print(f"Failed to update GitHub ruleset: {e}")
+        print("You may need to manually disable the CODEOWNERS review requirement.")
+    except Exception as e:  # pylint: disable=broad-exception-caught
+        print(f"Error updating ruleset: {e}")
+        print("You may need to manually disable the CODEOWNERS review requirement.")
+
+
 def apply_patch(patch_content: str) -> None:
     """Apply a patch using the patch utility."""
     subprocess.run(["patch", "-p1"], input=patch_content.encode(), check=True)

cookiecutter/{{cookiecutter.github_repo_name}}/.github/workflows/auto-dependabot.yaml

@@ -0,0 +1,19 @@
+name: Auto-merge Dependabot PRs
+
+on:
+  pull_request:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Auto-merge Dependabot PR
+        uses: frequenz-floss/dependabot-auto-approve@3cad5f42e79296505473325ac6636be897c8b8a1 # v1.3.2
+        with:
+          github-token: {% raw %}${{ secrets.GITHUB_TOKEN }}{% endraw %}
+          merge-method: 'merge'

tests_golden/integration/test_cookiecutter_generation/actor/frequenz-actor-test/.github/workflows/auto-dependabot.yaml

@@ -0,0 +1,19 @@
+name: Auto-merge Dependabot PRs
+
+on:
+  pull_request:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Auto-merge Dependabot PR
+        uses: frequenz-floss/dependabot-auto-approve@3cad5f42e79296505473325ac6636be897c8b8a1 # v1.3.2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          merge-method: 'merge'

tests_golden/integration/test_cookiecutter_generation/api/frequenz-api-test/.github/workflows/auto-dependabot.yaml

@@ -0,0 +1,19 @@
+name: Auto-merge Dependabot PRs
+
+on:
+  pull_request:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Auto-merge Dependabot PR
+        uses: frequenz-floss/dependabot-auto-approve@3cad5f42e79296505473325ac6636be897c8b8a1 # v1.3.2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          merge-method: 'merge'

tests_golden/integration/test_cookiecutter_generation/app/frequenz-app-test/.github/workflows/auto-dependabot.yaml

@@ -0,0 +1,19 @@
+name: Auto-merge Dependabot PRs
+
+on:
+  pull_request:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Auto-merge Dependabot PR
+        uses: frequenz-floss/dependabot-auto-approve@3cad5f42e79296505473325ac6636be897c8b8a1 # v1.3.2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          merge-method: 'merge'

tests_golden/integration/test_cookiecutter_generation/lib/frequenz-test-python/.github/workflows/auto-dependabot.yaml

@@ -0,0 +1,19 @@
+name: Auto-merge Dependabot PRs
+
+on:
+  pull_request:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Auto-merge Dependabot PR
+        uses: frequenz-floss/dependabot-auto-approve@3cad5f42e79296505473325ac6636be897c8b8a1 # v1.3.2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          merge-method: 'merge'

tests_golden/integration/test_cookiecutter_generation/model/frequenz-model-test/.github/workflows/auto-dependabot.yaml

@@ -0,0 +1,19 @@
+name: Auto-merge Dependabot PRs
+
+on:
+  pull_request:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Auto-merge Dependabot PR
+        uses: frequenz-floss/dependabot-auto-approve@3cad5f42e79296505473325ac6636be897c8b8a1 # v1.3.2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          merge-method: 'merge'