Add Dependabot auto-merge workflow and migration script #466
Conversation
This resets cookiecutter/migrate.py to match .github/cookiecutter-migrate.template.py, removing all previous migration steps to prepare for new migrations. Signed-off-by: Mathias L. Baumann <[email protected]>
github-actions
bot
added
the
part:template
Marenz
changed the title
There was a problem hiding this comment.
Pull Request Overview
This PR adds Dependabot auto-merge functionality to streamline dependency updates. It creates a GitHub Actions workflow to automatically merge Dependabot PRs and updates the migration script to create this workflow and disable the CODEOWNERS review requirement for automated merges.
Key changes:
- Added new
auto-dependabot.yamlworkflow for automatic Dependabot PR merging - Updated migration script to create the workflow and modify GitHub ruleset settings
- Added/updated lockfile (
uv.lock) with project dependencies
Reviewed Changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| uv.lock | Added complete dependency lockfile with pinned versions |
| auto-dependabot.yaml (multiple) | New GitHub Actions workflow for auto-merging Dependabot PRs |
| cookiecutter/migrate.py | Refactored migration script to create auto-merge workflow and disable CODEOWNERS requirement |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Auto-merge Dependabot PR | ||
| uses: frequenz-floss/dependabot-auto-approve@3cad5f42e79296505473325ac6636be897c8b8a1 # v1.3.2 # noqa: E501 |
There was a problem hiding this comment.
The inline # noqa: E501 comment to suppress line length warnings is included in the workflow template string. This will appear in the generated workflow file, which is unnecessary and pollutes the output. The noqa comment should only be in the Python source, not in the template string itself. Consider breaking the line or removing the noqa from the template.
| uses: frequenz-floss/dependabot-auto-approve@3cad5f42e79296505473325ac6636be897c8b8a1 # v1.3.2 # noqa: E501 | |
| uses: frequenz-floss/dependabot-auto-approve@3cad5f42e79296505473325ac6636be897c8b8a1 # v1.3.2 |
| print(f"Created Dependabot auto-merge workflow at {workflow_file}") | ||
|
|
||
|
|
||
| def disable_codeowners_review_requirement() -> None: # noqa: C901 |
There was a problem hiding this comment.
The function has a complexity warning (C901) that's being suppressed. The function is quite long (103 lines) with multiple nested try-except blocks and conditionals. Consider refactoring this into smaller, more focused functions (e.g., get_default_branch(), find_version_branch_ruleset(), update_ruleset()) to improve readability and maintainability.
cookiecutter/migrate.py
Outdated
| - name: Auto-merge Dependabot PR | ||
| uses: frequenz-floss/dependabot-auto-approve@3cad5f42e79296505473325ac6636be897c8b8a1 # v1.3.2 # noqa: E501 | ||
| with: | ||
| github-token: {% raw %}${{ secrets.GITHUB_TOKEN }}{% endraw %} |
There was a problem hiding this comment.
The Jinja2 {% raw %} tags are used here, but they're inconsistent with the actual workflow files generated in the test golden outputs (lines 18 in the test files). The test files show the GitHub Actions variable without Jinja2 escaping. This suggests the template rendering might not work as expected, or the test fixtures are incorrect. Verify that the Jinja2 raw tags are necessary and working correctly in the cookiecutter context.
| github-token: {% raw %}${{ secrets.GITHUB_TOKEN }}{% endraw %} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} |
|
|
||
| def disable_codeowners_review_requirement() -> None: # noqa: C901 | ||
| """Disable CODEOWNERS review requirement in GitHub repository ruleset.""" | ||
| import json # pylint: disable=import-outside-toplevel |
There was a problem hiding this comment.
[nitpick] The json module import is placed inside the function. While this might be intentional to avoid import overhead for migration steps that don't need it, json is a standard library module with minimal import cost. Consider moving this to the top-level imports for better code organization and consistency, as the performance benefit is negligible.
| print(f"Failed to update GitHub ruleset: {e}") | ||
| print("You may need to manually disable the CODEOWNERS review requirement.") | ||
| except Exception as e: # pylint: disable=broad-exception-caught | ||
| print(f"Error updating ruleset: {e}") |
There was a problem hiding this comment.
The broad exception handler catches all exceptions but provides a generic error message. This makes debugging difficult when unexpected errors occur. Consider logging the exception traceback or at least the exception type to provide more useful diagnostic information: print(f'Error updating ruleset ({type(e).__name__}): {e}').
| print(f"Error updating ruleset: {e}") | |
| print(f"Error updating ruleset ({type(e).__name__}): {e}") |
Marenz
force-pushed
the
auto-dependabot-merge
branch
from
7000fbf to
3759886
Compare
|
This PR shows the changes created by the migration script: https://github.com/frequenz-io/frequenz-actor-fcr/pull/494#pullrequestreview-3449407238 |
- Add create_dependabot_auto_merge_workflow() to create .github/workflows/auto-dependabot.yaml - Add disable_codeowners_review_requirement() to update GitHub ruleset via API - Add auto-dependabot.yaml workflow template to cookiecutter - Regenerate golden test files with UPDATE_GOLDEN=1 Signed-off-by: Mathias L. Baumann <[email protected]>
Marenz
force-pushed
the
auto-dependabot-merge
branch
from
3759886 to
12291ef
Compare
1 participant
Summary
frequenz-floss/dependabot-auto-approveactionChanges
First commit: Reset
cookiecutter/migrate.pyto template, removing old migration stepsSecond commit:
create_dependabot_auto_merge_workflow()functiondisable_codeowners_review_requirement()function to update GitHub rulesets