From ff4340f27596d359e0e467dcf08ca7e305b88bc1 Mon Sep 17 00:00:00 2001 From: MitaliBhalla Date: Tue, 9 Dec 2025 08:30:08 +0530 Subject: [PATCH 1/4] fix: improve dependabot auto-merge workflow - Add missing checkout step to fix 'fatal: not a git repository' error - Add required permissions (metadata: read, actions: read) for auto-merge - Improve error handling with GitHub API and graceful fallback behavior - Add informative comments to PRs when auto-merge fails due to permissions - Ensure workflow doesn't fail when auto-merge permissions are insufficient Fixes dependabot auto-merge workflow failures and provides better user experience. --- .github/workflows/dependabot-auto-merge.yml | 28 +++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index 5ae39774..85f745b5 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -50,8 +50,32 @@ jobs: echo "Previous version: ${{ steps.metadata.outputs.previous-version }}" echo "New version: ${{ steps.metadata.outputs.new-version }}" - # Enable auto-merge with merge commit strategy - gh pr merge --auto --merge "${{ github.event.pull_request.number }}" + # Enable auto-merge using GitHub API + response=$(curl -s -w "%{http_code}" -o /tmp/response.json \ + -X PUT \ + -H "Accept: application/vnd.github+json" \ + -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/merge" \ + -d '{"merge_method":"merge"}') + + if [[ "$response" -eq 200 ]]; then + echo "✅ Auto-merge enabled successfully" + cat /tmp/response.json + else + echo "❌ Failed to enable auto-merge. HTTP status: $response" + echo "Response body:" + cat /tmp/response.json + echo "::warning::Could not enable auto-merge due to permissions. PR labeled for manual review." + + # Add a comment to the PR explaining the situation + curl -X POST \ + -H "Accept: application/vnd.github+json" \ + -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \ + -d '{"body":"🤖 **Dependabot Auto-Merge Status**\n\nThis PR meets the criteria for auto-merge but could not be automatically merged due to repository permissions.\n\n**Details:**\n- Update type: ${{ steps.metadata.outputs.update-type }}\n- Dependencies: ${{ steps.metadata.outputs.dependency-names }}\n- Previous version: ${{ steps.metadata.outputs.previous-version }}\n- New version: ${{ steps.metadata.outputs.new-version }}\n\nPlease review and merge manually if appropriate."}' + fi env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 47c752f37702daa2bfa2124033b815b76c46c420 Mon Sep 17 00:00:00 2001 From: MitaliBhalla Date: Tue, 9 Dec 2025 08:38:43 +0530 Subject: [PATCH 2/4] fix: restrict dependabot workflow to upstream repository only - Add repository check to prevent workflow from running on forks - Fixes unwanted failure notifications on personal forks - Ensures workflow only runs on openshift/backplane-cli where intended --- .github/workflows/dependabot-auto-merge.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index 85f745b5..8dd94499 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -14,8 +14,8 @@ permissions: jobs: auto-merge: runs-on: ubuntu-latest - # Only run for Dependabot PRs - if: github.actor == 'dependabot[bot]' + # Only run for Dependabot PRs on the upstream repository (not forks) + if: github.actor == 'dependabot[bot]' && github.repository == 'openshift/backplane-cli' steps: - name: Checkout code uses: actions/checkout@v4 From 4a2455d541574a9bd8b61cb59221879ee9a51142 Mon Sep 17 00:00:00 2001 From: MitaliBhalla Date: Tue, 9 Dec 2025 09:36:56 +0530 Subject: [PATCH 3/4] security: improve token handling in dependabot workflow - Use environment variable reference instead of direct secret interpolation - Add explicit comments about automatic token masking - Add silent flag to curl commands to reduce log verbosity - Addresses security concerns about token exposure in public repo logs Co-authored-by: feichashao --- .github/workflows/dependabot-auto-merge.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index 8dd94499..7ab04650 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -50,11 +50,11 @@ jobs: echo "Previous version: ${{ steps.metadata.outputs.previous-version }}" echo "New version: ${{ steps.metadata.outputs.new-version }}" - # Enable auto-merge using GitHub API + # Enable auto-merge using GitHub API (token is automatically masked in logs) response=$(curl -s -w "%{http_code}" -o /tmp/response.json \ -X PUT \ -H "Accept: application/vnd.github+json" \ - -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ + -H "Authorization: Bearer $GH_TOKEN" \ -H "X-GitHub-Api-Version: 2022-11-28" \ "https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/merge" \ -d '{"merge_method":"merge"}') @@ -68,10 +68,10 @@ jobs: cat /tmp/response.json echo "::warning::Could not enable auto-merge due to permissions. PR labeled for manual review." - # Add a comment to the PR explaining the situation - curl -X POST \ + # Add a comment to the PR explaining the situation (token is automatically masked) + curl -s -X POST \ -H "Accept: application/vnd.github+json" \ - -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ + -H "Authorization: Bearer $GH_TOKEN" \ -H "X-GitHub-Api-Version: 2022-11-28" \ "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \ -d '{"body":"🤖 **Dependabot Auto-Merge Status**\n\nThis PR meets the criteria for auto-merge but could not be automatically merged due to repository permissions.\n\n**Details:**\n- Update type: ${{ steps.metadata.outputs.update-type }}\n- Dependencies: ${{ steps.metadata.outputs.dependency-names }}\n- Previous version: ${{ steps.metadata.outputs.previous-version }}\n- New version: ${{ steps.metadata.outputs.new-version }}\n\nPlease review and merge manually if appropriate."}' From e8bbd0e5192bbb40642d183e260bf28ebddf8d22 Mon Sep 17 00:00:00 2001 From: MitaliBhalla Date: Mon, 22 Dec 2025 10:20:55 +0530 Subject: [PATCH 4/4] refactor: remove API version header from GitHub API calls - Remove X-GitHub-Api-Version header to avoid version binding - GitHub REST API is backward compatible and version header is optional - Simplifies API calls and reduces maintenance overhead --- .github/workflows/dependabot-auto-merge.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index 7ab04650..283294bd 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -55,7 +55,6 @@ jobs: -X PUT \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer $GH_TOKEN" \ - -H "X-GitHub-Api-Version: 2022-11-28" \ "https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/merge" \ -d '{"merge_method":"merge"}') @@ -72,7 +71,6 @@ jobs: curl -s -X POST \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer $GH_TOKEN" \ - -H "X-GitHub-Api-Version: 2022-11-28" \ "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \ -d '{"body":"🤖 **Dependabot Auto-Merge Status**\n\nThis PR meets the criteria for auto-merge but could not be automatically merged due to repository permissions.\n\n**Details:**\n- Update type: ${{ steps.metadata.outputs.update-type }}\n- Dependencies: ${{ steps.metadata.outputs.dependency-names }}\n- Previous version: ${{ steps.metadata.outputs.previous-version }}\n- New version: ${{ steps.metadata.outputs.new-version }}\n\nPlease review and merge manually if appropriate."}' fi