ci: add auto-merge workflow with major version protection #10
Walkthrough (CodeRabbit): A new GitHub Actions workflow is introduced that automates PR merging and approvals for four distinct sources: Dependabot, Renovate, AI agents (copilot/jules/claude branch prefixes), and CodeRabbit reviews. Each source has conditional job logic using GitHub CLI commands for approving and merging PRs.
Pull request overview
This PR adds an automated merge workflow that handles pull requests from various trusted sources including Dependabot, Renovate, AI agents, and CodeRabbit. The workflow aims to streamline the merge process for low-risk updates while requiring manual review for potentially breaking changes.
Changes:
- Adds auto-merge workflow with support for Dependabot (with major version protection), Renovate, AI agent branches, and CodeRabbit approvals
- Implements automatic approval and squash merging for trusted PRs
- Adds special handling to comment on major version updates requiring manual review
| types: [completed] | ||
|
|
||
| permissions: | ||
| contents: write |
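Review bot: before moving `contents: write` out of the workflow-level `permissions:` block, confirm that the jobs running `gh pr merge --auto --squash` still succeed with a reduced token. GitHub's own Dependabot auto-merge example grants both `contents: write` and `pull-requests: write` for exactly that command, so the merge jobs most likely still need `contents: write` at job level; only the approve-only steps can be trimmed to `pull-requests: write`. Declaring a `permissions:` block per job, with `contents: read` as the workflow default, keeps the least-privilege intent visible and prevents a later job from inheriting write access by accident.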
Copilot (AI), Jan 15, 2026
The workflow has broad permissions (contents: write, pull-requests: write) that apply to all jobs. Following the principle of least privilege, jobs should only have the permissions they actually need. For example, the CodeRabbit job only needs to enable auto-merge (pull-requests: write) but not contents: write. Consider setting permissions at the job level instead of the workflow level to minimize the security surface area.
| contents: write | |
| contents: read |
.github/workflows/auto-merge.yml
Outdated
| startsWith(github.event.pull_request.head.ref, 'copilot/') || | ||
| startsWith(github.event.pull_request.head.ref, 'jules/') || | ||
| startsWith(github.event.pull_request.head.ref, 'claude/') |
Copilot (AI), Jan 15, 2026
The AI agent job condition checks github.event.pull_request.head.ref but this may be null or undefined for some event types (like check_suite). This could cause the job to fail or be skipped unexpectedly. Consider adding a null check or ensuring that the job only runs for event types where pull_request data is guaranteed to be available.
| startsWith(github.event.pull_request.head.ref, 'copilot/') || | |
| startsWith(github.event.pull_request.head.ref, 'jules/') || | |
| startsWith(github.event.pull_request.head.ref, 'claude/') | |
| github.event.pull_request != null && | |
| ( | |
| startsWith(github.event.pull_request.head.ref, 'copilot/') || | |
| startsWith(github.event.pull_request.head.ref, 'jules/') || | |
| startsWith(github.event.pull_request.head.ref, 'claude/') | |
| ) |
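Review bot: the `github.event.pull_request != null &&` guard in the suggested block only matters while the `check_suite` trigger remains; `pull_request_target` and `pull_request_review` payloads always carry `pull_request`, so the guard becomes dead weight once that trigger is dropped. The more important gap in this `if:` is that it trusts the branch prefix alone. Pair each `startsWith(github.event.pull_request.head.ref, ...)` with an actor check such as `github.actor == '<bot login>'`, the way the Dependabot job uses `github.actor == 'dependabot[bot]'`, so a collaborator-created `copilot/` branch is not auto-approved; the exact bot logins for Copilot, Jules and Claude need to be verified rather than guessed.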
| # 2. AI Agent fix PRs (copilot/, jules/, claude/): Auto-merge when CI passes | ||
| # 3. CodeRabbit approved PRs: Auto-merge when CI passes |
Copilot (AI), Jan 15, 2026
The comments claim "Auto-merge when CI passes" for tiers 2 and 3, but the workflow does not actually wait for or verify that CI checks have passed before enabling auto-merge. The workflow should either include logic to verify CI status or update the comments to accurately reflect the actual behavior (immediate auto-merge without CI verification).
| # 2. AI Agent fix PRs (copilot/, jules/, claude/): Auto-merge when CI passes | |
| # 3. CodeRabbit approved PRs: Auto-merge when CI passes | |
| # 2. AI Agent fix PRs (copilot/, jules/, claude/): Auto-merge | |
| # 3. CodeRabbit approved PRs: Auto-merge |
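Review bot: rather than weakening the header to plain "Auto-merge", document what actually enforces the CI gate. `gh pr merge --auto` enables GitHub's auto-merge, which completes only once the base branch's protection rules (required status checks, required reviews) are satisfied. "Auto-merge when CI passes" is therefore accurate if and only if the required checks are configured on the target branch; with no branch protection the PR merges as soon as it is mergeable, and neither the comment nor the workflow will stop it. State that dependency in the comment and verify the protection rule exists before enabling this workflow.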
| - name: Auto-approve Renovate PRs | ||
| env: | ||
| PR_URL: ${{ github.event.pull_request.html_url }} | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: gh pr review --approve "$PR_URL" | ||
|
|
||
| - name: Enable auto-merge for Renovate | ||
| env: | ||
| PR_URL: ${{ github.event.pull_request.html_url }} | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: gh pr merge --auto --squash "$PR_URL" | ||
|
|
Copilot (AI), Jan 15, 2026
The Renovate auto-merge job approves and merges all Renovate PRs without checking for major version updates, unlike the Dependabot job which has special handling for major updates (lines 50-66). This inconsistency means major breaking changes from Renovate could be auto-merged without manual review. Consider adding similar major version protection for Renovate PRs or documenting why this difference in behavior is intentional.
| - name: Auto-approve Renovate PRs | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: gh pr review --approve "$PR_URL" | |
| - name: Enable auto-merge for Renovate | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: gh pr merge --auto --squash "$PR_URL" | |
| - name: Detect Renovate major updates | |
| id: renovate_metadata | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| # Detect if this Renovate PR represents a major version update. | |
| # Renovate typically labels such PRs with "major" or "renovate/major". | |
| LABELS_JSON=$(gh pr view "$PR_URL" --json labels) | |
| if echo "$LABELS_JSON" | grep -qi '"name":"major"'; then | |
| echo "update-type=version-update:semver-major" >> "$GITHUB_OUTPUT" | |
| elif echo "$LABELS_JSON" | grep -qi '"name":"renovate/major"'; then | |
| echo "update-type=version-update:semver-major" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "update-type=version-update:semver-non-major" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Auto-approve Renovate PRs | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: gh pr review --approve "$PR_URL" | |
| - name: Enable auto-merge for Renovate (non-major) | |
| if: steps.renovate_metadata.outputs.update-type != 'version-update:semver-major' | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: gh pr merge --auto --squash "$PR_URL" | |
| - name: Comment on Renovate major updates | |
| if: steps.renovate_metadata.outputs.update-type == 'version-update:semver-major' | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| gh pr comment "$PR_URL" --body "## ⚠️ Renovate Major Version Update | |
| This is a **major version update** created by Renovate and may contain breaking changes. | |
| **Auto-merge has been disabled. Manual review and merge are required.**" |
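Review bot: the suggested "Detect Renovate major updates" step assumes Renovate tags major PRs with a `major` or `renovate/major` label, which Renovate only does when `labels` or `addLabels` is configured for those update types. With a default Renovate config the step always emits `semver-non-major` and quietly re-enables auto-merge for major bumps, which is the failure mode this step is meant to prevent. The `grep -qi '"name":"major"'` test also depends on the exact JSON spacing; `gh pr view "$PR_URL" --json labels --jq '.labels[].name' | grep -qx 'major'` is robust to formatting. A cleaner alternative is to keep the policy in `renovate.json` (`packageRules` with `matchUpdateTypes: ["minor", "patch"]` and `automerge: true`) and not approve Renovate PRs from this workflow at all.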
| pull_request_target: | ||
| types: [opened, synchronize, reopened, ready_for_review] |
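Review bot: `pull_request_target` runs in the base-repository context with a write-capable `GITHUB_TOKEN` even for PRs from forks, and every job here then approves and merges. Two mitigations fit this hunk: add `github.event.pull_request.head.repo.full_name == github.repository` to each job's `if:` so fork PRs are never auto-approved, and keep the workflow free of any `actions/checkout` of the PR head. None of the visible jobs checks out code, which is what keeps this from being the classic `pull_request_target` code-execution case; that property should be preserved when the workflow is extended. Note also that `synchronize` and `ready_for_review` re-run the jobs after any later push, so trust is re-evaluated on every commit, not just the one that opened the PR.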
Copilot (AI), Jan 15, 2026
Using pull_request_target with automatic approval and merging poses a security risk. The pull_request_target event runs with write permissions in the context of the base repository, even for PRs from forks. While the current implementation restricts execution to specific actors (dependabot, renovate, specific branch prefixes), a compromised bot account or malicious actor could potentially exploit this. Consider adding additional safety checks such as verifying that the PR is from the same repository (not a fork) or requiring CI checks to pass before auto-merging.
| env: | ||
| PR_URL: ${{ github.event.pull_request.html_url }} | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: gh pr merge --auto --squash "$PR_URL" |
Copilot (AI), Jan 15, 2026
The gh CLI commands do not have error handling or continue-on-error configured. If a command fails (e.g., due to permissions issues, API rate limits, or network problems), the workflow will fail silently without providing useful feedback. Consider adding error handling or at least ensuring that failures are visible and don't leave PRs in an inconsistent state where they might be partially approved but not merged.
| run: gh pr merge --auto --squash "$PR_URL" | |
| run: gh pr merge --auto --squash "$PR_URL" || { echo "Failed to auto-merge CodeRabbit-approved PR $PR_URL"; exit 1; } |
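Review bot: the suggested `|| { echo "..."; exit 1; }` does not change failure behaviour: a `run:` step already fails the job when `gh` exits non-zero, and the step log shows gh's own error message, so the failure is not silent. If the real concern is a PR left approved but not merged, the useful change is ordering: in the jobs that approve before merging, run `gh pr merge --auto` first and only approve once it succeeds, or put both commands in a single `run: |` block with `set -e`, so an approval never outlives a failed merge. For this CodeRabbit job, which only enables auto-merge, the original line is fine as written.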
| ai-agent-auto-merge: | ||
| name: AI Agent auto-merge | ||
| runs-on: ubuntu-latest | ||
| if: | | ||
| startsWith(github.event.pull_request.head.ref, 'copilot/') || | ||
| startsWith(github.event.pull_request.head.ref, 'jules/') || | ||
| startsWith(github.event.pull_request.head.ref, 'claude/') | ||
|
|
||
| steps: | ||
| - name: Identify AI agent | ||
| id: agent | ||
| env: | ||
| BRANCH: ${{ github.event.pull_request.head.ref }} | ||
| run: | | ||
| if [[ "$BRANCH" == copilot/* ]]; then | ||
| echo "agent=Copilot" >> "$GITHUB_OUTPUT" | ||
| elif [[ "$BRANCH" == jules/* ]]; then | ||
| echo "agent=Jules" >> "$GITHUB_OUTPUT" | ||
| elif [[ "$BRANCH" == claude/* ]]; then | ||
| echo "agent=Claude" >> "$GITHUB_OUTPUT" | ||
| fi | ||
|
|
||
| - name: Auto-approve AI agent PRs | ||
| env: | ||
| PR_URL: ${{ github.event.pull_request.html_url }} | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| AGENT: ${{ steps.agent.outputs.agent }} | ||
| run: | | ||
| echo "Auto-approving $AGENT PR" | ||
| gh pr review --approve "$PR_URL" --body "✅ Auto-approved: $AGENT autonomous fix PR" | ||
|
|
||
| - name: Enable auto-merge for AI agent PRs | ||
| env: | ||
| PR_URL: ${{ github.event.pull_request.html_url }} | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: gh pr merge --auto --squash "$PR_URL" |
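Review bot: the job's `if:` approves on the strength of `head.ref` alone, and an actor check needs to be added alongside it. When that is done, keep in mind what `github.actor` means per trigger: on `synchronize` it is whoever pushed the latest commit, so a human pushing a fix-up to a `copilot/` branch makes the job skip rather than approve, which is the safe default and worth a comment. Passing the branch name through `env: BRANCH:` in the "Identify AI agent" step, instead of interpolating `${{ }}` into the script, is the right pattern for event-controlled input and should stay; `$AGENT` used in the approval `--body` only ever holds one of this step's fixed strings, so it is safe to embed.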
Copilot (AI), Jan 15, 2026
The AI agent auto-merge job auto-approves and auto-merges PRs based solely on branch name prefixes (copilot/, jules/, claude/). This is risky because any user with write access to the repository could create a branch with these prefixes and have their changes automatically merged without proper review. Consider adding additional validation such as checking the PR author or requiring that these branches come from specific bot accounts only.
| dependabot-auto-merge: | ||
| name: Dependabot auto-merge | ||
| runs-on: ubuntu-latest | ||
| if: github.actor == 'dependabot[bot]' | ||
|
|
||
| steps: | ||
| - name: Fetch Dependabot metadata | ||
| id: metadata | ||
| uses: dependabot/fetch-metadata@v2 | ||
| with: | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Auto-approve patch and minor updates | ||
| if: steps.metadata.outputs.update-type != 'version-update:semver-major' | ||
| env: | ||
| PR_URL: ${{ github.event.pull_request.html_url }} | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: gh pr review --approve "$PR_URL" | ||
|
|
||
| - name: Enable auto-merge for patch and minor | ||
| if: steps.metadata.outputs.update-type != 'version-update:semver-major' | ||
| env: | ||
| PR_URL: ${{ github.event.pull_request.html_url }} | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: gh pr merge --auto --squash "$PR_URL" |
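Review bot: `uses: dependabot/fetch-metadata@v2` is pinned to a mutable major tag; for an action whose output decides whether a PR is approved and merged without a human, pin to a full commit SHA (keeping the version in a trailing comment) so a moved or compromised tag cannot change what runs here. The two `if:` checks are also negative tests: if `steps.metadata.outputs.update-type` is ever empty, for instance when the action cannot classify an update, `!= 'version-update:semver-major'` treats it as safe and merges. An explicit allow-list (`== 'version-update:semver-patch' || == 'version-update:semver-minor'`) fails closed instead. Finally, `github.actor == 'dependabot[bot]'` is evaluated on every event, so a maintainer pushing to a Dependabot branch turns auto-merge off for that PR; that is reasonable, but document it.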
Copilot (AI), Jan 15, 2026
The Dependabot auto-merge job will run on every event type listed in the trigger (opened, synchronize, reopened, ready_for_review, pull_request_review submitted, and check_suite completed), even though it only needs to run when the PR is first opened or updated. This could lead to unnecessary workflow executions. Consider adding event type filtering to the job's if condition to only run on relevant events, such as checking that github.event_name is 'pull_request_target'.
| gh pr comment "$PR_URL" --body "## ⚠️ Major Version Update | ||
|
|
||
| This is a **major version update** that may contain breaking changes. | ||
|
|
||
| **Manual review required.** | ||
|
|
||
| Dependency: \`$DEP_NAMES\` | ||
| Update: \`$PREV_VERSION\` → \`$NEW_VERSION\`" |
Copilot (AI), Jan 15, 2026
The multi-line comment body contains indented text that will be included in the comment as-is, potentially with unwanted leading whitespace on each line. This could result in poorly formatted GitHub comments. Consider using a heredoc or adjusting the indentation to ensure the comment text starts at column 0 after the opening quote.
| gh pr comment "$PR_URL" --body "## ⚠️ Major Version Update | |
| This is a **major version update** that may contain breaking changes. | |
| **Manual review required.** | |
| Dependency: \`$DEP_NAMES\` | |
| Update: \`$PREV_VERSION\` → \`$NEW_VERSION\`" | |
| gh pr comment "$PR_URL" --body-file - <<EOF | |
| ## ⚠️ Major Version Update | |
| This is a **major version update** that may contain breaking changes. | |
| **Manual review required.** | |
| Dependency: \`$DEP_NAMES\` | |
| Update: \`$PREV_VERSION\` → \`$NEW_VERSION\` | |
| EOF |
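Review bot: the heredoc rewrite is sound as long as the indentation is right. An unquoted `<<EOF` still expands `$DEP_NAMES`, `$PREV_VERSION` and `$NEW_VERSION` and turns each `` \` `` into a literal backtick, so the Markdown code spans survive; a quoted `<<'EOF'` would stop the expansion and is not wanted here. Inside `run: |`, the heredoc body and the closing `EOF` must sit at the same column as the `gh pr comment` line: more indentation reintroduces the leading whitespace this change is trying to remove, and less indentation ends the YAML block scalar before the terminator, so bash reports an unexpected end of file. The three variables are not defined in the visible hunk; confirm they are set from the fetch-metadata outputs via `env:` rather than `${{ }}` interpolation into the script.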
.github/workflows/auto-merge.yml
Outdated
| check_suite: | ||
| types: [completed] |
Copilot (AI), Jan 15, 2026
The workflow is triggered by the check_suite event (line 16-17), but all jobs reference github.event.pull_request which may not be available in check_suite event payloads. The check_suite event has a different structure and may not include pull_request information directly, which could cause these jobs to fail or behave unexpectedly when triggered by check_suite completion. Consider either removing the check_suite trigger or adding logic to handle the different event payload structures appropriately.
| check_suite: | |
| types: [completed] |
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In @.github/workflows/auto-merge.yml:
- Around line 86-92: The ai-agent-auto-merge job currently trusts branch prefixes via the if condition (startsWith(github.event.pull_request.head.ref, 'copilot/') || ...), which allows any collaborator to create such branches; update the job's if conditional on ai-agent-auto-merge to also validate github.actor for each prefix (mirror the pattern used by Dependabot/Renovate/CodeRabbit) so the condition requires both the actor equals the trusted bot account and the branch prefix matches; verify and use the actual bot usernames for Copilot/Jules/Claude in the github.actor checks before committing.
🧹 Nitpick comments (1)
.github/workflows/auto-merge.yml (1)
68-84: Consider adding major version protection for Renovate PRs. Unlike the Dependabot job which requires manual review for major updates, Renovate PRs are auto-merged regardless of version bump type. This inconsistency could lead to unexpected breaking changes being auto-merged.
If Renovate is configured to only create patch/minor PRs, this is acceptable. Otherwise, consider using Renovate's labels or commit message conventions to detect major updates and apply similar protection.
Is Renovate configured to exclude major version updates, or is this intentional behavior?
🔇 Additional comments (4)
.github/workflows/auto-merge.yml (4)
1-9: LGTM! Clear documentation of the tiered auto-merge strategy with well-defined categories for each automation tier.
24-67: LGTM! The Dependabot job implements a solid pattern:
- Patch/minor updates are auto-approved and auto-merged with squash.
- Major updates receive a detailed comment and require manual review.
- Using dependabot/fetch-metadata@v2 provides reliable semver classification.
94-121: LGTM for the implementation logic. The agent identification and approval steps are well-implemented with proper output handling and audit trail via approval body message.
123-136: LGTM! The CodeRabbit job correctly:
- Triggers only on pull_request_review events with approved state from coderabbitai[bot]
- Enables auto-merge without adding another approval (relying on branch protection rules)
- Uses squash merge consistently with other jobs
… validation - Remove unused check_suite trigger (no job references it) - Add actor validation to AI agent job for security (prevents anyone from creating copilot/jules/claude branches)
Summary
Adds the advanced auto-merge workflow from ancplua-claude-plugins:
Test plan
🤖 Generated with Claude Code