From 2838083c29a94acb293884647464a46ef7d71964 Mon Sep 17 00:00:00 2001
From: James
Date: Wed, 1 Apr 2026 11:52:35 +0100
Subject: [PATCH 1/3] mesh-2816: add automatic dependabot pr
---
 .github/workflows/dependabot-auto-merge.yaml | 37 ++++++++++++++
 .github/workflows/pull-request.yml | 51 +++++++++++++++++---
 2 files changed, 82 insertions(+), 6 deletions(-)
 create mode 100644 .github/workflows/dependabot-auto-merge.yaml
diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
new file mode 100644
index 0000000..1c9c905
--- /dev/null
+++ b/.github/workflows/dependabot-auto-merge.yaml
@@ -0,0 +1,37 @@
+name: Auto-merge Dependabot PRs
+
+ on:
+ pull_request:
+ types:
+ - opened
+ - reopened
+ - synchronize
+ - ready_for_review
+ - labeled
+
+ jobs:
+ enable-automerge:
+ # Only run on Dependabot PRs
+ if: github.actor == 'dependabot[bot]'
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+
+ steps:
+ - name: Fetch Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Auto-approve Dependabot PR
+ uses: hmarr/auto-approve-action@8f929096a962e83ccdfa8afcf855f39f12d4dac7 # v4
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Enable auto-merge for Dependabot PRs
+ run: gh pr merge --auto --squash "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index c01344c..585876d 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -61,6 +61,9 @@ jobs:
 coverage:
 runs-on: ubuntu-latest
+ permissions:
+ checks: write
+ pull-requests: write
 if: github.repository == 'NHSDigital/mesh-client'
 steps:
 - name: checkout 
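Review bot: The outputs of the `id: metadata` step are never read, so the approve and `gh pr merge --auto --squash` steps apply to every Dependabot update, majors included, and because the approval comes from the workflow token a major bump can merge with no human having looked at it once the required checks pass. Gate both steps on the update type the action already exposes, `if: steps.metadata.outputs.update-type != 'version-update:semver-major'`, and leave majors for a person. Separately, `github.actor` is whoever caused the event, so the `labeled` trigger added here never reaches `enable-automerge` when a maintainer adds the label; either drop `labeled` or decide explicitly which identity the guard should test, since switching it to `github.event.pull_request.user.login` would also let a human-pushed commit on a Dependabot branch be auto-approved. A comment on the job-level `if:` stating that `github.actor` is deliberate would keep that choice from being undone later.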
@@ -93,6 +96,7 @@ jobs:
 git merge --ff-only "${{ github.event.pull_request.head.sha }}"
 - name: setup python
+ id: setup-python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version-file: 'pyproject.toml'
@@ -137,14 +141,14 @@ jobs:
 thresholdAll: 0.70
 - name: setup java
- if: github.actor != 'dependabot[bot]' && (success() || failure())
+ if: github.event.pull_request.user.login != 'dependabot[bot]' && (success() || failure())
 uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 distribution: "corretto"
 java-version: "17"
 - name: provision sonar-scanner
- if: github.actor != 'dependabot[bot]' && (success() || failure())
+ if: github.event.pull_request.user.login != 'dependabot[bot]' && (success() || failure())
 run: |
 export SONAR_VERSION="5.0.1.3006"
 wget -q --max-redirect=0 "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_VERSION}.zip" -O sonar-scanner.zip
@@ -153,7 +157,7 @@ jobs:
 scripts/sonar_tests.py
 - name: run sonar scan
- if: github.actor != 'dependabot[bot]' && (success() || failure())
+ if: github.event.pull_request.user.login != 'dependabot[bot]' && (success() || failure())
 run: |
 PATH="$PWD/sonar-scanner/bin:$PATH"
 if [[ "${{ github.event_name }}" == "pull_request" ]]; then
@@ -168,7 +172,7 @@ jobs:
 - name: archive reports
- if: github.actor != 'dependabot[bot]' && (success() || failure())
+ if: github.event.pull_request.user.login != 'dependabot[bot]' && (success() || failure())
 uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
 with:
 name: reports
@@ -211,6 +215,7 @@ jobs:
 git merge --ff-only "${{ github.event.pull_request.head.sha }}"
 - name: setup python
+ id: setup-python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version-file: 'pyproject.toml'
@@ -263,7 +268,7 @@ jobs:
 publish:
 runs-on: ubuntu-latest
- if: github.repository == 'NHSDigital/mesh-client' && github.actor != 'dependabot[bot]'
+ if: github.repository == 'NHSDigital/mesh-client' && github.event.pull_request.user.login != 'dependabot[bot]'
 needs:
 - coverage
 - lint
@@ -340,4 +345,38 @@ jobs:
 if [[ "${INSTALLED_VERSION}" != "${RELEASE_VERSION}" ]]; then
 echo "${INSTALLED_VERSION} != ${RELEASE_VERSION}"
 exit 1
- fi
\ No newline at end of file
+ fi
+
+ slack-notification:
+ runs-on: ubuntu-latest
+ needs:
+ - coverage
+ - lint
+ - tox
+ if: ${{ always() && github.repository == 'NHSDigital/mesh-client' && github.actor == 'dependabot[bot]' && contains(needs.*.result, 'failure') }}
+ steps:
+ - name: Slack Notification
+ uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a
+ with:
+ webhook: ${{ secrets.DEPENDABOT_SLACK_WEBHOOK_URL }}
+ webhook-type: incoming-webhook
+ payload: |
+ {
+ "blocks": [
+ {
+ "type": "header",
+ "text": {
+ "type": "plain_text",
+ "text": ":alarm: DEPENDABOT PR FAILED :alarm:",
+ "emoji": true
+ }
+ },
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": "Checks failed for ${{ github.repository }}:${{ github.ref }} in "
+ }
+ }
+ ]
+ }
\ No newline at end of file
From 09df07921d16b5995a402d5cd8a0867ccd390a1f Mon Sep 17 00:00:00 2001
From: James
Date: Wed, 1 Apr 2026 11:56:12 +0100
Subject: [PATCH 2/3] mesh-2816: update dependabot frequnecy
---
 .github/dependabot.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index a2dc6e6..3237254 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -10,7 +10,7 @@ updates:
 directory: "/"
 open-pull-requests-limit: 2
 schedule:
- interval: "monthly"
+ interval: "daily"
 cooldown:
 default-days: 7
 commit-message: 
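Review bot: The section text in the Slack payload ends with `in ` and nothing follows it, so the notification never says where the failure happened; append the run link, `"text": "Checks failed for ${{ github.repository }}:${{ github.ref }} in ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"`. On a pull_request event `github.ref` is the merge ref rather than the branch, so `github.head_ref` is probably the value people want to see — confirm against what the channel expects. Because the job is gated on `github.actor == 'dependabot[bot]'` and Dependabot-triggered runs receive Dependabot secrets rather than the repository's Actions secrets, `DEPENDABOT_SLACK_WEBHOOK_URL` must be defined as a Dependabot secret or `webhook:` silently expands to empty; a one-line comment above `webhook:` recording that would save the next person a quiet no-op. Note also that `contains(needs.*.result, 'failure')` does not match `cancelled`, if that matters here.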
@@ -20,6 +20,6 @@ updates:
 - package-ecosystem: "pip"
 directory: "/" # Location of package manifests
 schedule:
- interval: "monthly"
+ interval: "daily"
 cooldown:
 default-days: 7
\ No newline at end of file
From 1e7f1629cc1256260b75c9bc4ff6b57c7d21fecf Mon Sep 17 00:00:00 2001
From: James
Date: Wed, 1 Apr 2026 15:42:59 +0100
Subject: [PATCH 3/3] mesh-2816: review changes
---
 .github/workflows/dependabot-auto-merge.yaml | 2 +-
 .github/workflows/pull-request.yml | 12 +++++-------
 2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
index 1c9c905..d9cf8f1 100644
--- a/.github/workflows/dependabot-auto-merge.yaml
+++ b/.github/workflows/dependabot-auto-merge.yaml
@@ -21,7 +21,7 @@ jobs:
 steps:
 - name: Fetch Dependabot metadata
 id: metadata
- uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36
+ uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36 #v3.0.0
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 585876d..f734251 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -96,7 +96,6 @@ jobs:
 git merge --ff-only "${{ github.event.pull_request.head.sha }}"
 - name: setup python
- id: setup-python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version-file: 'pyproject.toml'
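Review bot: The version comment added on the `fetch-metadata` pin is written `#v3.0.0`, whereas every other pinned action in these workflows (`# v4`, `# v5`, `# v6`, `# v7`) puts a space after the hash; write it `# v3.0.0` for consistency. Dependabot reads that trailing comment to keep a SHA pin's version label in step when it bumps the hash, and I believe it expects the spaced form — worth checking. The `slackapi/slack-github-action` pin introduced in the first patch carries no version comment at all and would benefit from the same treatment.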
@@ -141,14 +140,14 @@ jobs:
 thresholdAll: 0.70
 - name: setup java
- if: github.event.pull_request.user.login != 'dependabot[bot]' && (success() || failure())
+ if: github.actor != 'dependabot[bot]' && (success() || failure())
 uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 distribution: "corretto"
 java-version: "17"
 - name: provision sonar-scanner
- if: github.event.pull_request.user.login != 'dependabot[bot]' && (success() || failure())
+ if: github.actor != 'dependabot[bot]' && (success() || failure())
 run: |
 export SONAR_VERSION="5.0.1.3006"
 wget -q --max-redirect=0 "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_VERSION}.zip" -O sonar-scanner.zip
@@ -157,7 +156,7 @@ jobs:
 scripts/sonar_tests.py
 - name: run sonar scan
- if: github.event.pull_request.user.login != 'dependabot[bot]' && (success() || failure())
+ if: github.actor != 'dependabot[bot]' && (success() || failure())
 run: |
 PATH="$PWD/sonar-scanner/bin:$PATH"
 if [[ "${{ github.event_name }}" == "pull_request" ]]; then
@@ -172,7 +171,7 @@ jobs:
 - name: archive reports
- if: github.event.pull_request.user.login != 'dependabot[bot]' && (success() || failure())
+ if: github.actor != 'dependabot[bot]' && (success() || failure())
 uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
 with:
 name: reports
@@ -215,7 +214,6 @@ jobs:
 git merge --ff-only "${{ github.event.pull_request.head.sha }}"
 - name: setup python
- id: setup-python
 uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version-file: 'pyproject.toml'
@@ -268,7 +266,7 @@ jobs:
 publish:
 runs-on: ubuntu-latest
- if: github.repository == 'NHSDigital/mesh-client' && github.event.pull_request.user.login != 'dependabot[bot]'
+ if: github.repository == 'NHSDigital/mesh-client' && github.actor != 'dependabot[bot]'
 needs:
 - coverage
 - lint
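Review bot: The guards switched back to `github.actor` on the setup-java step here, on the two sonar steps and the archive step below, and on `publish`, but the commit records no reason for dropping `github.event.pull_request.user.login`, so the next reader is likely to flip it again; a comment on the first guard would settle it, e.g. `# github.actor, not pull_request.user.login: this workflow also runs on push, where github.event.pull_request is absent` — assuming that is the reason (the `github.event_name == "pull_request"` test in the sonar step suggests the workflow has other triggers). The two forms do differ in effect: `github.actor` is whoever caused the latest event, so a maintainer pushing to a Dependabot branch turns the sonar and publish paths on for that run, presumably because those steps need Actions secrets that a Dependabot-triggered run does not receive; if that is intended it belongs in the same comment. The `run: |` bodies of the sonar steps continue outside the hunk.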