Skip to content

fix(ci): drop brittle PAT-based dependabot automerge#901

Open
TimeToBuildBob wants to merge 2 commits into
ActivityWatch:masterfrom
TimeToBuildBob:bob/fix-dependabot-automerge
Open

fix(ci): drop brittle PAT-based dependabot automerge#901
TimeToBuildBob wants to merge 2 commits into
ActivityWatch:masterfrom
TimeToBuildBob:bob/fix-dependabot-automerge

Conversation

@TimeToBuildBob

Copy link
Copy Markdown
Contributor

Summary

Replace the PAT-dependent Dependabot auto-merge action with a direct actions/github-script merge step that runs in the trusted workflow_run context.

Why

The current workflow is failing on master with Bad credentials inside ridedott/merge-me-action, even though the repo already carries the previous PAT workaround. Using the built-in repository token here avoids the brittle external secret path entirely.

Verification

  • YAML reviewed locally
  • git diff --check
  • GitHub Actions on this PR will validate the workflow end to end

@greptile-apps

greptile-apps Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR removes the failing ridedott/merge-me-action (which required an external PAT secret) and replaces it with an inline actions/github-script step that merges Dependabot PRs using the built-in repository token in the trusted workflow_run context.

  • PAT removed: the AWBOT_GH_TOKEN secret dependency is eliminated; permissions: contents: write and pull-requests: write are granted explicitly at the workflow level.
  • TOCTOU guard added: the merge call now passes sha: context.payload.workflow_run.head_sha, ensuring the API rejects the merge if the PR branch has moved on since the validated build completed.
  • Early-exit guards: the script checks for a missing PR in the payload, a non-open state, and a draft flag before attempting the merge.

Confidence Score: 5/5

Safe to merge — the logic is straightforward and the core correctness concerns (head-SHA guard, actor check, permission scoping) are handled well.

The rewrite correctly drops the broken PAT dependency, scopes permissions to the minimum required, and adds the sha guard to prevent merging unvalidated commits. The only open item is using a floating @v9 tag for actions/github-script rather than a pinned commit SHA — a hardening concern that does not affect current correctness.

No files require special attention beyond confirming that squash merges are enabled in the repository settings, since merge_method: squash is hardcoded.

Important Files Changed

Filename Overview
.github/workflows/dependabot-automerge.yml Replaces PAT-based ridedott/merge-me-action with an inline github-script step using GITHUB_TOKEN; adds correct permissions block and head-SHA guard; uses a floating @v9 tag for the action instead of a pinned commit SHA.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant D as Dependabot
    participant GH as GitHub
    participant Build as Build Workflow
    participant Merge as Dependabot Auto-merge Workflow

    D->>GH: Opens/updates PR
    GH->>Build: Triggers Build (pull_request event)
    Build-->>GH: Completes (success/failure)
    GH->>Merge: "workflow_run event (conclusion=success)"
    Merge->>Merge: "Check actor==dependabot[bot] && event==pull_request"
    Merge->>GH: pulls.get(pr.number)
    GH-->>Merge: PR state (open/closed/draft)
    alt PR is open and not draft
        Merge->>GH: "pulls.merge(pull_number, sha=head_sha, method=squash)"
        GH-->>Merge: Merge result
    else PR closed or draft
        Merge-->>GH: Skip
    end
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant D as Dependabot
    participant GH as GitHub
    participant Build as Build Workflow
    participant Merge as Dependabot Auto-merge Workflow

    D->>GH: Opens/updates PR
    GH->>Build: Triggers Build (pull_request event)
    Build-->>GH: Completes (success/failure)
    GH->>Merge: "workflow_run event (conclusion=success)"
    Merge->>Merge: "Check actor==dependabot[bot] && event==pull_request"
    Merge->>GH: pulls.get(pr.number)
    GH-->>Merge: PR state (open/closed/draft)
    alt PR is open and not draft
        Merge->>GH: "pulls.merge(pull_number, sha=head_sha, method=squash)"
        GH-->>Merge: Merge result
    else PR closed or draft
        Merge-->>GH: Skip
    end
Loading

Reviews (3): Last reviewed commit: "fix(ci): pin merge sha to prevent TOCTOU..." | Re-trigger Greptile

Comment on lines +53 to +58
await github.rest.pulls.merge({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: pull.number,
merge_method: "squash",
});

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Missing head-SHA pin in merge call

The pulls.merge() call omits the optional sha parameter, creating a TOCTOU window: if Dependabot pushes a new version bump between when the Build workflow succeeds and when this auto-merge job runs, pull.head.sha will differ from context.payload.workflow_run.head_sha (the commit CI actually validated). GitHub will then merge the newer, unvalidated commit instead of failing. Adding sha: context.payload.workflow_run.head_sha will cause the API to return HTTP 409 Conflict when the branch has moved on since the validated build, preserving the "only merge what passed CI" guarantee.

Suggested change
await github.rest.pulls.merge({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: pull.number,
merge_method: "squash",
});
await github.rest.pulls.merge({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: pull.number,
merge_method: "squash",
sha: context.payload.workflow_run.head_sha,
});

@codecov

codecov Bot commented Jul 6, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 38.42%. Comparing base (9e466c5) to head (e609238).

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #901   +/-   ##
=======================================
  Coverage   38.42%   38.42%           
=======================================
  Files          42       42           
  Lines        2225     2225           
  Branches      441      441           
=======================================
  Hits          855      855           
- Misses       1292     1349   +57     
+ Partials       78       21   -57     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@TimeToBuildBob

Copy link
Copy Markdown
Contributor Author

Applied the sha pin as suggested by Greptile — pulls.merge() now passes sha: context.payload.workflow_run.head_sha, so a Dependabot push between CI success and the merge step will cause a 409 conflict instead of silently merging an unvalidated commit.

@TimeToBuildBob

Copy link
Copy Markdown
Contributor Author

@greptileai review

1 similar comment
@TimeToBuildBob

Copy link
Copy Markdown
Contributor Author

@greptileai review

@TimeToBuildBob

Copy link
Copy Markdown
Contributor Author

CI-green, mergeable, and Greptile-reviewed — waiting only on a maintainer click.

@ErikBjare Bob has pull-only access on this repo, so it can't self-merge — this is ready whenever you have a moment. (Posting this to surface the ready-to-merge backlog and stop the monitoring loop from re-flagging it every cycle.)

@TimeToBuildBob

Copy link
Copy Markdown
Contributor Author

CI is green (all checks passing). Ready to merge when you get a chance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant