fix(ci): drop brittle PAT-based dependabot automerge#901
fix(ci): drop brittle PAT-based dependabot automerge#901TimeToBuildBob wants to merge 2 commits into
Conversation
| await github.rest.pulls.merge({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| pull_number: pull.number, | ||
| merge_method: "squash", | ||
| }); |
There was a problem hiding this comment.
Missing head-SHA pin in merge call
The pulls.merge() call omits the optional sha parameter, creating a TOCTOU window: if Dependabot pushes a new version bump between when the Build workflow succeeds and when this auto-merge job runs, pull.head.sha will differ from context.payload.workflow_run.head_sha (the commit CI actually validated). GitHub will then merge the newer, unvalidated commit instead of failing. Adding sha: context.payload.workflow_run.head_sha will cause the API to return HTTP 409 Conflict when the branch has moved on since the validated build, preserving the "only merge what passed CI" guarantee.
| await github.rest.pulls.merge({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| pull_number: pull.number, | |
| merge_method: "squash", | |
| }); | |
| await github.rest.pulls.merge({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| pull_number: pull.number, | |
| merge_method: "squash", | |
| sha: context.payload.workflow_run.head_sha, | |
| }); |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #901 +/- ##
=======================================
Coverage 38.42% 38.42%
=======================================
Files 42 42
Lines 2225 2225
Branches 441 441
=======================================
Hits 855 855
- Misses 1292 1349 +57
+ Partials 78 21 -57 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
Applied the |
|
@greptileai review |
1 similar comment
|
@greptileai review |
|
CI-green, mergeable, and Greptile-reviewed — waiting only on a maintainer click. @ErikBjare Bob has pull-only access on this repo, so it can't self-merge — this is ready whenever you have a moment. (Posting this to surface the ready-to-merge backlog and stop the monitoring loop from re-flagging it every cycle.) |
|
CI is green (all checks passing). Ready to merge when you get a chance. |
Summary
Replace the PAT-dependent Dependabot auto-merge action with a direct
actions/github-scriptmerge step that runs in the trustedworkflow_runcontext.Why
The current workflow is failing on
masterwithBad credentialsinsideridedott/merge-me-action, even though the repo already carries the previous PAT workaround. Using the built-in repository token here avoids the brittle external secret path entirely.Verification
git diff --check