Automate dependency monitoring and patch-level auto-merge #16
Merged
danielorbach merged 5 commits into main on Mar 11, 2026
Conversation
Weekly schedule with go.mod commit prefix matches the convention established in go-digitaltwin/go-digitaltwin. No dependency groups yet since the module has no third-party imports.
Keeps action versions (checkout, setup-go, golangci-lint, etc.) current alongside Go module monitoring.
Patches carry minimal risk of breaking changes. Approving and enabling auto-merge lets them land without human intervention once the CI workflow reports success.
The automerge workflow currently handles only patches. TODO comments mark where Claude-assisted review steps will slot in once the Claude Code workflow (#5) is resolved: approve-and-merge for minor updates, comment-only analysis for major updates.
Pull request overview
Adds Dependabot-based dependency monitoring and a GitHub Actions workflow to auto-approve/auto-merge patch-level dependency update PRs after required checks pass, building on the CI gating introduced in #15.
Changes:
- Configure Dependabot to check Go modules and GitHub Actions weekly.
- Add a Dependabot PR workflow that auto-approves and enables auto-merge for semver patch updates (with TODO hooks for future Claude-assisted review on minor/major updates).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/dependabot-automerge.yml | Approves and enables auto-merge for Dependabot patch updates via gh CLI based on fetched metadata. |
| .github/dependabot.yml | Enables weekly Dependabot updates for gomod and github-actions ecosystems with consistent labeling/commit prefixes. |
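An illustrative reconstruction of the Dependabot configuration the review table describes (added here as an example; it is not the file from this PR). The `dependencies` label and the `ci` prefix for workflow bumps are assumptions; the `go.mod` prefix, weekly cadence and the two ecosystems come from the PR text.

```yaml
# .github/dependabot.yml, illustrative reconstruction (not the file from this PR)
version: 2
updates:
  # Go module updates; the "go.mod" commit prefix follows the convention the PR cites.
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "go.mod"
    labels:
      - "dependencies"          # assumed label name
    # No `groups:` block yet: the module has no third-party imports.

  # Keeps action versions (checkout, setup-go, golangci-lint, ...) current as well.
  - package-ecosystem: "github-actions"
    directory: "/"              # Dependabot scans .github/workflows from the repo root
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "ci"              # assumed prefix for workflow bumps
    labels:
      - "dependencies"
```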
This was referenced Mar 11, 2026.
danielorbach added a commit that referenced this pull request on Mar 12, 2026:
The existing Dependabot workflow auto-approves and merges patch updates but left minor and major updates for human review (see #16). This completes the three-tier automation by replacing those TODOs with Claude-assisted review. Minor updates are reviewed and auto-merged if Claude approves. Major updates receive analysis with migration notes and changelog research, but require a human to approve and merge.

Tool permissions follow a least-privilege model: `gh pr review` commands are narrowly scoped, and major reviews explicitly disallow approval via `--disallowedTools`. The minor review prompt flags v0.x dependencies, where semver permits breaking changes in minor bumps.

Review and merge are split into separate jobs so each can declare its own least-privilege permission set: the review job holds `id-token: write` for Claude's OIDC tokens but only `contents: read`, while the merge job holds `contents: write` but no `id-token`. This follows the principle of least privilege at the job level, narrowing the blast radius of each token.

The Claude Code "app" integration for issues and PRs (originally planned in #5) was [dropped](#5 (comment)) in favor of the local Claude Code experience; the prior attempt is preserved in #18.

Closes #6.

With CI in place (#15), the repository can gate dependency updates on passing checks. Dependabot now monitors both Go modules and GitHub Actions on a weekly schedule, and patch-level updates auto-merge once CI passes.
Minor and major updates still require human review. TODO comments in the automerge workflow mark where Claude-assisted review steps will slot in once the Claude Code workflow (#5) lands: approve-and-merge for minor updates, comment-only analysis for major ones. This addresses three of the four checkboxes in #6; the remaining one (LLM-assisted review) is blocked on #5.
Relates to #6