fix: make Dependabot auto-merge match modern gh and indirect deps #29
The reusable Dependabot auto-merge silently no-op'd on every PR:
- gh now reports the PR author from its GraphQL backing as `app/dependabot`,
not `dependabot[bot]`, so the author filter dropped every Dependabot PR
("No open Dependabot PR; nothing to do"). Accept either spelling; the REST
commit-author + signature gate is unchanged.
- Indirect (transitive) deps ship a `dependency-version:` trailer but no
`update-type:`, so the semver-token grep found nothing and refused them.
Derive the level from the `from <old> to <new>` versions in the commit
message, anchored to the Bumps/Updates lines. Unparsable versions and a
major hidden in a grouped update still fall back to a human.
Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
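
The version-derived level described in the PR description above, as an added example that is not the repository's workflow code. `update_level` is a hypothetical helper, and skipping group header lines that carry no `from ... to ...` pair is an assumption.

```shell
#!/bin/sh
# Added example, not the repository's workflow code. update_level is a
# hypothetical helper name.

# Print patch|minor|major for a Dependabot commit message, or "unknown"
# when the level cannot be derived and a human has to decide.
update_level() (
  rank=0
  while IFS= read -r line; do
    # Anchor: only Bumps/Updates lines with a "from ... to ..." pair count,
    # so a "from X to Y" in quoted release notes cannot influence the result.
    # Assumption: group header lines without such a pair are skipped.
    case $line in
      "Bumps "*" from "*" to "*|"Updates "*" from "*" to "*) ;;
      *) continue ;;
    esac
    pair=$(printf '%s\n' "$line" | sed -nE \
      's/^(Bumps|Updates) .* from v?([0-9]+\.[0-9]+\.[0-9]+)[^ ]* to v?([0-9]+\.[0-9]+\.[0-9]+).*/\2 \3/p')
    # An anchored line without two x.y.z versions fails closed.
    if [ -z "$pair" ]; then echo unknown; return 0; fi
    old=${pair% *}; new=${pair#* }
    old_major=${old%%.*}; rest=${old#*.}; old_minor=${rest%%.*}
    new_major=${new%%.*}; rest=${new#*.}; new_minor=${rest%%.*}
    if [ "$old_major" -ne "$new_major" ]; then level=3
    elif [ "$old_minor" -ne "$new_minor" ]; then level=2
    else level=1
    fi
    # Keep the highest level seen, so a major inside a grouped update is
    # reported as major rather than masked by the other entries.
    if [ "$level" -gt "$rank" ]; then rank=$level; fi
  done <<EOF
$1
EOF
  case $rank in
    1) echo patch ;;
    2) echo minor ;;
    3) echo major ;;
    *) echo unknown ;;  # no usable Bumps/Updates line at all
  esac
)
```

A caller would auto-merge only on the levels its policy allows and leave `major` and `unknown` for a human, after the author and signature gates have passed.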
Note Merging this PR: this repository merges by fast-forward so every The branch must be up to date with
/auto-merge
Note Auto-merge armed. Once this PR is approved and every required check Remove the
Fast-forwarded 1e7e5d8 into bitwise-media-group:main