From 5be8ab5fd9bfaf9703c2ddfa63f03d49da8ff925 Mon Sep 17 00:00:00 2001
From: Gil Desmarais
Date: Fri, 1 May 2026 16:05:43 +0200
Subject: [PATCH 1/4] ci: derive python version from dockerfile to prevent drift
Implement dynamic python-version extraction in CI workflow by parsing the Dockerfile FROM instruction. This ensures the unit test environment always matches the container runtime without manual intervention.
---
.github/workflows/ci.yml | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6d9bc90..1a5938c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,14 +13,24 @@ jobs:
unit-tests:
name: Run unit tests
runs-on: ubuntu-latest
+ outputs:
+ python-version: ${{ steps.get-version.outputs.version }}
steps:
- name: Check out repository
uses: actions/checkout@v6
+ - name: Get Python version from Dockerfile
+ id: get-version
+ run: |
+ # Extract version like "3.14" from "FROM python:3.14-slim..."
+ VERSION=$(grep -m 1 "^FROM python:" Dockerfile | sed -E 's/^FROM python:([0-9]+\.[0-9]+).*/\1/')
+ echo "Extracted version: $VERSION"
+ echo "version=$VERSION" >> $GITHUB_OUTPUT
+
- name: Set up Python
uses: actions/setup-python@v6
with:
- python-version: "3.12"
+ python-version: ${{ steps.get-version.outputs.version }}
cache: "pip"
- name: Install Python dependencies
From cf83ed24a9d23cb72bc4fc20ab63d70698ed2683 Mon Sep 17 00:00:00 2001
From: Gil Desmarais
Date: Fri, 1 May 2026 16:05:43 +0200
Subject: [PATCH 2/4] ci: implement automated maintenance via dependabot automerge
Add a dedicated workflow to enable GitHub's native auto-merge feature for Dependabot PRs. This allows dependencies that pass CI to be merged automatically, reducing manual maintenance overhead.
---
.github/workflows/dependabot-automerge.yml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 .github/workflows/dependabot-automerge.yml
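Review bot: `grep -m 1 "^FROM python:"` takes the first python stage in the Dockerfile, which in a multi-stage build is usually the builder rather than the runtime image, so the version CI tests against can still drift from what actually ships; the Dockerfile is not in this series, so I cannot tell whether it has several stages. If it does, select the last match (`grep "^FROM python:" Dockerfile | tail -n 1 | sed ...`) or state the assumption in the comment: `# Assumes the first "FROM python:" line is the runtime stage (single-stage Dockerfile)`. The redirect target should also be quoted, `>> "$GITHUB_OUTPUT"`, as every other expansion in the step already is. The surrounding `unit-tests` job continues past the end of this hunk.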
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
new file mode 100644
index 0000000..6453f07
--- /dev/null
+++ b/.github/workflows/dependabot-automerge.yml
@@ -0,0 +1,17 @@
+name: Dependabot Automerge
+on: pull_request
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ automerge:
+ runs-on: ubuntu-latest
+ if: github.actor == 'dependabot[bot]'
+ steps:
+ - name: Enable automerge for Dependabot PRs
+ run: gh pr merge --auto --merge "$PR_URL"
+ env:
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 9fc6684e241706afb2c96a6963cbb60c5733e49c Mon Sep 17 00:00:00 2001
From: Gil Desmarais
Date: Fri, 1 May 2026 16:05:43 +0200
Subject: [PATCH 3/4] meta: synchronize weekly maintenance window and grouping
Align all Dependabot ecosystems (pip, docker, actions) to trigger weekly on Mondays at 05:00 UTC. Enable update grouping and rebase strategy to minimize PR noise and ensure a streamlined update cycle.
---
.github/dependabot.yml | 27 ++++++++++++++++++---------
1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 254d602..8640195 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,10 +3,13 @@ updates:
- package-ecosystem: "pip"
directory: "/"
schedule:
- interval: "monthly"
- open-pull-requests-limit: 1
+ interval: "weekly"
+ day: "monday"
+ time: "05:00"
+ open-pull-requests-limit: 10
+ pull-request-branch-merge-strategy: "rebase"
groups:
- monthly-python:
+ python-dependencies:
patterns:
- "*"
commit-message:
@@ -15,10 +18,13 @@ updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
- interval: "monthly"
- open-pull-requests-limit: 1
+ interval: "weekly"
+ day: "monday"
+ time: "05:00"
+ open-pull-requests-limit: 10
+ pull-request-branch-merge-strategy: "rebase"
groups:
- monthly-actions:
+ actions-dependencies:
patterns:
- "*"
commit-message:
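Review bot: The job-level `if: github.actor == 'dependabot[bot]'` is the only gate before `gh pr merge --auto`, so every Dependabot PR is queued for merge regardless of update type — and with dependabot.yml grouping everything under `"*"`, that includes major bumps of pip packages, of the base image, and of third-party actions that ci.yml references by mutable tags. `--auto` also only waits for checks that branch protection marks as required; if the unit-test job is not a required status check on the base branch, the merge goes through as soon as the PR is mergeable, so the "dependencies that pass CI" property in the commit message depends on repository settings this series does not show. A common mitigation is to read the update type with `dependabot/fetch-metadata` (pinned to a commit SHA rather than a tag) and skip the merge step for semver-major updates, leaving those for a human. Be aware as well that merges performed with `GITHUB_TOKEN` do not trigger other `push`-driven workflows, which matters if a release or deploy workflow listens on the base branch.
```yaml
    steps:
      - name: Fetch Dependabot metadata
        id: meta
        uses: dependabot/fetch-metadata@v2
      - name: Enable automerge for Dependabot PRs
        if: steps.meta.outputs.update-type != 'version-update:semver-major'
        run: gh pr merge --auto --merge "$PR_URL"
        # … unchanged: env block with PR_URL and GH_TOKEN …
```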
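Review bot: `pull-request-branch-merge-strategy: "rebase"` is not a key I recognise in the Dependabot configuration schema; the documented option controlling how Dependabot keeps its branches current is `rebase-strategy` with the values `auto` or `disabled`, and Dependabot rejects `updates` entries that carry unknown properties, so this line is likely to fail config validation and stop all three ecosystems from updating at all. Since `auto` is already the default, the line can simply be dropped, or replaced with `rebase-strategy: "auto"` if the intent should stay explicit. The same line is added to the `github-actions` and `docker` entries.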
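Review bot: Grouping with `patterns: ["*"]` puts major-version bumps of third-party actions into the same weekly PR as patch updates, and ci.yml references its actions by mutable tags (`@v6`), so a major bump here changes the code that runs in CI with only the unit-test job as a gate — more so once the new automerge workflow is in place. Dependabot groups accept an `update-types` filter; adding `update-types: ["minor", "patch"]` under `actions-dependencies` keeps majors out of the grouped PR so they arrive individually and get a human look before merge. Consider the same filter for the `pip` and `docker` groups, where a major bump means a new Python or base-image line.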
@@ -27,10 +33,13 @@ updates: - package-ecosystem: "docker" directory: "/" schedule: - interval: "monthly" - open-pull-requests-limit: 1 + interval: "weekly" + day: "monday" + time: "05:00" + open-pull-requests-limit: 10 + pull-request-branch-merge-strategy: "rebase" groups: - monthly-docker: + docker-dependencies: patterns: - "*" commit-message: From b43c8902e2b074eece9ee0ca973d39df82cebace Mon Sep 17 00:00:00 2001 From: Gil Desmarais Date: Fri, 1 May 2026 16:16:14 +0200 Subject: [PATCH 4/4] fix: address PR review feedback for CI and automerge - Add validation to Python version extraction in ci.yml - Remove unused python-version job output in ci.yml - Switch automerge trigger to pull_request_target for write permissions --- .github/workflows/ci.yml | 8 ++++++-- .github/workflows/dependabot-automerge.yml | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1a5938c..0bb518e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,8 +13,6 @@ jobs: unit-tests: name: Run unit tests runs-on: ubuntu-latest - outputs: - python-version: ${{ steps.get-version.outputs.version }} steps: - name: Check out repository uses: actions/checkout@v6 @@ -24,6 +22,12 @@ jobs: run: | # Extract version like "3.14" from "FROM python:3.14-slim..." VERSION=$(grep -m 1 "^FROM python:" Dockerfile | sed -E 's/^FROM python:([0-9]+\.[0-9]+).*/\1/') + + if [ -z "$VERSION" ]; then + echo "Error: Could not extract Python version from Dockerfile" + exit 1 + fi + echo "Extracted version: $VERSION" echo "version=$VERSION" >> $GITHUB_OUTPUT diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml index 6453f07..1257739 100644 --- a/.github/workflows/dependabot-automerge.yml +++ b/.github/workflows/dependabot-automerge.yml @@ -1,5 +1,5 @@ name: Dependabot Automerge -on: pull_request +on: pull_request_target permissions: contents: write
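Review bot: `time: "05:00"` has no `timezone:` beside it, so the window relies on Dependabot's UTC default while the commit message promises 05:00 UTC explicitly. Adding `timezone: "Etc/UTC"` under each `schedule:` records that intent in the file itself and keeps the three ecosystems aligned if someone later edits one of them assuming local time.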
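Review bot: The new `if [ -z "$VERSION" ]` check does not cover the failure it is meant to catch: sed's `s///` prints its input unchanged when the pattern does not match, so a Dockerfile line such as `FROM python:3-slim` or `FROM python:latest` leaves VERSION holding the entire FROM line — non-empty, so the step continues and setup-python receives garbage. Validate the shape instead: `if ! [[ "$VERSION" =~ ^[0-9]+\.[0-9]+$ ]]; then` (the default `run:` shell on ubuntu-latest is bash, so `[[ =~ ]]` is available). The no-`FROM python:`-line case is probably already fatal through the default shell's `-e -o pipefail` before this check runs, but the explicit error message remains worth keeping.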
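Review bot: Switching to `pull_request_target` gives this workflow a write-scoped `GITHUB_TOKEN` for PRs opened from forks as well, so the job-level `if: github.actor == 'dependabot[bot]'` is now the only thing between an arbitrary external PR and a job holding `contents: write`. It is safe as written because the job never checks out or executes anything from the PR, but that invariant is easy to break in a later edit; add a comment above the trigger: `# pull_request_target: runs with a write token even for fork PRs. Never add a checkout of the PR head or execute PR-controlled content in this workflow.` The rest of the workflow (permissions, job, steps) lies outside this hunk.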