Skip to content

ci(dependabot): prevent python version drift & auto-orchestrate updates #5

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
gildesmarais merged 4 commits into from
May 1, 2026
+50 −10
Merged

ci(dependabot): prevent python version drift & auto-orchestrate updates #5

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
5be8ab5
ci: derive python version from dockerfile to prevent drift
gildesmarais May 1, 2026
cf83ed2
ci: implement automated maintenance via dependabot automerge
gildesmarais May 1, 2026
9fc6684
meta: synchronize weekly maintenance window and grouping
gildesmarais May 1, 2026
b43c890
fix: address PR review feedback for CI and automerge
gildesmarais May 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 18 additions & 9 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,13 @@ updates:
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "monthly"
open-pull-requests-limit: 1
interval: "weekly"
day: "monday"
time: "05:00"
open-pull-requests-limit: 10
pull-request-branch-merge-strategy: "rebase"
groups:
monthly-python:
python-dependencies:
patterns:
- "*"
commit-message:
Expand All @@ -15,10 +18,13 @@ updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "monthly"
open-pull-requests-limit: 1
interval: "weekly"
day: "monday"
time: "05:00"
open-pull-requests-limit: 10
pull-request-branch-merge-strategy: "rebase"
groups:
monthly-actions:
actions-dependencies:
patterns:
- "*"
commit-message:
Expand All @@ -27,10 +33,13 @@ updates:
- package-ecosystem: "docker"
directory: "/"
schedule:
interval: "monthly"
open-pull-requests-limit: 1
interval: "weekly"
day: "monday"
time: "05:00"
open-pull-requests-limit: 10
pull-request-branch-merge-strategy: "rebase"
groups:
monthly-docker:
docker-dependencies:
patterns:
- "*"
commit-message:
Expand Down
12 changes: 11 additions & 1 deletion .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,14 +13,24 @@ jobs:
unit-tests:
name: Run unit tests
runs-on: ubuntu-latest
outputs:
python-version: ${{ steps.get-version.outputs.version }}
Copy link

Copilot AI May 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unit-tests.outputs.python-version is defined but not consumed by any downstream job/workflow. If nothing uses this output, consider removing it to avoid confusion (or add a consumer via needs.unit-tests.outputs.python-version).

Suggested change
outputs:
python-version: ${{ steps.get-version.outputs.version }}

Copilot uses AI. Check for mistakes.
steps:
- name: Check out repository
uses: actions/checkout@v6

- name: Get Python version from Dockerfile
id: get-version
run: |
# Extract version like "3.14" from "FROM python:3.14-slim..."
VERSION=$(grep -m 1 "^FROM python:" Dockerfile | sed -E 's/^FROM python:([0-9]+\.[0-9]+).*/\1/')
Copy link

Copilot AI May 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Dockerfile parsing step can produce an empty VERSION (e.g., if the FROM python: line changes format), which then causes a confusing failure later in setup-python. Add an explicit validation that VERSION is non-empty (and ideally print a clear error and exit non-zero) before writing to $GITHUB_OUTPUT.

Suggested change
VERSION=$(grep -m 1 "^FROM python:" Dockerfile | sed -E 's/^FROM python:([0-9]+\.[0-9]+).*/\1/')
VERSION=$(grep -m 1 "^FROM python:" Dockerfile | sed -E 's/^FROM python:([0-9]+\.[0-9]+).*/\1/')
if [ -z "$VERSION" ]; then
echo "Error: Failed to extract Python version from Dockerfile. Expected a line like 'FROM python:<major>.<minor>-...'" >&2
exit 1
fi

Copilot uses AI. Check for mistakes.
echo "Extracted version: $VERSION"
echo "version=$VERSION" >> $GITHUB_OUTPUT

- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.12"
python-version: ${{ steps.get-version.outputs.version }}
cache: "pip"

- name: Install Python dependencies
Expand Down
17 changes: 17 additions & 0 deletions .github/workflows/dependabot-automerge.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
name: Dependabot Automerge
on: pull_request

permissions:
contents: write
pull-requests: write
Copy link

Copilot AI May 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow uses on: pull_request, but Dependabot-triggered workflows commonly receive a read-only GITHUB_TOKEN on pull_request, which will prevent gh pr merge --auto ... from enabling auto-merge/merging. Consider switching to pull_request_target (and keep the strict dependabot[bot] guard and avoid checking out PR code) so the token can have the write permissions you’ve declared.

Copilot uses AI. Check for mistakes.

jobs:
automerge:
runs-on: ubuntu-latest
if: github.actor == 'dependabot[bot]'
steps:
- name: Enable automerge for Dependabot PRs
run: gh pr merge --auto --merge "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Loading