Skip to content

Automate CI and dependency maintenance#362

Open
Ludy87 wants to merge 2 commits into
mainfrom
codex/automatisierung-fur-ci-verbessern
Open

Automate CI and dependency maintenance#362
Ludy87 wants to merge 2 commits into
mainfrom
codex/automatisierung-fur-ci-verbessern

Conversation

@Ludy87

@Ludy87 Ludy87 commented Jun 24, 2026

Copy link
Copy Markdown
Owner

Motivation

  • Reduce manual work by making CI workflows more robust and enabling safe automatic merges for dependency updates.
  • Reduce Dependabot noise by grouping related updates and limiting open PRs.

Description

  • Add a Dependabot auto-merge workflow that runs on pull_request_target, reads Dependabot metadata, and auto-merges non-draft patch/minor updates using gh pr merge. (.github/workflows/dependabot-auto-merge.yml).
  • Harden and improve the Python package workflow with workflow_dispatch, concurrency cancellation, dependency-cache keying via cache-dependency-path, consolidated installation of dev tools, black formatting check, real pytest execution, and a package build/twine validation step on Python 3.13. (.github/workflows/pythonpackage.yml).
  • Update Dependabot configuration to group GitHub Actions and pip updates, add labels, set reasonable open-pull-requests-limit, and normalize schedule times. (.github/dependabot.yml).

Testing

  • Validated workflow and config YAML with ruby -e 'require "yaml"; ARGV.each { |f| YAML.load_file(f); puts "valid yaml: #{f}" }' .github/workflows/pythonpackage.yml .github/workflows/dependabot-auto-merge.yml .github/dependabot.yml which succeeded.
  • Ran test suite with pytest -q which passed (33 passed).
  • Ran formatting check black --line-length=127 --check . which completed successfully.
  • flake8 was not available in the local environment so its full run was not performed locally.
  • Package build check (python -m build / twine check) could not be executed locally because the build/twine tooling was not present in the environment.

Codex Task

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 25e90f10c9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

name: Dependabot auto-merge

on:
pull_request_target:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Use a trigger that preserves Dependabot write access

For Dependabot PRs (the only PRs allowed by this job), this pull_request_target trigger leaves ${{ secrets.GITHUB_TOKEN }} read-only: GitHub's Dependabot-on-Actions docs state that Dependabot-initiated pull_request_target runs for Dependabot-created PRs get a read-only token and no secrets. As a result, the later gh pr merge --auto cannot enable auto-merge despite the contents: write block, so the new auto-merge workflow will fail for every intended PR; use the pull_request pattern from GitHub's Dependabot auto-merge docs or authenticate the merge step with an explicit App/PAT token.

Useful? React with 👍 / 👎.

@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant