Automate CI and dependency maintenance#362
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 25e90f10c9
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| name: Dependabot auto-merge | ||
|
|
||
| on: | ||
| pull_request_target: |
There was a problem hiding this comment.
Use a trigger that preserves Dependabot write access
For Dependabot PRs (the only PRs allowed by this job), this pull_request_target trigger leaves ${{ secrets.GITHUB_TOKEN }} read-only: GitHub's Dependabot-on-Actions docs state that Dependabot-initiated pull_request_target runs for Dependabot-created PRs get a read-only token and no secrets. As a result, the later gh pr merge --auto cannot enable auto-merge despite the contents: write block, so the new auto-merge workflow will fail for every intended PR; use the pull_request pattern from GitHub's Dependabot auto-merge docs or authenticate the merge step with an explicit App/PAT token.
Useful? React with 👍 / 👎.
|



Motivation
Description
pull_request_target, reads Dependabot metadata, and auto-merges non-draft patch/minor updates usinggh pr merge. (.github/workflows/dependabot-auto-merge.yml).workflow_dispatch, concurrency cancellation, dependency-cache keying viacache-dependency-path, consolidated installation of dev tools,blackformatting check, realpytestexecution, and a package build/twine validation step on Python 3.13. (.github/workflows/pythonpackage.yml).open-pull-requests-limit, and normalize schedule times. (.github/dependabot.yml).Testing
ruby -e 'require "yaml"; ARGV.each { |f| YAML.load_file(f); puts "valid yaml: #{f}" }' .github/workflows/pythonpackage.yml .github/workflows/dependabot-auto-merge.yml .github/dependabot.ymlwhich succeeded.pytest -qwhich passed (33 passed).black --line-length=127 --check .which completed successfully.flake8was not available in the local environment so its full run was not performed locally.python -m build/twine check) could not be executed locally because thebuild/twinetooling was not present in the environment.Codex Task