Dependabot Automations

Marcus Hert Da Coregio edited this page Feb 14, 2024 · 1 revision

Spring Security has some automation around Dependabot that aims to reduce the manual work needed to keep the PRs merged, the branches in sync, and the dependabot.yml file up to date. This document outlines what each of those automations does.

Update dependabot.yml (workflow file)

This workflow runs every day and makes sure that the dependabot.yml file is updated whenever the supported branches or the dependabot.template.yml file changes.

More details are available in the action’s repository.

Merge Dependabot PR (workflow file)

This workflow runs when a PR is opened by the dependabot[bot] user and does the following:

  • Assigns the PR to a specific milestone based on its target branch

  • Triggers the PR’s auto merge

Trigger Dependabot Auto Merge Forward (workflow file)

This workflow runs when a new commit from the dependabot[bot] author is pushed into one of the supported branches. Its sole responsibility is to invoke the Auto Merge Forward Dependabot Commits workflow.

Auto Merge Forward Dependabot Commits (workflow file)

This workflow is triggered when a new commit from dependabot[bot] is pushed to any of the supported branches. It first retrieves the currently supported branches and passes them to the Auto Merge Forward Action. The action takes care of merging the commits that are not in sync between the branches. More details are available in the action’s repository.
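
The merge-forward step described above, sketched as an added example that is not the action's own code: it finds dependabot[bot] commits that an older supported branch has and the next one lacks, then merges forward. The branch names, the deps.txt file and the plain `git merge` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration, not the Auto Merge Forward Action's code.
# Assumed: branch names, deps.txt, and a plain `git merge` as the merge step.
BOT='dependabot[bot]'

# Hashes of commits on branch $1 that branch $2 lacks and whose author name
# is exactly $BOT. Compared as a string: passing the name to
# `git log --author` would treat "[bot]" as a regex character class.
unsynced_bot_commits() {
    git log --format='%H %an' "$2..$1" |
    while read -r hash author; do
        if [ "$author" = "$BOT" ]; then echo "$hash"; fi
    done
}

# Merge $1 into $2 only when a bot commit is out of sync between them.
merge_forward() {
    [ -n "$(unsynced_bot_commits "$1" "$2")" ] || return 0
    git checkout -q "$2" && git merge -q --no-edit "$1"
}

# Constructed repository: three supported branches, one bot commit on the oldest.
demo() {
    repo=$(mktemp -d) && cd "$repo" || return 1
    git init -q . && git symbolic-ref HEAD refs/heads/6.1.x
    export GIT_AUTHOR_NAME=dev GIT_AUTHOR_EMAIL=dev@example.invalid
    export GIT_COMMITTER_NAME=dev GIT_COMMITTER_EMAIL=dev@example.invalid
    echo 'lib=1.0' > deps.txt && git add deps.txt && git commit -q -m 'Initial'
    git branch 6.2.x && git branch main
    echo 'lib=1.1' > deps.txt
    GIT_AUTHOR_NAME=$BOT git commit -q -am 'Bump lib from 1.0 to 1.1'
    # Walk the supported branches from oldest to newest.
    merge_forward 6.1.x 6.2.x && merge_forward 6.2.x main
    git show main:deps.txt
}

demo
```

The author name on a commit is unauthenticated metadata, so automation keyed on it depends on restricting who can push to the supported branches.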