ci: replace ahmadnassri auto-merge action with dependabot/fetch-metadata#465

Merged
jens-maus merged 7 commits into jens-maus:master from KristjanESPERANTO:automerge
Feb 22, 2026
Conversation

KristjanESPERANTO (Contributor) commented Feb 22, 2026

ahmadnassri/action-dependabot-auto-merge is unmaintained (last release 3 years ago) and Docker-based — it fails on ubuntu-slim runners because no Docker daemon is available.

Replacing it with the official dependabot/fetch-metadata@v2 (pure JS, actively maintained) combined with gh pr merge --auto --squash (GH CLI, pre-installed on all runners).

Changes:

  • Replace outdated Docker-based action with dependabot/fetch-metadata@v2 + GH CLI
  • Inline merge rules (previously in .github/auto-merge.yml, now deleted)
  • Add explicit permissions block and dependabot[bot] actor guard

Note

@jens-maus For gh pr merge --auto to work, "Allow auto-merge" must be enabled once in Settings → General → Pull Requests.

Summary by CodeRabbit

  • Chores
    • Removed the previous automated dependency auto-merge configuration.
    • Replaced it with a metadata-driven auto-merge workflow: tightened permissions, added eligibility checks based on dependency/update metadata, and an explicit conditional merge step with updated token handling.

…ata + gh cli

The Docker-based action failed on ubuntu-slim (no Docker daemon available).
Switching to the official JS-based dependabot/fetch-metadata@v2 + `gh pr merge --auto --squash`.
Merge rules are identical to the removed .github/auto-merge.yml.
coderabbitai bot commented Feb 22, 2026

📝 Walkthrough

Removed the legacy Dependabot automerge config file and introduced a Dependabot-only GitHub Actions workflow that fetches Dependabot metadata, evaluates eligibility (dependency-type, update-type, ghsa-id/alert-state), and conditionally merges Dependabot PRs via the GitHub CLI with an explicit PAT and scoped permissions.

Changes

Cohort / File(s) | Summary
Automerge config removal (.github/auto-merge.yml) | Deleted legacy Dependabot automerge configuration (three explicit automerge match blocks and related comments).
Dependabot automerge workflow (.github/workflows/dependabot-automerge.yml) | Replaced prior auto-merge mechanism with a metadata-driven workflow: adds dependabot/fetch-metadata, an eligibility decision step (dependency-type, update-type, ghsa-id/alert-state), permission guards (contents & pull-requests), and a conditional gh pr merge using an AUTO_MERGE_TOKEN. Review eligibility logic and token usage closely.

Sequence Diagram(s)

sequenceDiagram
  participant Dependabot
  participant Actions as "GitHub Actions Runner"
  participant Fetch as "dependabot/fetch-metadata"
  participant Checker as "eligibility-check"
  participant GH as "GitHub CLI / API"
  participant Repo as "Repository (PR)"

  Dependabot->>Actions: Open Dependabot PR
  Actions->>Fetch: Fetch PR metadata (dependency-type, update-type, ghsa-id, alert-state, pr_url)
  Fetch-->>Actions: Return metadata
  Actions->>Checker: Evaluate eligibility rules
  alt Eligible
    Actions->>GH: Merge PR via `gh pr merge` (AUTO_MERGE_TOKEN)
    GH-->>Repo: PR merged
  else Not eligible
    Actions-->>Repo: No merge (PR left open)
  end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

  • jens-maus

Poem

🐰 I nibbled old YAML in the night,
Fetching metadata by starlight.
I check each patch, each GHSA bell,
Then hop to merge when rules ring well.
Tiny paws, a CI delight.

🚥 Pre-merge checks | ✅ 3 passed
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title accurately summarizes the main change: replacing the unmaintained ahmadnassri auto-merge Docker action with the actively maintained dependabot/fetch-metadata JavaScript action paired with GH CLI.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai bot left a comment

Actionable comments posted: 4

🧹 Nitpick comments (1)
.github/workflows/dependabot-automerge.yml (1)

31-33: Consider replacing AUTO_MERGE_TOKEN with the built-in GITHUB_TOKEN.

The workflow already explicitly grants contents: write and pull-requests: write, which are the permissions used in the official GitHub docs for gh pr merge --auto with GITHUB_TOKEN. Using the built-in token eliminates the maintenance burden of the external AUTO_MERGE_TOKEN PAT secret.

Note: GITHUB_TOKEN-initiated events do not trigger downstream Actions workflows. If branch protection rules require CI status checks that are triggered by a push event downstream of the merge, the PAT may still be necessary.

♻️ Proposed change (if no downstream CI trigger is needed)
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
-          GH_TOKEN: ${{ secrets.AUTO_MERGE_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
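Review bot: swapping GH_TOKEN to secrets.GITHUB_TOKEN in this env block only changes the merge step; the fetch-metadata step with alert-lookup still needs a PAT (a later commit in this thread records that GITHUB_TOKEN is rejected by the Dependabot Alerts API), so the AUTO_MERGE_TOKEN secret and the maintenance burden this comment wants to remove would remain. The hunk also omits the `if: steps.check.outputs.result == 'true'`-style guard on the merge step; include that context line so reviewers can confirm the merge is conditional on the eligibility result and not only on the token choice.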
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dependabot-automerge.yml around lines 31 - 33, Replace the
external PAT secret usage by switching the environment variable GH_TOKEN to the
built-in GITHUB_TOKEN in the workflow env block (the PR_URL and GH_TOKEN env
entries), and ensure the workflow permissions still include contents: write and
pull-requests: write so gh pr merge --auto can run; keep the note about
downstream CI (branch protection requiring external PAT) if those downstream
push-triggered checks exist.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/dependabot-automerge.yml:
- Around line 1-5: The comment contains a stale reference: remove or update the
parenthetical "(mirroring .github/auto-merge.yml)" from the header block so it
no longer points to the deleted .github/auto-merge.yml; specifically edit the
top comment lines (the sentence that begins "Merge rules (mirroring
.github/auto-merge.yml):") to either drop the parenthetical entirely or replace
it with an accurate reference or generic wording about the merge rules.
- Around line 21-23: The Dependabot metadata step ("Fetch Dependabot metadata",
id: metadata) currently uses the mutable tag dependabot/fetch-metadata@v2;
replace that with the exact commit SHA for the desired release (e.g., the SHA
for v2.5.0) and add a trailing comment with the version (for example: " #
v2.5.0") to pin the action and aid maintainability; optionally add an explicit
with: github-token: "${{ secrets.GITHUB_TOKEN }}" block under the same step to
make the token usage clear.
- Line 19: Replace the current Dependabot guard using github.actor with a check
against the pull request author so the workflow only runs for Dependabot-created
PRs; specifically, change the conditional that currently reads something like
"if: github.actor == 'dependabot[bot]'" to use
"github.event.pull_request.user.login == 'dependabot[bot]'" (the condition line
in the dependabot-automerge.yml) so under pull_request_target the PR author is
validated instead of the workflow actor.


- Pin dependabot/fetch-metadata to exact SHA (v2.5.0)
- Use pull_request.user.login instead of github.actor for Dependabot guard
- Fall back to GITHUB_TOKEN when AUTO_MERGE_TOKEN is not set
- Add explicit github-token to fetch-metadata step
- Remove stale auto-merge.yml reference from comment
KristjanESPERANTO (Contributor, Author) commented:

@coderabbitai review

coderabbitai bot commented Feb 22, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/dependabot-automerge.yml (1)

30-32: Use environment variables instead of inline ${{ }} expressions in run: steps.

Interpolating action outputs directly into shell strings via ${{ ... }} is a GitHub-documented script-injection vector. The safe pattern is to pass values through env: and reference them as shell variables.

♻️ Proposed refactor
       - name: Determine if PR should be auto-merged
         id: check
         run: |
-          DEP="${{ steps.metadata.outputs.dependency-type }}"
-          UPD="${{ steps.metadata.outputs.update-type }}"
-          SEC="${{ steps.metadata.outputs.ghsa-ids }}"
+          DEP="$METADATA_DEP_TYPE"
+          UPD="$METADATA_UPDATE_TYPE"
+          SEC="$METADATA_GHSA_ID"
+          ALERT="$METADATA_ALERT_STATE"

           # production: patch always; minor only for security fixes
           ...
+        env:
+          METADATA_DEP_TYPE: ${{ steps.metadata.outputs.dependency-type }}
+          METADATA_UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
+          METADATA_GHSA_ID: ${{ steps.metadata.outputs.ghsa-id }}
+          METADATA_ALERT_STATE: ${{ steps.metadata.outputs.alert-state }}
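Review bot: the `SEC="$METADATA_GHSA_ID"` line together with `METADATA_GHSA_ID: ${{ steps.metadata.outputs.ghsa-id }}` silently renames the output from `ghsa-ids` (the removed line) to `ghsa-id` while the comment presents this as a pure env refactor; state the rename explicitly, since the inline comment below flags `ghsa-id` (singular) as the correct output. `METADATA_ALERT_STATE` is mapped but `ALERT` is never used in the shown logic, and both `ghsa-id` and `alert-state` are only populated when `alert-lookup: true` is set on the fetch-metadata step, which this hunk does not add; without it the security branch compares against empty strings.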
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dependabot-automerge.yml around lines 30 - 32, Replace the
inline interpolation of action outputs in the run step (currently assigning
DEP="${{ steps.metadata.outputs.dependency-type }}", UPD="${{
steps.metadata.outputs.update-type }}", SEC="${{ steps.metadata.outputs.ghsa-ids
}}") with environment variables passed via env:, e.g. declare env keys DEP, UPD,
SEC mapping to ${{ steps.metadata.outputs.dependency-type }}, ${{
steps.metadata.outputs.update-type }}, ${{ steps.metadata.outputs.ghsa-ids }}
and then reference them inside the run script as shell variables ($DEP, $UPD,
$SEC); update the workflow step that uses DEP/UPD/SEC to read from env instead
of embedding `${{ }}` directly.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/dependabot-automerge.yml:
- Around line 24-25: Enable alert lookup and use the correct outputs: set the
dependabot metadata action input alert-lookup: true and pass a PAT via a new
secret (AUTO_MERGE_TOKEN) instead of only GITHUB_TOKEN so steps.metadata
populates alert-state, ghsa-id and cvss; change references from
steps.metadata.outputs.ghsa-ids to steps.metadata.outputs.ghsa-id (singular)
wherever SEC is derived; and remove the update-type equality guard (the check
comparing "$UPD" == "version-update:semver-minor") from the security auto-merge
branch so security-only PRs can match regardless of update-type.


… security guard

- Add alert-lookup: true so ghsa-ids is populated for security PRs
- Use AUTO_MERGE_TOKEN for fetch-metadata (GITHUB_TOKEN rejected by Dependabot Alerts API)
- Pass action outputs via env: instead of inline ${{ }} interpolation
- Remove update-type guard for security branch: merge any security fix regardless of semver level
KristjanESPERANTO (Contributor, Author) commented:

@coderabbitai review

coderabbitai bot commented Feb 22, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/dependabot-automerge.yml (1)

35-40: Consider also checking alert-state in the security auto-merge condition.

alert-state contains the current state of the alert — OPEN, FIXED, or DISMISSED — when alert-lookup is true. The current condition auto-merges any production PR with a non-empty ghsa-id, including those whose alert was explicitly dismissed by a maintainer. Adding an alert-state check keeps the rule aligned with the intent described in the header (line 4).

♻️ Proposed refinement
        env:
          DEP: ${{ steps.metadata.outputs.dependency-type }}
          UPD: ${{ steps.metadata.outputs.update-type }}
          SEC: ${{ steps.metadata.outputs.ghsa-id }}
+         ALERT: ${{ steps.metadata.outputs.alert-state }}
        run: |
          # production: patch always; any security fix regardless of update-type
          if [[ "$DEP" == "direct:production" && "$UPD" == "version-update:semver-patch" ]]; then
            echo "result=true" >> "$GITHUB_OUTPUT"
-         elif [[ "$DEP" == "direct:production" && -n "$SEC" ]]; then
+         elif [[ "$DEP" == "direct:production" && -n "$SEC" && "$ALERT" == "OPEN" ]]; then
            echo "result=true" >> "$GITHUB_OUTPUT"
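Review bot: with `"$ALERT" == "OPEN"` added to the elif, a security PR whose alert-state is empty (alert-lookup disabled, or the token not accepted by the Alerts API, as the separate AUTO_MERGE_TOKEN finding describes) now falls through to result=false. That is the right fail-closed direction, but it is silent; document it in the header comment (line 4 is cited as stating the intent) so an unmerged security PR is recognised as the token or lookup misconfiguration rather than a bug in the rules, and keep the final `else` writing `result=false` so `steps.check.outputs.result` is always defined for the merge step's condition.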
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dependabot-automerge.yml around lines 35 - 40, The
security auto-merge condition currently treats any non-empty SEC (ghsa-id) as
eligible; update the conditional that handles 'direct:production' and SEC to
also verify the alert-state is OPEN (the `alert-state` output from alert-lookup)
so dismissed or fixed alerts are not auto-merged; specifically, modify the elif
branch that checks `"$DEP" == "direct:production" && -n "$SEC"` to also require
`"$ALERT_STATE" == "OPEN"` (or equivalent variable name used in the workflow)
before emitting result=true.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/dependabot-automerge.yml:
- Around line 25-28: The workflow's use of alert-lookup with github-token: ${{
secrets.AUTO_MERGE_TOKEN }} silently fails auto-merges when AUTO_MERGE_TOKEN is
not defined; update the Dependabot workflow to either (a) guard the
fetch-metadata/alert-lookup usage with a condition that checks for the presence
of secrets.AUTO_MERGE_TOKEN before setting alert-lookup or using the
fetch-metadata step, or (b) switch to a two-path approach where alert-lookup is
only enabled when AUTO_MERGE_TOKEN exists and routine non-security auto-merge
logic runs without it; also add a short setup note to repo docs mentioning that
AUTO_MERGE_TOKEN (PAT with repo scope) is required for security metadata.

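The eligibility rules discussed across these reviews (production patch always, production security fix only while the alert is OPEN, development patch or minor), written as a POSIX shell function that reads every metadata value from a plain variable, the env: pattern the earlier review recommends instead of interpolating `${{ }}` into the script body. This is an added example, not code from the PR or from the dependabot/fetch-metadata project; the function name, argument order and the `GHSA-EXAMPLE-0000` placeholder are this example's own choices.

```shell
#!/bin/sh
# Added example (not the PR's workflow code). Implements the three merge rules
# from the thread plus the alert-state refinement. Inputs arrive as positional
# parameters, mirroring the env mappings DEP, UPD, SEC, ALERT in the workflow:
# the shell compares them as data and never parses them as script text.

# automerge_eligible DEP UPD SEC ALERT  -> prints "true" or "false"
#   DEP   dependency-type  (direct:production | direct:development | indirect)
#   UPD   update-type      (version-update:semver-patch | -minor | -major)
#   SEC   ghsa-id          (non-empty when the PR fixes a Dependabot alert)
#   ALERT alert-state      (OPEN | FIXED | DISMISSED | empty if alert-lookup is off)
automerge_eligible() {
  dep=$1; upd=$2; sec=$3; alert=$4
  result=false

  # production deps: semver patch always
  if [ "$dep" = "direct:production" ] && [ "$upd" = "version-update:semver-patch" ]; then
    result=true
  # production deps: any security fix, but only while the alert is still OPEN.
  # An empty alert-state (alert-lookup disabled or token rejected) fails closed.
  elif [ "$dep" = "direct:production" ] && [ -n "$sec" ] && [ "$alert" = "OPEN" ]; then
    result=true
  # development deps: semver patch or minor
  elif [ "$dep" = "direct:development" ]; then
    case $upd in
      version-update:semver-patch|version-update:semver-minor) result=true ;;
    esac
  fi

  printf '%s\n' "$result"
}

# Inside the workflow step the last line would be:
#   echo "result=$(automerge_eligible "$DEP" "$UPD" "$SEC" "$ALERT")" >> "$GITHUB_OUTPUT"
# Stand-alone demo over constructed inputs (GHSA-EXAMPLE-0000 is a placeholder id):
if [ "${1:-}" = "--demo" ]; then
  automerge_eligible direct:production  version-update:semver-patch "" ""                         # true
  automerge_eligible direct:production  version-update:semver-minor "" ""                         # false
  automerge_eligible direct:production  version-update:semver-major GHSA-EXAMPLE-0000 OPEN        # true
  automerge_eligible direct:production  version-update:semver-minor GHSA-EXAMPLE-0000 DISMISSED   # false
  automerge_eligible direct:production  version-update:semver-minor GHSA-EXAMPLE-0000 ""          # false
  automerge_eligible direct:development version-update:semver-minor "" ""                         # true
  automerge_eligible direct:development version-update:semver-major "" ""                         # false
fi
```

Run it with `sh script.sh --demo` to see one line per case. Because the values reach the function as arguments rather than being substituted into the script source, a metadata string containing quotes or shell metacharacters is only ever compared, which is the property the script-injection comment above is after; the empty-alert-state case shows the fail-closed behaviour that a missing or rejected AUTO_MERGE_TOKEN produces.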

coderabbitai bot left a comment

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/dependabot-automerge.yml:
- Around line 12-19: Permissions block (contents: write and pull-requests:
write) and the actor guard on the job (if: github.event.pull_request.user.login
== 'dependabot[bot]') are correctly scoped for pull_request_target usage; no
code changes required—leave the permissions and the auto-merge job's if
condition as-is.
- Around line 31-49: The eligibility logic in the "Determine if PR should be
auto-merged" step (id: check) is correct and injection-safe; no code changes
required—keep the env mappings DEP, UPD, SEC, and ALERT_STATE and the existing
conditional branches that set result=true for direct:production semver-patch,
for production security fixes with OPEN alert-state, and for direct:development
semver-patch or semver-minor, otherwise set result=false.
- Around line 21-29: No change required—keep the "Fetch Dependabot metadata"
step as-is: the action
dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a (step id
metadata) should remain SHA-pinned, include github-token: ${{
secrets.AUTO_MERGE_TOKEN }}, and alert-lookup: true; leave this configuration
intact since it satisfies the previous review constraints.
- Around line 1-5: The header comments describing the three merge rules should
match the implemented shell-logic branches; verify the comment lines that list
"production deps: semver patch", "production deps: any security fix", and
"development deps: semver minor (and patch)" remain synchronized with the three
condition branches in the script and remove any lingering stale reference to the
deleted auto-merge config (if already removed, no changes needed).

KristjanESPERANTO (Contributor, Author) commented:

Coderabbit now seems satisfied 🙂

@jens-maus jens-maus merged commit 689043a into jens-maus:master Feb 22, 2026
16 of 17 checks passed
@KristjanESPERANTO KristjanESPERANTO deleted the automerge branch February 22, 2026 13:49