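--- a/.github/workflows/dependabot-auto-merge.yaml
+++ b/.github/workflows/dependabot-auto-merge.yaml
@@ -57,29 +57,10 @@ jobs:
 if: steps.pr.outputs.author == 'dependabot[bot]' && steps.pr.outputs.base_ref == 'main'
 shell: bash
 run: |
-# Attempt to enable auto-merge. The gh CLI doesn't provide structured error codes,
-# so we must parse error messages. Common expected errors:
-# - "auto-merge is already enabled" - auto-merge was already set
-# - "not authorized for this protected branch" - branch protection requirements not yet met
-# NOTE: This typically occurs when the GITHUB_TOKEN doesn't have sufficient permissions.
-# For workflows triggered by Dependabot PRs, the token has restricted permissions even
-# with contents:write and pull-requests:write. Solutions include:
-# 1. Use a GitHub App token (most secure)
-# 2. Use a PAT stored in secrets (simpler but less secure)
-# 3. Use pull_request_target trigger (has security implications)
-# - "Required status checks" - waiting for CI checks to pass
-# - "Required approving review" - waiting for approval
 set -o pipefail
 if ! gh pr merge --auto --merge "${{ steps.pr.outputs.number }}" --repo "${{ github.repository }}" 2>&1 | tee /tmp/gh-output.txt; then
-if grep -qE "auto-merge is already enabled|not authorized for this protected branch|[Rr]equired.*status.*check|[Rr]equired approving review|[Rr]equired.*review" /tmp/gh-output.txt; then
+if grep -qE "auto-merge is already enabled|[Rr]equired.*status.*check|[Rr]equired approving review|[Rr]equired.*review" /tmp/gh-output.txt; then
 echo "Auto-merge not enabled yet - this is expected when requirements are not met or already enabled"
-if grep -q "not authorized for this protected branch" /tmp/gh-output.txt; then
-echo ""
-echo "NOTE: The 'not authorized for this protected branch' error typically means:"
-echo " - The GITHUB_TOKEN has restricted permissions when triggered by Dependabot PRs"
-echo " - To fix this, consider using a GitHub App token or PAT with appropriate permissions"
-echo " - See workflow comments for more details"
-fi
 exit 0
 else
 echo "Unexpected error enabling auto-merge:"
@@ -88,4 +69,4 @@ jobs:
 fi
 fi
 env:
-GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+GH_TOKEN: ${{ secrets.WORKFLOW_PAT }}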
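Review bot: The switch to `secrets.WORKFLOW_PAT` in the `env:` hunk replaces the job-scoped, auto-expiring GITHUB_TOKEN with a long-lived credential, but nothing left in the workflow records which permissions that token needs or that it must be a fine-grained token restricted to this repository; the deleted comment block was the only place that trade-off was written down. I would add a comment above `GH_TOKEN:` such as `# WORKFLOW_PAT: fine-grained PAT scoped to this repo only (contents: write, pull requests: write) — GITHUB_TOKEN is too restricted to enable auto-merge on Dependabot PRs; rotate on a schedule`. Dropping `not authorized for this protected branch` from the expected-error pattern is the right companion change, since an expired or under-scoped PAT now lands in the `Unexpected error enabling auto-merge` branch instead of exiting 0 silently; saying so in that comment stops the next maintainer from re-adding it. The `run:` block starts inside the first hunk but the `steps.pr` step whose outputs are interpolated into the bash command lies outside SOURCE, so whether `steps.pr.outputs.number` is validated as numeric before use cannot be confirmed from here.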