Add dependabot automation workflows#68

Merged: ronkq merged 8 commits into main from dependabot-automations on May 18, 2026

Conversation

@seniakalma

Contributor

Add an automation to close dependabot PRs that fail the tests, and one to merge PRs that pass them

@seniakalma seniakalma self-assigned this Apr 22, 2026
@seniakalma

Contributor Author

@PaulLaux What do you think?

@PaulLaux

Contributor

@PaulLaux What do you think?

Not sure.
This one fails: #67, but the solution is not to close it silently but to fix the errors (API change) and try again. If we auto-close we might miss security updates, no?

@seniakalma

seniakalma commented Apr 23, 2026

Contributor Author

@PaulLaux What do you think?

Not sure. This one fails: #67, but the solution is not to close it silently but to fix the errors (API change) and try again. If we auto-close we might miss security updates, no?

I would say it depends on the context. If we see it as "Dependabot automation couldn't update dependencies without breaking our tests", it makes sense. We will have the PR/notifications as an alert that manual intervention is required.

@seniakalma seniakalma marked this pull request as ready for review May 4, 2026 10:12
@qodo-code-review


Review Summary by Qodo

Add auto-merge workflow for Dependabot pull requests

✨ Enhancement


Walkthroughs

Description
• Add GitHub Actions workflow for auto-merging Dependabot PRs
• Automatically approve and merge non-major version updates
• Uses Dependabot metadata to filter update types
• Enables squash merge strategy for clean commit history
Diagram
flowchart LR
  A["Dependabot PR Created"] -- "Fetch metadata" --> B["Check Update Type"]
  B -- "Not semver-major" --> C["Approve PR"]
  C -- "Enable auto-merge" --> D["PR Auto-Merged"]
  B -- "Is semver-major" --> E["Skip Auto-Merge"]


File Changes

1. .github/workflows/dependabot-auto-merge.yml ⚙️ Configuration changes +33/-0

Auto-merge workflow for Dependabot PRs

• New GitHub Actions workflow triggered on pull request events
• Fetches Dependabot metadata to determine update type
• Automatically approves and enables auto-merge for non-major version updates
• Uses squash merge strategy with appropriate GitHub token permissions


@qodo-code-review

qodo-code-review Bot commented May 4, 2026


Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)

Action required

1. Privileged pull_request execution ✓ Resolved 🐞 Bug ⛨ Security
Description
This workflow runs on pull_request while granting contents: write/pull-requests: write, which
means the workflow definition is taken from the PR head branch and executes with a write-scoped
token. Because Dependabot is configured to open PRs for github-actions, a Dependabot PR that
modifies workflows can change this privileged automation and still run/approve/merge with write
permissions.
Code

.github/workflows/dependabot-auto-merge.yml[R3-8]

+on: pull_request
+
+permissions:
+  contents: write
+  pull-requests: write
+
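Review bot: the `on: pull_request` trigger at the top of this hunk is the wrong pairing with `contents: write` / `pull-requests: write` for a job that operates on the PR, because the workflow definition then comes from the PR head while the token is write-scoped. Since the job only calls `gh` against the PR URL and never checks out the head commit, switch the trigger to `pull_request_target` (definition taken from the base branch), keep an `if: github.actor == 'dependabot[bot]'` guard on the job so the write token is never handed to a run triggered by an arbitrary fork PR, and treat any future `actions/checkout` of the PR head in this workflow as a reason to revisit the trigger.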
Evidence
The workflow is triggered by pull_request and explicitly grants write permissions, then performs
privileged PR operations (approve/enable auto-merge). The repo’s Dependabot config includes the
github-actions ecosystem, meaning Dependabot PRs can touch workflow files under
.github/workflows, which makes “workflow definition from PR head” a concrete risk surface for this
automation.

.github/workflows/dependabot-auto-merge.yml[3-8]
.github/dependabot.yml[21-34]
Best Practice: GitHub Actions security hardening guidance

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The workflow runs on `pull_request` with write permissions, so the workflow file is taken from the PR head branch while using a write-scoped token.

### Issue Context
Dependabot is configured to update `github-actions`, which means Dependabot PRs can modify workflow files. For privileged operations (approving/merging PRs), the workflow should run from the base branch definition.

### Fix Focus Areas
- .github/workflows/dependabot-auto-merge.yml[3-8]

### Suggested change
- Switch the trigger to `pull_request_target`.
- Keep the job restricted to Dependabot PRs (keep/strengthen the `if:` guard).
- Do **not** check out PR code in this workflow (currently you don’t, which is good for `pull_request_target`).




Remediation recommended

2. Auto-merges workflow updates 🐞 Bug ⛨ Security
Description
The only merge gate is “not semver-major”, so Dependabot PRs updating GitHub Actions/workflows will
be auto-approved and auto-merge-enabled like any other dependency update. This removes manual review
from changes that can directly alter CI behavior and repository privileges.
Code

.github/workflows/dependabot-auto-merge.yml[R20-29]

+      - name: Approve PR
+        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Enable auto-merge
+        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
+        run: gh pr merge --auto --squash "$PR_URL"
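Review bot: the `!= 'version-update:semver-major'` condition on both the "Approve PR" and "Enable auto-merge" steps is a denylist, so an empty or unrecognised `update-type` (metadata the action could not classify) also passes and gets approved and queued for merge. Prefer an allowlist, e.g. `steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'`, and note that `gh pr merge --auto --squash` only waits for the status checks that branch protection on the base branch marks as required; with none configured, the merge happens as soon as the approval lands.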
Evidence
Dependabot is explicitly configured to open PRs for the github-actions ecosystem, and this
workflow auto-approves and enables auto-merge for all non-semver-major updates without excluding
workflow/action updates.

.github/dependabot.yml[21-34]
.github/workflows/dependabot-auto-merge.yml[20-29]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The automation auto-approves/auto-merges Dependabot PRs even when they update GitHub Actions/workflows, which are high-privilege repo changes.

### Issue Context
Dependabot is configured for the `github-actions` ecosystem.

### Fix Focus Areas
- .github/dependabot.yml[21-34]
- .github/workflows/dependabot-auto-merge.yml[20-29]

### Suggested change
Add an explicit guard to skip auto-approval/auto-merge when the Dependabot update is for `github-actions` (if available from `fetch-metadata` outputs), and/or when changed files include `.github/workflows/**`. For example:
- Query changed files via `gh pr view "$PR_URL" --json files -q '.files[].path'` and exit non-zero/skip if any match `.github/workflows/`.
- Alternatively, use metadata outputs (if present) to detect the ecosystem and skip when it is `github-actions`.



3. Unpinned GitHub Action 🐞 Bug ⛨ Security
Description
The workflow uses dependabot/fetch-metadata@v2, which is a mutable tag and can change what code
runs over time. Because this job runs with write-scoped GITHUB_TOKEN permissions, a
compromised/retargeted action version would execute with elevated repo access.
Code

.github/workflows/dependabot-auto-merge.yml[R14-18]

+      - name: Fetch Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
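Review bot: `uses: dependabot/fetch-metadata@v2` resolves a moving tag inside a job that holds a write-scoped `GITHUB_TOKEN`, so whatever that tag points to tomorrow runs with merge rights here. Pin the action to the full 40-character commit SHA of the release you validated and keep the human-readable tag in a trailing comment on the same line, which lets Dependabot's github-actions updates keep bumping the SHA while the workflow itself executes immutable code.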
Evidence
The workflow invokes an external action by tag (@v2) and also grants write permissions in the same
workflow, increasing the impact of any upstream action compromise or tag movement.

.github/workflows/dependabot-auto-merge.yml[5-7]
.github/workflows/dependabot-auto-merge.yml[14-18]
Best Practice: GitHub Actions security hardening guidance

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`dependabot/fetch-metadata` is referenced via a mutable tag (`@v2`).

### Issue Context
This workflow has write permissions, so the action runs with elevated access.

### Fix Focus Areas
- .github/workflows/dependabot-auto-merge.yml[14-18]

### Suggested change
Replace `dependabot/fetch-metadata@v2` with a full commit SHA (and optionally a comment noting the corresponding release tag), so the workflow executes immutable code. Dependabot can then be used to keep the SHA updated safely.




Comment thread .github/workflows/dependabot-auto-merge.yml Outdated

@PaulLaux PaulLaux left a comment

Contributor


Let's go with

name: Auto-merge Dependabot PRs
on: pull_request_target
permissions:
  contents: write
  pull-requests: write

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Enable auto-merge for patch and minor updates
        if: |
          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
          steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

However, for this to work properly, we need to force Status checks that are required on the main branch. If not properly set, this will merge everything without any testing.

Currently, the only check that is set is rust fmt, while we need all the CI checks to be performed. I don't see a way to add all the CI checks; the list is empty.
Please update the YAML and add the CI checks before re-review.

https://github.com/QED-it/zcash_tx_tool/settings/branch_protection_rules/46841401
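
A merge gate that combines the two controls discussed in this thread: the patch/minor allowlist from the proposed YAML above, and the Qodo suggestion to skip any PR whose changed files include `.github/workflows/**`. This is an added example for this page, not code from the PR or from the zcash_tx_tool repository. It assumes the update type and the changed-file list arrive as plain strings; in the workflow they would come from `steps.metadata.outputs.update-type` and from `gh pr view "$PR_URL" --json files -q '.files[].path'`. The extra check on `.github/dependabot.yml` is an assumption added here, not something the review asked for.

```shell
#!/bin/sh
# Added example (not from the PR or the project): a merge gate for the
# Dependabot auto-merge step. Inputs are assumed to be plain strings:
#   $1 = fetch-metadata update-type, e.g. "version-update:semver-patch"
#   $2 = newline-separated list of changed file paths in the PR

# Allowlist: only semver-patch and semver-minor are eligible. An empty or
# unknown update type is rejected, unlike a "!= semver-major" check, which
# would let unclassified metadata through.
update_type_allowed() {
    case "$1" in
        version-update:semver-patch|version-update:semver-minor) return 0 ;;
        *) return 1 ;;
    esac
}

# Reject any PR that touches workflow definitions or the Dependabot config
# (the dependabot.yml check is an assumption added here), since those
# change CI behaviour and repository privileges and deserve a human review.
touches_protected_path() {
    printf '%s\n' "$1" | grep -Eq '^\.github/(workflows/|dependabot\.ya?ml$)'
}

# Combined gate: prints the decision and returns 0 (merge) or 1 (skip).
# In a workflow `run:` step the non-zero exit fails the step, so a later
# `gh pr merge --auto --squash` step never runs for a rejected PR.
should_auto_merge() {
    update_type="$1"
    changed_files="$2"
    if ! update_type_allowed "$update_type"; then
        echo "skip: update type '$update_type' is not patch/minor"
        return 1
    fi
    if touches_protected_path "$changed_files"; then
        echo "skip: PR modifies workflow or Dependabot configuration"
        return 1
    fi
    echo "ok: eligible for auto-merge"
    return 0
}

# Constructed sample inputs for demonstration (not real PR data).
should_auto_merge "version-update:semver-patch" "Cargo.lock
Cargo.toml" || :
should_auto_merge "version-update:semver-minor" ".github/workflows/ci.yml" || :
should_auto_merge "" "Cargo.lock" || :
```

The functions do not rely on `set -e`, so they behave the same under the `bash -e` shell that Actions `run:` steps use; the required-status-check point raised above still applies, because `gh pr merge --auto` only waits for checks that branch protection marks as required.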

@seniakalma

Contributor Author

Updated the rules and code.
@PaulLaux Please review

@PaulLaux PaulLaux left a comment

Contributor


Let's try this. Please monitor whether that works as expected.

@ronkq ronkq merged commit 9158083 into main May 18, 2026
6 checks passed
@ronkq ronkq deleted the dependabot-automations branch May 18, 2026 20:58