refactor: Improve Dependabot PR grouping workflow by switching from cherry-pick to merge strategy, enhancing conflict resolution and sorting by PR number

Harsh-Microsoft · Harsh-Microsoft · commit 252ad5b435b6 · 2025-07-17T17:23:58.000+05:30
diff --git a/.github/workflows/group-dependabot-security-updates.yml b/.github/workflows/group-dependabot-security-updates.yml
@@ -1,15 +1,17 @@
 # Workflow: Group Dependabot PRs
 # Description:
 # This GitHub Actions workflow automatically groups open Dependabot PRs by ecosystem (pip, npm).
-# It cherry-picks individual PR changes into grouped branches, resolves merge conflicts automatically, and opens consolidated PRs.
+# It merges individual PR changes into grouped branches in chronological order (sorted by PR number), resolves merge conflicts automatically, and opens consolidated PRs.
 # It also closes the original Dependabot PRs and carries over their labels and metadata.
 # Improvements:
-# - Handles multiple conflicting files during cherry-pick
+# - Uses merge strategy instead of cherry-pick for better conflict resolution
+# - Sorts PRs by number at fetch time for consistent chronological processing
+# - Handles multiple conflicting files during merge
 # - Deduplicates entries in PR description
 # - Avoids closing original PRs unless grouped PR creation succeeds
 # - More efficient retry logic
 # - Ecosystem grouping is now configurable via native YAML map
-# - Uses safe namespaced branch naming (e.g. actions/grouped-...) to avoid developer conflict
+# - Uses safe namespaced branch naming (e.g. security/grouped-...) to avoid developer conflict
 # - Ensures PR body formatting uses real newlines for better readability
 # - Adds strict error handling for script robustness
 # - Accounts for tool dependencies (jq, gh) and race conditions
@@ -74,14 +76,14 @@ jobs:
         run: |
           set -euo pipefail
 
-      - name: Fetch open Dependabot PRs targeting main
+      - name: Fetch open Dependabot PRs targeting main (sorted by PR number)
         id: fetch_prs
         run: |
           gh pr list \
             --search "author:dependabot[bot] base:$TARGET_BRANCH is:open" \
             --limit 100 \
             --json number,title,headRefName,labels,files,url \
-            --jq '[.[] | {number, title, url, ref: .headRefName, labels: [.labels[].name], files: [.files[].path]}]' > prs.json
+            --jq '[.[] | {number, title, url, ref: .headRefName, labels: [.labels[].name], files: [.files[].path]}] | sort_by(.number)' > prs.json
           cat prs.json
 
       - name: Validate prs.json
@@ -107,14 +109,16 @@ jobs:
         run: |
           echo "Running in dry-run mode. No changes will be pushed or PRs created/closed."
 
-      - name: Group PRs by ecosystem and cherry-pick with retry
+      - name: Group PRs by ecosystem and merge in sorted order
         run: |
           declare -A GROUP_CONFIG=(
             [pip]="${GROUP_CONFIG_PIP:-backend}"
             [npm]="${GROUP_CONFIG_NPM:-frontend}"
             [yarn]="${GROUP_CONFIG_YARN:-frontend}"
           )
           mkdir -p grouped
+          
+          # Group PRs by ecosystem (data is already sorted by PR number)
           jq -c '.[]' prs.json | while read pr; do
             ref=$(echo "$pr" | jq -r '.ref')
             number=$(echo "$pr" | jq -r '.number')
@@ -136,93 +140,132 @@ jobs:
             exit 0
           fi
 
+          # Pre-load PR metadata for efficient lookup
           declare -A pr_metadata_map
           while IFS=$'\t' read -r number title url labels; do
             pr_metadata_map["$number"]="$title|$url|$labels"
           done < <(jq -r '.[] | "\(.number)\t\(.title)\t\(.url)\t\(.labels | join(","))"' prs.json)
 
+          # Process each group
           for file in "${grouped_files[@]}"; do
             group_name=$(basename "$file" .txt)
             safe_group_name=$(echo "$group_name" | tr -c '[:alnum:]_-' '-')
             branch_name="security/grouped-${safe_group_name}-updates"
+            
+            echo "Processing group: $group_name (branch: $branch_name)"
+            
+            # Create or checkout the grouped branch
             git checkout -B "$branch_name"
 
-            git fetch origin "$branch_name" || true
-            git merge origin/"$branch_name" --no-edit || true
+            # Try to merge existing grouped branch if it exists on remote
+            git fetch origin "$branch_name" 2>/dev/null || true
+            if git rev-parse "origin/$branch_name" >/dev/null 2>&1; then
+              echo "Merging existing remote branch origin/$branch_name"
+              git merge origin/"$branch_name" --no-edit || true
+            fi
 
+            # Merge PRs in sorted order (file is already sorted by PR number from jq)
+            merge_success=true
             while read -r number ref group; do
+              echo "Merging PR #$number ($ref) into $branch_name"
               git fetch origin "$ref"
-              if ! git cherry-pick FETCH_HEAD; then
-                echo "Conflict found in $ref. Attempting to resolve."
+              
+              if ! git merge FETCH_HEAD --no-edit -m "Merge PR #$number: $(echo "${pr_metadata_map["$number"]}" | cut -d'|' -f1)"; then
+                echo "Conflict found when merging PR #$number ($ref). Attempting to resolve."
                 conflict_files=($(git diff --name-only --diff-filter=U))
+                
                 if [ ${#conflict_files[@]} -gt 0 ]; then
                   echo "Resolving conflicts in files: ${conflict_files[*]}"
                   for conflict_file in "${conflict_files[@]}"; do
-                    echo "Resolving conflict in $conflict_file"
+                    echo "Resolving conflict in $conflict_file using theirs strategy"
                     git checkout --theirs "$conflict_file"
                     git add "$conflict_file"
                   done
-                  git cherry-pick --continue || {
-                    echo "Failed to continue cherry-pick. Aborting."
-                    git cherry-pick --abort
-                    continue 2
-                  }
+                  
+                  if git commit --no-edit -m "Merge PR #$number: $(echo "${pr_metadata_map["$number"]}" | cut -d'|' -f1) (with conflict resolution)"; then
+                    echo "Successfully resolved conflicts and committed merge for PR #$number"
+                  else
+                    echo "Failed to commit merge resolution for PR #$number. Aborting merge."
+                    git merge --abort
+                    merge_success=false
+                    continue
+                  fi
                 else
-                  echo "No conflicting files found. Aborting."
-                  git cherry-pick --abort
-                  continue 2
+                  echo "No conflicting files found. Aborting merge for PR #$number."
+                  git merge --abort
+                  merge_success=false
+                  continue
                 fi
+              else
+                echo "Successfully merged PR #$number without conflicts"
               fi
             done < "$file"
 
+            if [ "$merge_success" = false ]; then
+              echo "Some merges failed for group $group_name. Skipping push and PR creation."
+              continue
+            fi
+
+            # Push the grouped branch
             if [ "$DRY_RUN" == "true" ]; then
               echo "[DRY-RUN] Skipping git push for $branch_name"
             else
               git push --force origin "$branch_name"
             fi
 
+            # Build PR description with all included PRs (in sorted order)
             new_lines=""
             while read -r number ref group; do
               IFS="|" read -r title url _ <<< "${pr_metadata_map["$number"]}"
-              new_lines+="$title - [#$number]($url)\n"
+              new_lines+="- $title - [#$number]($url)\n"
             done < "$file"
 
-            pr_title="chore(deps): bump grouped $group_name Dependabot updates"
+            pr_title="chore(deps): bump grouped $group_name dependencies"
             existing_url=$(gh pr list --head "$branch_name" --base "$TARGET_BRANCH" --state open --json url --jq '.[0].url // empty')
 
+            # Create or update the grouped PR
             if [ -n "$existing_url" ]; then
               echo "PR already exists: $existing_url"
               pr_url="$existing_url"
               current_body=$(gh pr view "$pr_url" --json body --jq .body)
+              
+              # Deduplicate entries in PR description
               IFS=$'\n' read -d '' -r -a current_lines < <(printf '%s\0' "$current_body")
               IFS=$'\n' read -d '' -r -a new_lines_arr < <(printf '%b\0' "$new_lines")
               declare -A seen
               for line in "${current_lines[@]}"; do
                 seen["$line"]=1
               done
+              
               filtered_lines=""
               for line in "${new_lines_arr[@]}"; do
                 if [[ -n "$line" && -z "${seen["$line"]}" ]]; then
                   filtered_lines+="$line\n"
                 fi
               done
+              
               if [ -n "$filtered_lines" ]; then
                 new_body="$current_body"$'\n'$filtered_lines
               else
                 new_body="$current_body"
               fi
+              
               if [ "$DRY_RUN" == "true" ]; then
                 echo "[DRY-RUN] Would update PR body for $pr_url"
+                echo "New content would be:"
+                echo "$new_body"
               else
                 tmpfile=$(mktemp)
                 printf '%s' "$new_body" > "$tmpfile"
                 gh pr edit "$pr_url" --body-file "$tmpfile"
                 rm -f "$tmpfile"
+                echo "Updated existing PR: $pr_url"
               fi
             else
-              pr_body=$(printf "This PR groups multiple open PRs by Dependabot for %s.\n\n%b" "$group_name" "$new_lines")
+              pr_body=$(printf "This PR groups multiple open Dependabot PRs for the %s ecosystem.\n\n**Included PRs:**\n%b" "$group_name" "$new_lines")
               if [ "$DRY_RUN" == "true" ]; then
                 echo "[DRY-RUN] Would create PR titled: $pr_title"
+                echo "PR body would be:"
                 echo "$pr_body"
                 pr_url=""
               else
@@ -231,28 +274,41 @@ jobs:
                   --body "$pr_body" \
                   --base "$TARGET_BRANCH" \
                   --head "$branch_name")
+                echo "Created new grouped PR: $pr_url"
               fi
             fi
 
+            # Add labels and close original PRs only if grouped PR was created/updated successfully
             if [ -n "$pr_url" ]; then
-              for number in $(cut -d ' ' -f1 "$file"); do
+              while read -r number ref group; do
                 IFS="|" read -r _ _ labels <<< "${pr_metadata_map["$number"]}"
-                IFS="," read -ra label_arr <<< "$labels"
-                for label in "${label_arr[@]}"; do
-                  if [ "$DRY_RUN" == "true" ]; then
-                    echo "[DRY-RUN] Would add label $label to $pr_url"
-                  else
-                    gh pr edit "$pr_url" --add-label "$label"
-                  fi
-                done
+                
+                # Add labels from original PRs to grouped PR
+                if [ -n "$labels" ]; then
+                  IFS="," read -ra label_arr <<< "$labels"
+                  for label in "${label_arr[@]}"; do
+                    if [ -n "$label" ]; then
+                      if [ "$DRY_RUN" == "true" ]; then
+                        echo "[DRY-RUN] Would add label '$label' to $pr_url"
+                      else
+                        gh pr edit "$pr_url" --add-label "$label" 2>/dev/null || echo "Failed to add label '$label'"
+                      fi
+                    fi
+                  done
+                fi
+                
+                # Close original PR
                 if [ "$DRY_RUN" == "true" ]; then
                   echo "[DRY-RUN] Would close PR #$number"
                 else
-                  gh pr close "$number" --comment "Grouped into $pr_url."
+                  gh pr close "$number" --comment "Grouped into $pr_url for easier review and testing." || echo "Failed to close PR #$number"
                 fi
-              done
-              echo "Grouped PR created. Leaving branch $branch_name for now."
+              done < "$file"
+              
+              echo "✅ Successfully processed group '$group_name' with branch '$branch_name'"
             else
-              echo "Grouped PR was not created. Skipping closing of original PRs."
+              echo "❌ Grouped PR was not created for group '$group_name'. Skipping closing of original PRs."
             fi
           done
+          
+          echo "🎉 Workflow completed successfully!"
