demisto · BEAdi · Nov 25, 2025 · Nov 25, 2025 · Nov 25, 2025 · Nov 25, 2025
diff --git a/.github/workflows/dependabot_auto_merge.yml b/.github/workflows/dependabot_auto_merge.yml
@@ -5,6 +5,9 @@ permissions:
   pull-requests: write
   contents: write
 
+env:
+  MAJOR_VERSION_THRESHOLD: 20  # Configurable threshold for major version percentage increase
+
 jobs:
   dependabot:
     runs-on: ubuntu-latest
@@ -15,12 +18,82 @@ jobs:
         uses: dependabot/[email protected]
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Check for breaking changes
+        id: check_breaking
+        env:
+          PR_BODY: ${{ github.event.pull_request.body }}
+        run: |
+          if echo "$PR_BODY" | grep -qi "breaking changes"; then
+            echo "has_breaking_changes=true" >> $GITHUB_OUTPUT
+            echo "Found 'Breaking Changes' in PR description - skipping automerge"
+          else
+            echo "has_breaking_changes=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Evaluate major version bump
+        id: evaluate_major
+        if: steps.metadata.outputs.update-type == 'version-update:semver-major'
+        env:
+          PREV_VERSION: ${{ steps.metadata.outputs.previous-version }}
+          NEW_VERSION: ${{ steps.metadata.outputs.new-version }}
+          THRESHOLD: ${{ env.MAJOR_VERSION_THRESHOLD }}
+        run: |
+          # Extract major version numbers
+          prev_major=$(echo "$PREV_VERSION" | cut -d. -f1)
+          new_major=$(echo "$NEW_VERSION" | cut -d. -f1)
+
+          echo "Previous major version: $prev_major"
+          echo "New major version: $new_major"
+
+          # Calculate percentage increase
+          if [ "$prev_major" -eq 0 ]; then
+            # Avoid division by zero - treat 0.x.x -> 1.x.x as 100% increase
+            percentage=100
+          else
+            percentage=$(awk "BEGIN {printf \"%.2f\", (($new_major - $prev_major) / $prev_major) * 100}")
+          fi
+
+          echo "Percentage increase: $percentage%"
+          echo "Threshold: $THRESHOLD%"
+
+          # Compare percentage with threshold
+          should_merge=$(awk "BEGIN {print ($percentage < $THRESHOLD) ? \"true\" : \"false\"}")
+
+          echo "should_merge_major=$should_merge" >> $GITHUB_OUTPUT
+          echo "percentage_increase=$percentage" >> $GITHUB_OUTPUT
+
+          if [ "$should_merge" = "true" ]; then
+            echo "Major version increase ($percentage%) is below threshold ($THRESHOLD%) - will automerge"
+          else
+            echo "Major version increase ($percentage%) exceeds threshold ($THRESHOLD%) - skipping automerge"
+          fi
+
       - name: Approve and auto-merge for Dependabot PRs
-        if: ${{contains(steps.metadata.outputs.dependency-names, 'demisto/*') || steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'}}
+        if: |
+          steps.check_breaking.outputs.has_breaking_changes != 'true' && (
+            contains(steps.metadata.outputs.dependency-names, 'demisto/*') ||
+            steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
+            steps.metadata.outputs.update-type == 'version-update:semver-minor' ||
+            (steps.metadata.outputs.update-type == 'version-update:semver-major' && steps.evaluate_major.outputs.should_merge_major == 'true')
+          )
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
         run: |
-          echo "Aprovving and merging"
+          echo "Approving and merging"
           gh pr review --approve "$PR_URL"
           gh pr merge --auto --squash "$PR_URL"
+
+      - name: Skip automerge
+        if: |
+          steps.check_breaking.outputs.has_breaking_changes == 'true' ||
+          (steps.metadata.outputs.update-type == 'version-update:semver-major' && steps.evaluate_major.outputs.should_merge_major != 'true')
+        run: |
+          echo "Skipping automerge due to:"
+          if [ "${{ steps.check_breaking.outputs.has_breaking_changes }}" = "true" ]; then
+            echo "  - Breaking changes detected in PR description"
+          fi
+          if [ "${{ steps.metadata.outputs.update-type }}" = "version-update:semver-major" ] && [ "${{ steps.evaluate_major.outputs.should_merge_major }}" != "true" ]; then
+            echo "  - Major version increase (${{ steps.evaluate_major.outputs.percentage_increase }}%) exceeds threshold (${{ env.MAJOR_VERSION_THRESHOLD }}%)"
+          fi
diff --git a/README.md b/README.md
@@ -90,6 +90,7 @@ The script `docker/build_docker.sh` is used to build all modified Docker images.
 If you want to test how the script detects commit changes: Make sure you are working on a branch and the changes are committed. If you haven't committed the changes and want to run a local build you can run the script with a image name (which corresponds to a directory name) to the run the build on. For example:
 
 ```bash
+DOCKER_LOGIN_DONE=yes
 ./docker/build_docker.sh ldap
 ```
 

diff --git a/utils/auto_dockerfile_update/update_dockerfiles.py b/utils/auto_dockerfile_update/update_dockerfiles.py
@@ -36,11 +36,11 @@ def is_docker_file_outdated(
     if current_tag_version < latest_tag_version:
         return True
     elif current_tag == latest_tag and not no_timestamp_updates:
-        if last_updated and dateutil.parser.parse(last_updated) > dateutil.parser.parse(
-            dockerfile.get("last_modified")
-        ):
+        if last_updated:
+            tag_last_updated_dt = dateutil.parser.parse(last_updated).replace(tzinfo=timezone.utc)
+            dockerfile_last_modified_dt = dateutil.parser.parse(dockerfile.get("last_modified")).replace(tzinfo=timezone.utc)
             # if the latest tag update date is newer than the dockerfile
-            return True
+            return dockerfile_last_modified_dt < tag_last_updated_dt
 
     return False
 
@@ -371,9 +371,8 @@ def cleanup_outdated_autoupdate_branches(git_repo: Repo, base_image: str, latest
                 if branch_version < latest_version:
                     print(f"  Deleting outdated branch: {branch_name} (targets {branch_target_version} < {latest_tag_name})")
 
-                    # Delete remote branch - remove the "autoupdate/" prefix for the delete command
-                    delete_branch_name = branch_name.replace("autoupdate/", "")
-                    git_repo.git.push("origin", "--delete", delete_branch_name)
+                    # Delete remote branch - use the full branch name as it appears remotely
+                    git_repo.git.push("origin", "--delete", branch_name)
                     print(f"  ✓ Deleted remote branch: {branch_name}")
 
                 elif branch_target_version == latest_tag_name:
-Original file line number
+Diff line change
@@ Expand Up @@
     If you want to test how the script detects commit changes: Make sure you are working on a branch and the changes are committed. If you haven't committed the changes and want to run a local build you can run the script with a image name (which corresponds to a directory name) to the run the build on. For example:
     ```bash
+    DOCKER_LOGIN_DONE=yes
     ./docker/build_docker.sh ldap
     ```
@@ Expand Down @@