diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
new file mode 100644
index 0000000..a0886db
--- /dev/null
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,37 @@
+name: Dependabot Auto-Merge
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Wait for CI to complete
+        uses: lewagon/wait-on-check-action@v1.3.4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          check-name: 'build-and-test'
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          wait-interval: 10
+
+      - name: Enable auto-merge for Dependabot PRs
+        if: |
+          (steps.metadata.outputs.update-type == 'version-update:semver-minor' ||
+          steps.metadata.outputs.update-type == 'version-update:semver-patch')
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 11da82d..d57ca43 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
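Review bot: Both external actions under `steps` are pinned to mutable tags (`dependabot/fetch-metadata@v2`, `lewagon/wait-on-check-action@v1.3.4`) in a job that holds `contents: write` and `pull-requests: write` and ends by merging code, so a retargeted tag would run unreviewed code with merge rights; pin each `uses:` to a full-length commit SHA with the version in a trailing comment, e.g. `uses: lewagon/wait-on-check-action@<full-commit-sha>  # v1.3.4`. The merge step's `if:` only inspects `update-type`, which is derived from the version delta alone, so a security update with a patch-level bump also matches it; if the CONTRIBUTING text in this same commit ("not security vulnerabilities") states the intended policy, the condition also needs `steps.metadata.outputs.alert-state` checked. `check-name: 'build-and-test'` must match a check produced by a workflow outside this diff, and if no such check ever appears the wait step presumably never succeeds, which deserves a comment on that line naming the workflow it depends on. The `${{ }}` values are quoted inconsistently (`github-token` is, `ref`, `repo-token`, `PR_URL` and `GITHUB_TOKEN` are not); quote all of them.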
@@ -130,6 +130,22 @@ FunctionalStateMachine/ 4. **Add CHANGELOG entry** under `[Unreleased]` 5. **Submit pull request** with bug description +## Dependency Management + +### Dependabot Auto-Merge + +This repository uses Dependabot to keep dependencies up to date. To reduce maintenance burden, Dependabot PRs for **minor** and **patch** updates are automatically merged when all tests pass. + +**How it works:** +- Dependabot creates PRs for NuGet and GitHub Actions updates weekly +- Minor (0.x.0) and patch (0.0.x) updates are auto-merged after CI passes +- Major version updates (x.0.0) require manual review due to potential breaking changes + +**Security:** +- Auto-merge only applies to version updates, not security vulnerabilities +- All updates run the full CI test suite before merging +- Failed tests block auto-merge + ## Release Process Releases are managed by maintainers following semantic versioning: