From 972bcb919e3bf58257d1ced4570413f5ab823c6c Mon Sep 17 00:00:00 2001 From: "Timothy P. Ellsworth Bowers" Date: Thu, 1 Jan 2026 11:36:23 -0700 Subject: [PATCH] Set dependabot to point to / act on `admin` branch modified: .github/dependabot.yml new file: .github/workflows/admin-orchestrator.yml --- .github/dependabot.yml | 4 +- .github/workflows/admin-orchestrator.yml | 101 +++++++++++++++++++++++ 2 files changed, 104 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/admin-orchestrator.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 6caa65e..29b9fdf 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,7 +6,8 @@ version: 2 updates: - package-ecosystem: "github-actions" # See documentation for possible values - directory: ".github/workflows" # Location of package manifests + directory: "/" + target-branch: "admin" schedule: interval: "monthly" groups: @@ -17,6 +18,7 @@ updates: # Maintain dependencies for pip - package-ecosystem: "pip" directory: "/" # Location of package manifests + target-branch: "admin" registries: "*" labels: - "pip dependencies" diff --git a/.github/workflows/admin-orchestrator.yml b/.github/workflows/admin-orchestrator.yml new file mode 100644 index 0000000..51995cb --- /dev/null +++ b/.github/workflows/admin-orchestrator.yml 
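Review bot: In `.github/dependabot.yml`, the `target-branch: "admin"` added to both update entries redirects version updates only. Per GitHub's Dependabot documentation, once `target-branch` is set the entry's settings no longer apply to security updates, which are still raised against the default branch. Security-update PRs will therefore not pass through the `admin` flow, nor pick up the labels and groups configured here, so they need their own review path. If that is intended, I would record it above each entry, e.g. `# version updates only; security updates still target the default branch`.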
@@ -0,0 +1,101 @@
+name: Admin branch orchestration
+
+on:
+ create:
+
+ push:
+ branches:
+ - "main"
+ - "develop"
+
+ schedule:
+ - cron: "0 3 * * 1" # Weekly, Monday 03:00 UTC
+
+ workflow_dispatch:
+
+ pull_request:
+ branches:
+ - admin
+ pull_request_review:
+ types:
+ - submitted
+ check_suite:
+ types:
+ - completed
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ admin-orchestrator:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ # ------------------------------------------------------------
+ # Use fixed base branch: develop
+ # ------------------------------------------------------------
+ - name: Set base branch
+ id: default
+ run: |
+ echo "branch=develop" >> "$GITHUB_OUTPUT"
+
+ # ------------------------------------------------------------
+ # Ensure admin branch exists
+ # ------------------------------------------------------------
+ - name: Ensure admin branch exists
+ run: |
+ if git show-ref --verify --quiet refs/remotes/origin/admin; then
+ echo "admin branch already exists"
+ else
+ git checkout "${{ steps.default.outputs.branch }}"
+ git checkout -b admin
+ git push origin admin
+ fi
+
+ # ------------------------------------------------------------
+ # Periodically rebase admin onto develop (true rebase)
+ # ------------------------------------------------------------
+ - name: Rebase admin onto default
+ if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
+ run: |
+ set -e
+ git config user.name "github-actions[bot]"
+ git config user.email "github-actions[bot]@users.noreply.github.com"
+
+ git fetch origin
+ git checkout admin
+
+ # Rebase admin commits on top of develop
+ git rebase origin/${{ steps.default.outputs.branch }}
+
+ # Push updated admin branch
+ git push --force-with-lease origin admin
+
+ # ------------------------------------------------------------
+ # Guardrail: warn if non-Dependabot PR targets admin
+ # (no hard failure without branch protection)
+ # ------------------------------------------------------------
+ - name: Warn on non-Dependabot PRs
+ if: github.event_name == 'pull_request'
+ run: |
+ if [[ "${{ github.actor }}" != "dependabot[bot]" ]]; then
+ echo "::warning::PR to admin opened by non-Dependabot actor"
+ fi
+
+ # ------------------------------------------------------------
+ # Auto-merge Dependabot PRs
+ # ------------------------------------------------------------
+ - name: Auto-merge Dependabot PR
+ if: |
+ github.event_name == 'pull_request' &&
+ github.event.pull_request.user.login == 'dependabot[bot]'
+ uses: peter-evans/enable-pull-request-automerge@v3
+ with:
+ pull-request-number: ${{ github.event.pull_request.number }}
+ merge-method: squash
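Review bot: The workflow-level `permissions:` block gives `contents: write` and `pull-requests: write` to the one job on every trigger, including `pull_request`, `pull_request_review` and `check_suite`, although only the rebase push and the auto-merge step need to write. That token is then available to `peter-evans/enable-pull-request-automerge@v3`, a third-party action referenced by a movable tag. I would default the token to read-only, split branch maintenance and auto-merge into two jobs with job-level permissions, and pin the action to a full commit SHA, as sketched below. The auto-merge step accepts any Dependabot PR regardless of update type, and the guardrail comment says `admin` has no branch protection, so it is worth confirming which required checks, if any, actually gate the squash merge. The warning step compares `github.actor` while the auto-merge step compares `github.event.pull_request.user.login`; using the PR author in both, passed through `env:` instead of being interpolated into the script, keeps the two checks consistent.

```yaml
# Default every job to a read-only token; grant writes per job.
permissions:
  contents: read

jobs:
  admin-sync:
    # Branch creation and rebase do not need to run for PR events.
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      # … unchanged: checkout, set base branch, ensure admin exists, rebase …

  dependabot-automerge:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      # … unchanged: warn on non-Dependabot PRs …
      - name: Auto-merge Dependabot PR
        if: github.event.pull_request.user.login == 'dependabot[bot]'
        # Pin to a reviewed commit; a tag can be moved by the action's owner.
        uses: peter-evans/enable-pull-request-automerge@<FULL_COMMIT_SHA>  # v3
        # … unchanged: with: pull-request-number, merge-method …
```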