ppkarwasz opened a new issue, #417:
URL: https://github.com/apache/logging-parent/issues/417
With the introduction of the **Review-to-Commit** process, the current
`merge-dependabot-reusable` GitHub Actions workflow needs to be revised. The
RTC policy introduces new constraints that directly impact how Dependabot PRs
can be processed and merged.

## Problems

1. **Review requirement:**
   The workflow can no longer merge PRs directly, as the RTC policy mandates
   at least one code review before merging.
2. **Triggering required checks:**
   Any commits made by the workflow (e.g., adding changelog files) must
   trigger all required status checks. This behavior is only guaranteed if the
   workflow uses a **Personal Access Token (PAT)** with appropriate permissions,
   instead of the default `GITHUB_TOKEN`.
3. **Support for maintainers:**
   To ease the additional manual steps introduced by RTC, the updated
   workflow should:
   * Handle PRs that update **multiple dependencies at once** (e.g., bundler
     mode).
   * Enable **GitHub's auto-merge** feature after making its changes, so the
     PR merges automatically once it receives a review and passes checks.

## Proposed solution

* Create a new reusable workflow (e.g., `process-dependabot-reusable`) that
addresses these constraints.
* Ensure it uses a PAT to push changelog updates and re-run checks.
* Add logic to support multi-dependency updates and enable auto-merge.
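
A sketch of the kind of workflow the issue asks for, added here as an example; it is not the project's `process-dependabot-reusable` workflow and not code from the issue author. The secret name `DEPENDABOT_PAT`, the `changelog/` path, the one-line entry format and the committer identity are assumptions. Runs triggered by Dependabot read the repository's Dependabot secrets rather than its Actions secrets, so the PAT is assumed to be stored there, scoped to this repository only.

```yaml
# Added example. Assumed names: DEPENDABOT_PAT, changelog/, committer identity.
name: process-dependabot

on:
  pull_request:
    types: [opened, synchronize]

# The default GITHUB_TOKEN gets no permissions; every write goes through the PAT.
permissions: {}

jobs:
  process:
    # Require both the PR author and the triggering actor to be Dependabot.
    # The push made below is triggered by the PAT owner, so it is skipped here
    # and the workflow does not loop on its own commit.
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          # A push authenticated with the PAT triggers the required checks;
          # a push made with GITHUB_TOKEN does not start new workflow runs.
          token: ${{ secrets.DEPENDABOT_PAT }}

      - name: Add changelog entry
        env:
          # PR metadata is passed through the environment, never interpolated
          # into the script text, so a crafted title cannot inject shell code.
          PR_NUMBER: ${{ github.event.pull_request.number }}
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          file="changelog/dependabot-${PR_NUMBER}.txt"   # assumed layout
          mkdir -p changelog
          printf '%s\n' "$PR_TITLE" > "$file"
          git config user.name "changelog-bot"            # assumed identity
          git config user.email "changelog-bot@example.invalid"
          git add "$file"
          # Commit and push only when the entry actually changed.
          git diff --cached --quiet || { git commit -m "Add changelog entry for #${PR_NUMBER}"; git push; }

      - name: Enable auto-merge
        env:
          GH_TOKEN: ${{ secrets.DEPENDABOT_PAT }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        # The PR merges only after the required review and status checks pass.
        run: gh pr merge --auto --squash "$PR_URL"
```

Auto-merge has to be allowed in the repository settings for the last step to succeed, and branch protection remains what enforces the review. The single changelog line taken from the PR title covers a grouped update only as far as the title describes it.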