feat: experimental AI-assisted Dependabot auto-merge agent #1229
Draft
hjgraca wants to merge 5 commits into
Conversation
Adds a label-triggered, one-shot agent that judges whether a Dependabot PR is low-risk (patch/minor, green CI, lockfile-only diff) within an explicit in-skill policy, then approves + enables GitHub auto-merge — otherwise holds it for a human. API-only; never runs PR code. Actions SHA-pinned to the versions already trusted in secure_workflows.yml. Tracking issue #1228. Requires repo vars AWS_ROLE_ARN/AWS_REGION and the auto-merge + Actions-approval repo settings before it can run.
Removes the run-time dependency on an external repo (degit). The github-pr-label-actions agent is now committed under .github/agents/dependabot-automerge/, and the workflow runs it from there with npm ci (deps pinned + integrity-checked via package-lock). No external source is fetched at run time. Verified: npm ci + tsc + flue build + npm test (5) green in the vendored location.
Addresses the SonarCloud finding (JavaScript package manager scripts should not be executed during installation). Verified the vendored agent still installs, type-checks, builds, tests (5), and runs end-to-end with --ignore-scripts.
Object.values() already returns a fresh array; [...Object.values(x)] clones it unnecessarily. Use Object.values(githubTools) directly.



Summary
Issue number: #1228
Changes
Adds an experimental, label-triggered workflow that runs an AI agent to
auto-merge low-risk Dependabot PRs. On a PR labelled
dependencies authored by dependabot[bot], the agent judges whether the change is low-risk within an explicit, in-skill policy — patch/minor only (never major/unknown), combined
CI green, manifest/lockfile-only diff — and if so approves it and enables GitHub
auto-merge (which still waits for all required checks). Otherwise it comments
why and holds the PR for a human.
The agent is the github-pr-label-actions reference architecture from agentic-sdlc. It works entirely through the GitHub API and never checks out or runs PR code. It is vendored in-tree under .github/agents/dependabot-automerge/, so no external source repo is fetched at run time (its npm deps install from a pinned, integrity-checked package-lock.json with --ignore-scripts).
Opened as a draft — see the open questions in #1228. Notably:
pull_request_target (gated to dependencies + dependabot[bot]), whereas this repo otherwise prefers the record_pr → workflow_run pattern. Happy to rework to that style if preferred.
account with an OIDC role scoped to Bedrock — provisioning that is a prerequisite the team would need to own before this runs beyond an experiment.
User experience
Before: Dependabot dependency PRs (e.g. GitHub-Actions SHA bumps, NuGet
patch/minor) are reviewed and merged manually by maintainers.
After: Clearly-low-risk Dependabot PRs are approved and set to auto-merge
automatically once required checks pass; anything outside the policy is held with
an explanatory comment, so maintainers only look at the ones that need judgement.
Prerequisites (repo settings/variables, not created by this PR):
AWS_ROLE_ARN (Bedrock-only OIDC role) and AWS_REGION
Checklist
Acknowledgment
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
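The description above states the policy in prose (trigger gate of the dependencies label plus the dependabot[bot] author, patch/minor bumps only with major and unknown held, combined CI green, manifest/lockfile-only diff) but the page carries none of the agent's code. The block below is an added example written for this page, not the vendored github-pr-label-actions agent and not code from this PR: the type names, the Dependabot title parsing, the manifest-path allowlist and the sample PRs are all assumptions made for illustration. It shows how such a deterministic policy check looks before any LLM judgement is layered on top, including the two edge cases the policy calls out (a grouped or unparseable title, and a non-forward "bump").

```typescript
// Added illustration of the in-skill policy described in the PR description:
// patch/minor only (major or unparseable bumps are held), combined CI green,
// manifest/lockfile-only diff, plus the trigger gate (label "dependencies" and
// author dependabot[bot]). NOT the vendored agent's code; every name, shape and
// pattern here is an assumption for the example, and the sample PRs at the
// bottom are constructed.

type BumpKind = "patch" | "minor" | "major" | "unknown";

interface PullRequestFacts {
  author: string;                                    // PR author login
  labels: string[];                                  // labels on the PR
  title: string;                                     // "Bump <pkg> from <old> to <new>"
  changedFiles: string[];                            // paths from the PR files endpoint
  combinedStatus: "success" | "pending" | "failure"; // combined status/check result
}

interface Decision {
  autoMerge: boolean; // true only when every policy rule passes
  reasons: string[];  // why the PR is held (empty when autoMerge is true)
}

// Classify the semver bump from a Dependabot title. Grouped updates, titles
// without two versions, same-version or downgrade "bumps" all come back as
// "unknown", which the policy treats like "major": hold for a human.
function classifyBump(title: string): BumpKind {
  const m = /\bfrom\s+v?(\d+)\.(\d+)\.(\d+)\S*\s+to\s+v?(\d+)\.(\d+)\.(\d+)/.exec(title);
  if (!m) return "unknown";
  const delta =
    Number(m[4]) - Number(m[1]) || Number(m[5]) - Number(m[2]) || Number(m[6]) - Number(m[3]);
  if (delta <= 0) return "unknown"; // not a forward bump
  if (Number(m[4]) !== Number(m[1])) return "major";
  if (Number(m[5]) !== Number(m[2])) return "minor";
  return "patch";
}

// Assumed allowlist of manifest/lockfile paths. A real policy tunes this per
// repo; workflow files are included because GitHub-Actions SHA bumps land there.
const MANIFEST_PATTERNS: RegExp[] = [
  /(^|\/)package(-lock)?\.json$/,
  /(^|\/)packages\.lock\.json$/,
  /\.csproj$/,
  /(^|\/)Directory\.Packages\.props$/,
  /^\.github\/workflows\/[^/]+\.ya?ml$/,
];

function nonManifestFiles(files: string[]): string[] {
  return files.filter((f) => !MANIFEST_PATTERNS.some((p) => p.test(f)));
}

// The whole policy: every rule must pass, and every failing rule is recorded so
// the "held for a human" comment can explain itself.
function decide(pr: PullRequestFacts): Decision {
  const reasons: string[] = [];
  if (pr.author !== "dependabot[bot]") reasons.push(`author ${pr.author} is not dependabot[bot]`);
  if (!pr.labels.includes("dependencies")) reasons.push('missing "dependencies" label');
  const bump = classifyBump(pr.title);
  if (bump === "major" || bump === "unknown") reasons.push(`bump kind "${bump}" is not patch/minor`);
  if (pr.combinedStatus !== "success") reasons.push(`combined CI status is ${pr.combinedStatus}`);
  if (pr.changedFiles.length === 0) reasons.push("PR changes no files");
  const extra = nonManifestFiles(pr.changedFiles);
  if (extra.length > 0) reasons.push(`diff touches non-manifest files: ${extra.join(", ")}`);
  return { autoMerge: reasons.length === 0, reasons };
}

// Constructed sample PRs (not real ones).
const lowRiskPr: PullRequestFacts = {
  author: "dependabot[bot]",
  labels: ["dependencies", "github_actions"],
  title: "Bump actions/checkout from 4.1.1 to 4.2.0",
  changedFiles: [".github/workflows/ci.yml"],
  combinedStatus: "success",
};
const majorBumpPr: PullRequestFacts = {
  ...lowRiskPr,
  title: "Bump Some.Package from 2.9.1 to 3.0.0",
  changedFiles: ["src/App/App.csproj"],
};

console.log(decide(lowRiskPr));   // autoMerge: true, reasons: []
console.log(decide(majorBumpPr)); // autoMerge: false, reasons: ['bump kind "major" is not patch/minor']
```

The point of keeping this check deterministic and separate from the model is that the agent's "approve + enable auto-merge" step can only fire when decide() returns autoMerge: true; the LLM is then at most asked to summarise, never to override a failed rule. Treating "unknown" like "major" is deliberate: a grouped Dependabot PR or a title the parser cannot read is exactly the case where a human should look.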