Conversation
beets
commented
Mar 17, 2026
beets
commented
- add permission to automerge (content: write) -- without this, automerged and approved pr's were still blocked from merging
- add a 7 day cooldown period to reduce supply chain attack and regression risks. this added a bunch of complexity, by having to wait for the pr's to sit for a week before the workflow goes through
|
Note Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported. |
| for PR_URL in $PRS; do | ||
| echo "Processing $PR_URL..." | ||
|
|
||
| # Record current commit SHA | ||
| OLD_SHA=$(gh pr view "$PR_URL" --json commits -q '.commits[-1].oid') | ||
|
|
||
| # Trigger a rebase to ensure the PR is up to date | ||
| gh pr comment "$PR_URL" --body "@dependabot rebase" | ||
|
|
||
| echo "Waiting up to 5 minutes for rebase to complete..." | ||
| REBASED=false | ||
| for i in {1..20}; do | ||
| sleep 15 | ||
| NEW_SHA=$(gh pr view "$PR_URL" --json commits -q '.commits[-1].oid') | ||
| if [ "$NEW_SHA" != "$OLD_SHA" ]; then | ||
| echo "Rebase completed. New SHA: $NEW_SHA" | ||
| REBASED=true | ||
| break | ||
| fi | ||
| done | ||
|
|
||
| # If the SHA changed, the rebase force-push will automatically trigger | ||
| # the pull_request_target event, which handles posting /gcbrun. | ||
| # We only post /gcbrun here if no rebase occurred (e.g., already up to date). | ||
| if [ "$REBASED" = "false" ]; then | ||
| gh pr comment "$PR_URL" --body "/gcbrun" | ||
| fi | ||
|
|
||
| # Approve the PR (ignore if already approved) | ||
| gh pr review --approve "$PR_URL" || true | ||
|
|
||
| # Enable auto-merge for the PR | ||
| gh pr merge --auto --squash "$PR_URL" || true | ||
| done No newline at end of file |
There was a problem hiding this comment.
I'm worried this approach may not work well when there are many PRs to merge. Given how long our CI checks take, we'll end up in a race condition between PRs, and waste time rerunning checks for subsequent PRs.
Here's a summary I got from Gemini:
Because the script processes PRs sequentially in a for loop, you hit a massive synchronization problem:
The "Out-of-Date Cascade":
The script looks at PR 1, triggers a rebase, waits for the commit SHA to change, approves it, and enables auto-merge.
Immediately after, it moves to PR 2, triggers a rebase (against the current master), approves, and enables auto-merge.
Now, both PR 1 and PR 2 are running tests (presumably via /gcbrun).
When PR 1 finishes testing and merges, master is updated.
Instantly, PR 2 is now out-of-date. If your repository requires branches to be up-to-date before merging, GitHub will cancel PR 2's auto-merge, or Dependabot will trigger another rebase, which cancels the currently running /gcbrun tests and starts everything over. Multiply this by 5 or 10 PRs, and you have a thrashing CI pipeline that wastes hours of runner time.
The 5-Minute Bottleneck:
The script waits up to 5 minutes (20 * 15 seconds) for each PR to rebase. If you have 10 old Dependabot PRs, this single GitHub Action could hang around for 50 minutes just polling for commit SHAs.
Double-Triggering Tests:
If Dependabot takes 5 minutes and 1 second to finish a rebase, your loop times out, assumes no rebase happened, and posts /gcbrun. A second later, the rebase finishes, triggering your pull_request_target job, which posts a second /gcbrun.
There was a problem hiding this comment.
thanks for the feedback on this. mitigated this by checking for only one dependabot pr with automerge allowed at any one time, and updating the frequency to check this every 15 minutes instead.
juliawu
left a comment
juliawu
left a comment
There was a problem hiding this comment.
Approving to get the write permissions and 7 day wait in.
| run: | | ||
| # Fetch open dependabot PRs | ||
| # Filter for PRs created at least 7 days ago | ||
| PRS=$(gh pr list \ |
There was a problem hiding this comment.
gh pr list seems to have a default limit of 30 PRs. we currently have over 100. You can add the --limit param to get more
There was a problem hiding this comment.
updated this to only process one PR at a time to reduce the freshness contention. but also applied this fix so we are able to get to the valid PRs.
| gh pr review --approve "$PR_URL" || true | ||
|
|
||
| # Enable auto-merge for the PR | ||
| gh pr merge --auto --squash "$PR_URL" || true |
There was a problem hiding this comment.
Have you been able to test this?
Im wondering if you'd run into issues with the presubmit checks?
There was a problem hiding this comment.
yeah, it's been running and gotten through the whole workflow including auto-merge. the missing piece was the content:write permission for the workflow
beets
left a comment
beets
left a comment
There was a problem hiding this comment.
thanks for the detailed review! tried addressing your comments and will let this try over the weekend when it's quieter. i'll keep an eye on it and rollback if i run into issues
| gh pr review --approve "$PR_URL" || true | ||
|
|
||
| # Enable auto-merge for the PR | ||
| gh pr merge --auto --squash "$PR_URL" || true |
There was a problem hiding this comment.
yeah, it's been running and gotten through the whole workflow including auto-merge. the missing piece was the content:write permission for the workflow
| for PR_URL in $PRS; do | ||
| echo "Processing $PR_URL..." | ||
|
|
||
| # Record current commit SHA | ||
| OLD_SHA=$(gh pr view "$PR_URL" --json commits -q '.commits[-1].oid') | ||
|
|
||
| # Trigger a rebase to ensure the PR is up to date | ||
| gh pr comment "$PR_URL" --body "@dependabot rebase" | ||
|
|
||
| echo "Waiting up to 5 minutes for rebase to complete..." | ||
| REBASED=false | ||
| for i in {1..20}; do | ||
| sleep 15 | ||
| NEW_SHA=$(gh pr view "$PR_URL" --json commits -q '.commits[-1].oid') | ||
| if [ "$NEW_SHA" != "$OLD_SHA" ]; then | ||
| echo "Rebase completed. New SHA: $NEW_SHA" | ||
| REBASED=true | ||
| break | ||
| fi | ||
| done | ||
|
|
||
| # If the SHA changed, the rebase force-push will automatically trigger | ||
| # the pull_request_target event, which handles posting /gcbrun. | ||
| # We only post /gcbrun here if no rebase occurred (e.g., already up to date). | ||
| if [ "$REBASED" = "false" ]; then | ||
| gh pr comment "$PR_URL" --body "/gcbrun" | ||
| fi | ||
|
|
||
| # Approve the PR (ignore if already approved) | ||
| gh pr review --approve "$PR_URL" || true | ||
|
|
||
| # Enable auto-merge for the PR | ||
| gh pr merge --auto --squash "$PR_URL" || true | ||
| done No newline at end of file |
There was a problem hiding this comment.
thanks for the feedback on this. mitigated this by checking for only one dependabot pr with automerge allowed at any one time, and updating the frequency to check this every 15 minutes instead.
| run: | | ||
| # Fetch open dependabot PRs | ||
| # Filter for PRs created at least 7 days ago | ||
| PRS=$(gh pr list \ |
There was a problem hiding this comment.
updated this to only process one PR at a time to reduce the freshness contention. but also applied this fix so we are able to get to the valid PRs.
3 participants
