Summary
The merge-bot still skips semver-major Dependabot bumps (holding them for human review) via the version-update:semver-major guard on the merge step. Per a maintainer decision, Dependabot should auto-merge every tier including semver-major — the required CI checks are the gate, not the version magnitude.
Current (drifted) behavior
.github/workflows/merge-bot-pull-request.yml merge-dependabot job carries:
# Skip semver-major NuGet bumps so they land via human review; ...
if: ... (steps.metadata.outputs.update-type != 'version-update:semver-major')
Desired behavior (already implemented in Utilities and LanguageTags)
Every tier auto-merges, semver-major included: the required checks are the gate, not the version bump.
Requested change
- Remove the
version-update:semver-major condition from the Dependabot merge step.
- Remove the now-unused
Get dependabot metadata step (it exists only to feed that guard) if nothing else consumes it.
- Update the repo's workflow contract docs (WORKFLOW.md D8.2 / diagram / trace, AGENTS.md invariant) accordingly.
Reference implementation: ptr727/homeassistant-purpleair (merge-bot + WORKFLOW.md/AGENTS.md updated to the every-tier policy). Root cause is template drift — see the companion issue in ptr727/ProjectTemplate.
Please also verify no already-open major Dependabot PRs are stuck (auto-merge only fires on opened/reopened, so existing ones may need a reopen after the fix lands).
Summary
The merge-bot still skips semver-major Dependabot bumps (holding them for human review) via the
version-update:semver-majorguard on the merge step. Per a maintainer decision, Dependabot should auto-merge every tier including semver-major — the required CI checks are the gate, not the version magnitude.Current (drifted) behavior
.github/workflows/merge-bot-pull-request.ymlmerge-dependabot job carries:Desired behavior (already implemented in
UtilitiesandLanguageTags)Requested change
version-update:semver-majorcondition from the Dependabot merge step.Get dependabot metadata step(it exists only to feed that guard) if nothing else consumes it.Reference implementation:
ptr727/homeassistant-purpleair(merge-bot + WORKFLOW.md/AGENTS.md updated to the every-tier policy). Root cause is template drift — see the companion issue inptr727/ProjectTemplate.Please also verify no already-open major Dependabot PRs are stuck (auto-merge only fires on opened/reopened, so existing ones may need a reopen after the fix lands).