Auto-merge every Dependabot tier, drop semver-major skip (#799)#800
Merged
Conversation
The merge-bot held semver-major NuGet bumps for human review via a version-update:semver-major guard fed by dependabot/fetch-metadata. Per the every-tier policy already in Utilities and LanguageTags, the required CI checks are the gate, not the version magnitude. - Remove the metadata step and the semver-major guard from the merge step so every in-repo Dependabot PR auto-merges on open once checks pass. - Update the workflow contract to match: WORKFLOW.md self-sufficiency prose, merge-bot diagram, automation prose, D8.2, D8/D9 summary, S12 trace row, and the AGENTS.md Dependabot invariant. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Aligns the repository’s Dependabot auto-merge policy and its documented workflow contract: semver-major bumps are no longer held for human review, and auto-merge is gated solely by the required CI checks.
Changes:
- Removes the Dependabot metadata fetch step and the semver-major NuGet guard from the merge-bot workflow, allowing auto-merge for all Dependabot PR tiers.
- Updates WORKFLOW.md’s automation prose, mermaid diagram, behavioral contract (D8.2), and trace scenario (S12) to match the new policy.
- Updates AGENTS.md to reflect the “every tier auto-merges” invariant.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
.github/workflows/merge-bot-pull-request.yml |
Drops metadata-based semver-major gating so all Dependabot PRs can enable auto-merge on open/reopen. |
WORKFLOW.md |
Updates the workflow contract documentation (prose/diagram/contract/trace) to state that CI required checks are the sole gate. |
AGENTS.md |
Updates the Dependabot policy invariant to remove the semver-major exception. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #799.
Summary
The merge-bot held semver-major NuGet bumps for human review via a
version-update:semver-majorguard fed bydependabot/fetch-metadata. Per the every-tier policy already implemented inUtilitiesandLanguageTags, the required CI checks are the gate, not the version magnitude.Changes
.github/workflows/merge-bot-pull-request.yml— remove theGet dependabot metadata stepand theversion-update:semver-majorguard on the merge step. Every in-repo Dependabot PR now auto-merges on open once the required checks pass (--autostill blocks a breaking bump until checks go green). Now matches theUtilitiesreference.WORKFLOW.md— self-sufficiency prose, merge-bot mermaid diagram (dropped thesemver-major NuGet?gate node), automation prose, D8.2, D8/D9 summary, and the S12 trace row.AGENTS.md— Dependabot auto-merge invariant..github/copilot-instructions.md— no change; it never carried the merge policy.Note
Auto-merge only fires on
opened/reopened, so any already-open major Dependabot PRs need a reopen to pick this up.🤖 Generated with Claude Code