
ROSA-745: per-repo dependency automation config#93

Open

MitaliBhalla wants to merge 1 commit into openshift:main from MitaliBhalla:rosa-745-dependency-config

Conversation

MitaliBhalla commented Jun 11, 2026

Summary

ROSA-745 — per-repo dependency automation for backplane-tools (not on boilerplate).

Follows the backplane-cli pilot: Dependabot gomod (grouped) + GHA auto-merge for patch/minor/digest after required prow checks pass.

Draft — merge after openshift/release#80263 is live and branch-protector has cycled (~6h).

Depends on

Test plan

  • Dependabot opens grouped gomod PR after merge
  • Patch/minor/digest auto-merge when required prow is green
  • Major updates stay manual

Summary by CodeRabbit

  • Chores
    • Added automated weekly Go module dependency update checks, with consistent PR labeling and grouped update rules for common ecosystems.
    • Introduced an auto-merge workflow that safely enables auto-merge for lower-risk update types and otherwise falls back to manual review with clear PR messaging.
    • For major version updates, the workflow now posts guidance to require manual review and indicates auto-merge is not enabled.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 11, 2026
openshift-ci-robot commented Jun 11, 2026

@MitaliBhalla: This pull request references ROSA-745 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the initiative to target the "5.0.0" version, but no target version was set.


In response to this:

Summary

ROSA-745 phase 2 — per-repo dependency automation (not on boilerplate).

Draft — for team review before merge. Depends on DPP branch protection (openshift/release#80263) for required checks.

Test plan

  • Confirm Dependabot/MintMaker opens PRs after merge
  • Patch/minor updates merge when required prow/Konflux checks pass
  • Major updates stay manual

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 11, 2026
openshift-ci Bot (Contributor) commented Jun 11, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

coderabbitai Bot commented Jun 11, 2026

Note: Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Adds Dependabot Go module update settings and a Dependabot-only workflow that enables squash auto-merge for safe updates, comments on major updates, and logs the decision.

Changes

Dependabot Update Automation

  • Dependabot config (.github/dependabot.yml): Dependabot checks gomod updates weekly in /, applies area/dependency and ok-to-test labels, limits open PRs to 10, and groups AWS SDK, Kubernetes, and OpenShift updates.
  • Workflow gate and metadata (.github/workflows/dependabot-auto-merge.yml): the workflow runs on Dependabot PR events with write permissions, is limited to Dependabot PRs from the same repository, and fetches update metadata for later conditions.
  • Safe update auto-merge (same workflow): safe patch and minor updates fetch the PR node ID, attempt squash auto-merge through GitHub APIs, and post failure comments when that path does not succeed.
  • Major update comment and logging (same workflow): major updates get a manual-review comment, and the workflow always logs the final decision summary for safe, major, and unknown update types.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Pre-merge checks: 15 passed (check name, status, explanation)
Title check ✅ Passed The title accurately summarizes the new per-repo dependency automation configuration.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR only adds .github YAML; no test files or Ginkgo titles were introduced, so there are no unstable test names to flag.
Test Structure And Quality ✅ Passed No Go test files or Ginkgo specs are added or modified in this PR, so the test-structure checklist is not applicable.
Microshift Test Compatibility ✅ Passed Diff only adds Dependabot config and a workflow; no new Ginkgo e2e tests or MicroShift-sensitive APIs/features were introduced.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the PR only changes config/workflow and non-test code.
Topology-Aware Scheduling Compatibility ✅ Passed The PR only adds Dependabot config and a GitHub Actions workflow; no deployment manifests, controllers, or scheduling constraints were introduced.
Ote Binary Stdout Contract ✅ Passed PASS: The PR only adds Dependabot/workflow config; no OTE/Ginkgo TestMain/BeforeSuite setup or stdout-to-stdout contract issue is introduced.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Only .github/dependabot.yml and a workflow changed; no Ginkgo e2e tests or network-assumption test code was added.
No-Weak-Crypto ✅ Passed The added Dependabot files contain no weak ciphers/hashes or custom crypto, and no secret/token comparisons; the only SHA is an action pin.
Container-Privileges ✅ Passed PR only changes .github Dependabot/workflow YAMLs; no container/K8s manifests or privileged settings (privileged, hostPID/Network/IPC, SYS_ADMIN, allowPrivilegeEscalation) found.
No-Sensitive-Data-In-Logs ✅ Passed The new workflow logs only update types, dependency names, PR number, and status messages; no passwords, tokens, PII, or internal data are echoed.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

Comment @coderabbitai help to get the list of available commands.
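As an added illustration of the Dependabot configuration the walkthrough describes (this is not the PR's own file), here is a .github/dependabot.yml with the weekly gomod schedule, the two labels, the open-PR limit, and the three groups. The group patterns, the sigs.k8s.io entry and the comments are assumptions; the real file may differ.

```yaml
# Added example, not the PR's own .github/dependabot.yml.
version: 2
updates:
  - package-ecosystem: gomod
    directory: /
    schedule:
      interval: weekly
    # Cap concurrent Dependabot PRs so a large batch of updates does not
    # flood the required prow checks.
    open-pull-requests-limit: 10
    labels:
      - area/dependency
      # prow only runs tests on PRs it trusts; the ok-to-test label marks
      # Dependabot PRs as trusted so the required checks can go green.
      - ok-to-test
    # Grouping collapses many single-module bumps into one PR per family,
    # which is what the auto-merge workflow then evaluates as a unit.
    groups:
      aws-sdk:
        patterns:
          - "github.com/aws/aws-sdk-go*"   # assumed pattern
      kubernetes:
        patterns:
          - "k8s.io/*"                     # assumed pattern
          - "sigs.k8s.io/*"                # assumed pattern
      openshift:
        patterns:
          - "github.com/openshift/*"       # assumed pattern
```

A group whose patterns match nothing in go.mod is harmless but misleading, which is the point the later review raised for the osdctl repository: keep only the groups that the module's dependency set can actually reach.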

openshift-ci Bot (Contributor) commented Jun 11, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MitaliBhalla
Once this PR has been reviewed and has the lgtm label, please assign dustman9000 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

MitaliBhalla force-pushed the rosa-745-dependency-config branch 3 times, most recently from dea10db to 778ed0b on June 29, 2026 05:41

coderabbitai Bot left a comment

Actionable comments posted: 6

🧹 Nitpick comments (1)
.github/workflows/dependabot-auto-merge.yml (1)

44-47: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Move metadata outputs through env vars before shell use.

Direct ${{ ... }} expansion inside run scripts and JSON payloads is brittle and can become shell/JSON injection if the metadata shape expands later.

Also applies to: 89-89, 106-106, 111-118


Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 108-124: The final auto-merge decision log in the “Log Auto-Merge
Decision” step should reflect the actual enable result, not just the update type
and label checks. Update the logic around the decision path that follows the
GraphQL mutation so it logs ENABLED only when the auto-merge action truly
succeeded; if the mutation fails and the workflow falls back to manual review,
the log should show DISABLED or manual-review instead. Use the existing step
outputs and result state in the workflow to base the message on the real
outcome.
- Around line 92-106: The “Comment on Major Version Updates” step can post the
same major-update message multiple times because the workflow runs on several PR
events, including rebases. Update the logic in the major-update comment step to
detect whether the PR already has this specific comment before calling the
GitHub comments API, and skip posting if it exists. Use the existing “Comment on
Major Version Updates” step and the `${{ github.event.pull_request.number
}}`/`steps.metadata.outputs.*` context to keep the check scoped to the current
PR.
- Around line 75-77: The success check in the GraphQL auto-merge step only looks
at the HTTP status, so it can falsely report success when GitHub returns HTTP
200 with a GraphQL errors array. Update the response handling in the dependabot
auto-merge workflow step to inspect the parsed GraphQL payload after the
request, and only print the success message when there are no errors and the
expected data indicates auto-merge was enabled. Use the existing
response-handling block around the GraphQL request and the cat
/tmp/response.json output to verify and surface any GraphQL errors instead of
treating 200 as success.
- Around line 19-24: The Dependabot auto-merge job includes an unnecessary
Checkout code step and uses a mutable action tag for Fetch Dependabot Metadata.
Remove the actions/checkout usage from this job entirely, and update the
dependabot/fetch-metadata reference in the workflow to a full commit SHA so the
action is pinned. Keep the change localized to the dependabot-auto-merge
workflow and preserve the existing metadata step behavior.
- Around line 7-11: The dependabot auto-merge workflow is requesting extra
GITHUB_TOKEN scopes that it does not use. Update the permissions block in the
dependabot-auto-merge workflow to keep only the scopes needed for the merge
flow, and remove the unused checks and actions permissions from the workflow’s
permission configuration.
- Around line 16-17: The Dependabot-only workflow gate is using the trigger
actor instead of the pull request author, so update the condition in the
dependabot auto-merge workflow to check the PR author via
github.event.pull_request.user.login. Also add a fork guard using
github.event.pull_request.head.repo.full_name == github.repository so only PRs
originating from the same repository are allowed; adjust the existing if
expression on the workflow job/step that currently references github.actor and
github.repository.

---

Nitpick comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 44-47: The workflow is using direct metadata interpolation inside
shell and JSON payloads, which is brittle and may become injection-prone as the
metadata expands. Update the affected steps in the dependabot-auto-merge
workflow so the metadata from the metadata step is first mapped into env vars,
then referenced from those env vars in the shell script and JSON construction.
Apply this consistently where the current `${{ steps.metadata.outputs... }}`
values are used, including the auto-merge logging and payload-building sections.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 40ece3d7-f6b6-44dd-8f07-3085b9506e78

📥 Commits

Reviewing files that changed from the base of the PR and between 0bd5afc and 778ed0b.

📒 Files selected for processing (2)
  • .github/dependabot.yml
  • .github/workflows/dependabot-auto-merge.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/dependabot.yml

MitaliBhalla force-pushed the rosa-745-dependency-config branch from 778ed0b to 982290a on June 29, 2026 05:51

coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 70-84: The PR comment posting in the dependabot auto-merge
workflow ignores whether the GitHub API actually succeeded. Update both
comment-posting blocks around the jq/curl pipeline to capture the HTTP status
from the curl request, and use that status to warn or fail when it is not 201.
Keep the fix localized to the comment creation step so the workflow only reports
success when the POST really created the issue comment.
- Around line 25-27: The auto-merge workflow condition in dependabot-auto-merge
should only handle the update types that dependabot/fetch-metadata actually
emits. Remove the unreachable semver-digest branch from the update-type check
and also delete the matching semver-digest case arm in the workflow logic so the
condition and branching stay aligned with the supported semver-major/minor/patch
values.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b5412777-b28f-427c-99a5-df827547167b

📥 Commits

Reviewing files that changed from the base of the PR and between 778ed0b and 982290a.

📒 Files selected for processing (2)
  • .github/dependabot.yml
  • .github/workflows/dependabot-auto-merge.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/dependabot.yml

MitaliBhalla force-pushed the rosa-745-dependency-config branch from 982290a to c83bd8a on June 29, 2026 06:44
MitaliBhalla (Author) commented:

Addressed CodeRabbit review in latest push:

  • Workflow: use github.event.pull_request.user.login + fork guard; drop unused token scopes; remove checkout; pin dependabot/fetch-metadata to SHA; validate GraphQL response; major-comment only on opened; metadata via env vars; log reflects actual automerge result
  • osdctl only: removed unreachable aws-sdk/kubernetes groups — allow list intentionally limits updates to the two OpenShift deps

Thanks @coderabbitai

MitaliBhalla (Author) commented:

Correction: the allow-list/groups note applies to osdctl only — this PR only includes the shared workflow hardening.

coderabbitai Bot commented Jun 29, 2026

@MitaliBhalla Thanks for the thorough update — those workflow hardening changes and the dependabot grouping cleanup sound good to me.

Appreciate you addressing the review comments.

✏️ Learnings added
Learnt from: MitaliBhalla
URL: https://github.com/openshift/backplane-tools/pull/93

Timestamp: 2026-06-29T06:45:09.749Z
Learning: In `openshift/backplane-tools`, the `.github/dependabot.yml` configuration is intentionally scoped for the osdctl-only repository context: the `allow` list limits gomod updates to two OpenShift dependencies, so broader groups like `aws-sdk` and `kubernetes` are unreachable and should not be configured.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

MitaliBhalla force-pushed the rosa-745-dependency-config branch from c83bd8a to 27a73f2 on June 29, 2026 07:02

coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/dependabot-auto-merge.yml (1)

12-13: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Bound this automation job with a timeout.

The workflow performs only metadata/API operations; without timeout-minutes, a stuck action or curl call can hold the job until the platform default timeout.

Suggested change
   auto-merge:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     if: |
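Review bot: timeout-minutes: 10 at the job level is the right placement (a sibling of runs-on), but it only caps total job runtime; since the comment above names a stuck curl call as the risk, the API steps should also pass curl --max-time so a single hung request fails in seconds instead of consuming the full 10 minutes before the job is killed. The `if: |` block is cut off in this snippet, so the job gate itself cannot be checked here.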

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c3ad7b1f-8308-470e-9ae6-d0928dd48327

📥 Commits

Reviewing files that changed from the base of the PR and between c83bd8a and 27a73f2.

📒 Files selected for processing (2)
  • .github/dependabot.yml
  • .github/workflows/dependabot-auto-merge.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/dependabot.yml
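To show what the review findings and the author's follow-up push amount to in one place, here is an added example of a hardened dependabot-auto-merge workflow. It is not the PR's file: the exact mutation, the curl/jq handling, the step ids and the comment wording are assumptions, and the action ref is a placeholder to be replaced with a real pinned commit SHA. It covers the author-based gate with a fork guard, least-privilege token scopes, no checkout, metadata passed through env vars, GraphQL error checking rather than trusting HTTP 200, a comment that is only posted on opened, an HTTP 201 check on the comment, a logged result that reflects the real outcome, and a job timeout.

```yaml
# Added example, not the PR's own .github/workflows/dependabot-auto-merge.yml.
name: Dependabot auto-merge

on:
  pull_request:
    types: [opened, synchronize, reopened]

# Least privilege: the job only enables auto-merge and comments, so it needs
# nothing beyond contents and pull-requests (no checks or actions scopes).
permissions:
  contents: write
  pull-requests: write

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    # Gate on the PR author, not github.actor (a maintainer rebasing the PR
    # changes the actor), and only accept heads from this repository (fork guard).
    if: |
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.event.pull_request.head.repo.full_name == github.repository
    steps:
      # No actions/checkout: every step below talks to the GitHub API only.
      - name: Fetch Dependabot metadata
        id: metadata
        # Placeholder ref: pin to the full commit SHA of the release you vetted.
        uses: dependabot/fetch-metadata@<full-commit-sha>
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Enable squash auto-merge for patch and minor updates
        id: enable
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
        env:
          # Metadata reaches the shell through env vars, never via ${{ }} inside run:.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NODE_ID: ${{ github.event.pull_request.node_id }}
        run: |
          payload=$(jq -n --arg id "$PR_NODE_ID" '{
            query: "mutation($id: ID!) { enablePullRequestAutoMerge(input: {pullRequestId: $id, mergeMethod: SQUASH}) { pullRequest { autoMergeRequest { enabledAt } } } }",
            variables: {id: $id}
          }')
          status=$(curl -sS --max-time 30 -o /tmp/response.json -w '%{http_code}' \
            -H "Authorization: Bearer $GH_TOKEN" -H "Content-Type: application/json" \
            -X POST https://api.github.com/graphql -d "$payload")
          # A 200 is not success on its own: GraphQL reports failures in an
          # errors array, so require no errors and a populated enabledAt.
          if [ "$status" = "200" ] && jq -e '((.errors // []) | length) == 0
                and (.data.enablePullRequestAutoMerge.pullRequest.autoMergeRequest.enabledAt != null)' \
                /tmp/response.json >/dev/null; then
            echo "result=enabled" >> "$GITHUB_OUTPUT"
          else
            echo "result=failed" >> "$GITHUB_OUTPUT"
            echo "::warning::auto-merge not enabled (HTTP $status): $(jq -c '.errors // .' /tmp/response.json)"
          fi

      - name: Comment on major version updates
        # Only on 'opened', so rebases and re-runs do not repost the same comment.
        if: github.event.action == 'opened' && steps.metadata.outputs.update-type == 'version-update:semver-major'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          DEPS: ${{ steps.metadata.outputs.dependency-names }}
        run: |
          body=$(jq -n --arg d "$DEPS" '{body: "Major version update of \($d): auto-merge is not enabled, manual review required."}')
          status=$(curl -sS --max-time 30 -o /dev/null -w '%{http_code}' \
            -H "Authorization: Bearer $GH_TOKEN" -H "Content-Type: application/json" \
            -X POST "https://api.github.com/repos/$GITHUB_REPOSITORY/issues/$PR_NUMBER/comments" -d "$body")
          # Fail loudly if the comment was not created (201 Created).
          [ "$status" = "201" ] || { echo "::error::comment not created (HTTP $status)"; exit 1; }

      - name: Log auto-merge decision
        if: always()
        env:
          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
          RESULT: ${{ steps.enable.outputs.result }}
        run: |
          # Report the real outcome of the enable step, not just the update type.
          case "$UPDATE_TYPE" in
            version-update:semver-patch|version-update:semver-minor)
              echo "update-type=$UPDATE_TYPE auto-merge=${RESULT:-not-attempted}" ;;
            version-update:semver-major)
              echo "update-type=$UPDATE_TYPE auto-merge=disabled (manual review)" ;;
            *)
              echo "update-type=${UPDATE_TYPE:-unknown} auto-merge=disabled" ;;
          esac
```

Two design points worth noting. Auto-merge enabled through the API still waits for the branch-protection required checks (the prow jobs and the openshift/release branch-protector change the PR depends on), so the workflow never bypasses review gates; it only removes the manual click for patch and minor bumps. And because the dependency names and update type are passed in as environment variables, the run script never interpolates untrusted metadata into shell or JSON text, which is the injection concern the first review raised.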

@MitaliBhalla MitaliBhalla marked this pull request as ready for review June 29, 2026 11:04
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 29, 2026
@openshift-ci openshift-ci Bot requested review from boranx and clcollins June 29, 2026 11:04
openshift-ci Bot (Contributor) commented Jun 29, 2026

@MitaliBhalla: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

codecov-commenter commented:

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.00%. Comparing base (289db43) to head (27a73f2).

Additional details and impacted files
@@          Coverage Diff          @@
##            main     #93   +/-   ##
=====================================
  Coverage   0.00%   0.00%           
=====================================
  Files         34      34           
  Lines       1594    1594           
=====================================
  Misses      1594    1594           

☔ View full report in Codecov by Harness.
