ROSA-745: per-repo dependency automation config #917

Open
MitaliBhalla wants to merge 1 commit into openshift:master from MitaliBhalla:rosa-745-dependency-config

Conversation

MitaliBhalla (Contributor) commented Jun 11, 2026

Summary

ROSA-745 — align osdctl Dependabot with the backplane-cli pilot path.

Keeps the existing allow-list (osd-network-verifier, backplane-cli); adds area/dependency, weekly schedule, gomod groups, and GHA auto-merge for safe updates.

Draft — merge after openshift/release#80263 is live (~6h branch-protector cycle).

Depends on

Test plan

  • Dependabot still only bumps allow-listed deps
  • Patch/minor auto-merge when prow is green
  • Major updates stay manual

Summary by CodeRabbit

  • New Features
    • Dependabot pull requests now attempt automatic merge for safe (patch/minor) updates, with clear feedback if auto-merge can’t be enabled.
    • Major updates now post guidance that auto-merge is disabled and manual review is required.
  • Chores
    • Updated Dependabot scheduling for Go module updates to run weekly, increased the open PR limit, and added a dependency-focused label for easier tracking.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 11, 2026
openshift-ci-robot commented Jun 11, 2026

@MitaliBhalla: This pull request references ROSA-745 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the initiative to target the "5.0.0" version, but no target version was set.

In response to this:

Summary

ROSA-745 phase 2 — per-repo dependency automation (not on boilerplate).

Draft — for team review before merge. Depends on DPP branch protection (openshift/release#80263) for required checks.

Test plan

  • Confirm Dependabot/MintMaker opens PRs after merge
  • Patch/minor updates merge when required prow/Konflux checks pass
  • Major updates stay manual

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 11, 2026
coderabbitai Bot commented Jun 11, 2026

Walkthrough

Dependabot settings for Go modules were updated, and a new workflow was added to auto-merge eligible Dependabot pull requests, comment on major updates, and log the final decision.

Changes

Dependabot automation

  • Schedule and trigger (.github/dependabot.yml, .github/workflows/dependabot-auto-merge.yml): The Go module Dependabot entry now runs weekly with an added label and open PR limit, and the workflow is triggered for selected pull request events with Dependabot-only execution and write permissions.
  • Safe update auto-merge (.github/workflows/dependabot-auto-merge.yml): The workflow fetches Dependabot metadata, enables squash auto-merge for semver patch and minor updates, records the outcome, and comments when auto-merge cannot be enabled.
  • Major update comment and logging (.github/workflows/dependabot-auto-merge.yml): The workflow comments on semver-major updates when opened and always logs the final auto-merge decision.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks: 15 passed

  • Title check (Passed): The title is concise and accurately reflects the PR's per-repo dependency automation changes.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names (Passed): PR only changes .github/dependabot.yml and a GitHub Actions workflow; neither contains Ginkgo test titles or test code.
  • Test Structure And Quality (Passed): PR only changes .github config/workflow files; no Ginkgo tests or test code were modified.
  • Microshift Test Compatibility (Passed): Only Dependabot YAML and a GitHub Actions workflow changed; no Ginkgo e2e tests or MicroShift-sensitive APIs were added.
  • Single Node Openshift (SNO) Test Compatibility (Passed): No new Ginkgo tests with cluster/topology assumptions were added; changed tests are unit-style and no SNO-specific skips were needed.
  • Topology-Aware Scheduling Compatibility (Passed): PR only changes Dependabot config and a GitHub Actions workflow; no deployment manifests, controllers, or scheduling constraints were added.
  • OTE Binary Stdout Contract (Passed): PR only changes .github Dependabot/workflow config; no OTE binary process code or suite setup/hooks with stdout writes were modified.
  • IPv6 And Disconnected Network Test Compatibility (Passed): Only .github Dependabot config/workflow files changed; no new Ginkgo e2e tests or network-sensitive test code was added.
  • No-Weak-Crypto (Passed): The PR only adds Dependabot config/workflow logic; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret-comparison code appears in the changed files.
  • Container-Privileges (Passed): The PR only changes Dependabot/workflow YAML; no container/K8s manifests or privileged settings (privileged, hostPID/Network/IPC, SYS_ADMIN, allowPrivilegeEscalation) are present.
  • No-Sensitive-Data-In-Logs (Passed): Workflow logs only Dependabot metadata and GitHub API responses/comments; no code path echoes passwords, tokens, PII, hostnames, or customer data.
  • Description Check (Passed): Check skipped because CodeRabbit's high-level summary is enabled.

openshift-ci Bot (Contributor) commented Jun 11, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

coderabbitai Bot left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/dependabot.yml:
- Around line 8-24: The dependabot config's allow list currently limits updates
to only the two OpenShift packages, making the "aws-sdk" and "kubernetes" groups
unreachable; fix by either removing the top-level allow block (so groups
aws-sdk, kubernetes, openshift are evaluated), or if you want to keep allow,
remove the unused "aws-sdk" and "kubernetes" group entries, or expand the allow
list to include the specific AWS and Kubernetes dependencies you want Dependabot
to update (update the "allow" entries or adjust "groups" patterns accordingly).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 65a235ff-960e-4fe1-b170-47c04dfde7bf

📥 Commits

Reviewing files that changed from the base of the PR and between 0f7bc39 and e675d6a.

📒 Files selected for processing (1)
  • .github/dependabot.yml

Inline comment on .github/dependabot.yml, lines +8 to +24 (outdated):
allow:
- dependency-name: "github.com/openshift/osd-network-verifier"
- dependency-name: "github.com/openshift/backplane-cli"
schedule:
interval: 'daily'
interval: 'weekly'
open-pull-requests-limit: 10
groups:
aws-sdk:
patterns:
- "github.com/aws/aws-sdk-go-v2*"
kubernetes:
patterns:
- "k8s.io/*"
- "sigs.k8s.io/*"
openshift:
patterns:
- "github.com/openshift/*"
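Review bot: with `allow` restricted to the two OpenShift modules, the `aws-sdk` and `kubernetes` groups at lines +15 to +21 can never hold a dependency, and only the `openshift` group can ever populate a PR, so the raised `open-pull-requests-limit: 10` has nothing to limit. Either drop the two unused groups or widen `allow` deliberately; anything added to `allow` also becomes eligible for the unattended patch/minor auto-merge this PR introduces, so the allow list is effectively the trust boundary of that workflow and should be treated as such.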


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

The allow list conflicts with the groups configuration—aws-sdk and kubernetes groups are unreachable.

Dependabot's allow field restricts updates to only the listed dependencies. Currently, only two OpenShift packages are allowed:

  • github.com/openshift/osd-network-verifier
  • github.com/openshift/backplane-cli

This means:

  • The aws-sdk group (line 15-17) will never trigger updates because no AWS SDK dependencies are in the allow list.
  • The kubernetes group (line 18-21) will never trigger updates because no k8s.io or sigs.k8s.io dependencies are in the allow list.
  • Only the openshift group could match the two allowed dependencies.

Action required: Either:

  1. Remove the allow block entirely to enable updates for all dependencies (recommended if you want AWS SDK and Kubernetes updates), OR
  2. Remove the unused aws-sdk and kubernetes groups if they're not needed, OR
  3. Expand the allow list to include specific AWS and Kubernetes dependencies that should be updated.
♻️ Option 1: Remove allow block to enable all dependency updates
     labels:
       - "area/dependency"
       - "ok-to-test"
-    allow:
-      - dependency-name: "github.com/openshift/osd-network-verifier"
-      - dependency-name: "github.com/openshift/backplane-cli"
     schedule:
       interval: 'weekly'
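Review bot: removing the allow block does more than unblock the two groups: every Go module becomes eligible for Dependabot version updates, and with the auto-merge workflow in this PR every patch/minor bump of every module would merge unattended once prow is green. That contradicts the PR's own test plan ("Dependabot still only bumps allow-listed deps"); if the narrow allow list is intentional, Option 2 is the one to apply.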
♻️ Option 2: Remove unused groups
     open-pull-requests-limit: 10
     groups:
-      aws-sdk:
-        patterns:
-          - "github.com/aws/aws-sdk-go-v2*"
-      kubernetes:
-        patterns:
-          - "k8s.io/*"
-          - "sigs.k8s.io/*"
       openshift:
         patterns:
           - "github.com/openshift/*"
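Review bot: this option is the one consistent with the stated test plan, and after it the remaining `openshift` group pattern `github.com/openshift/*` still matches both allowed modules, so they keep being bundled into a single grouped PR; nothing else about the update scope changes.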
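As an added check that is not part of this PR or of Dependabot itself, the script below models the allow-then-group evaluation the review describes and reports groups that can never produce a PR. The config dict and module list are constructed to mirror the PR's dependabot.yml, and the matching (first group whose `*` pattern matches an allowed name) is a simplification of Dependabot's real rules: exclude-patterns, dependency-type and update-types are ignored.

```python
"""Lint a Dependabot `groups` block against its `allow` list.

Added example, not part of the osdctl PR. A module only gets a version-update
PR if it matches an `allow` entry, and a group only ever holds modules that
made it through `allow`, so a group whose patterns match no allowed module is
dead configuration.
"""
from fnmatch import fnmatchcase

# Constructed to mirror the PR's .github/dependabot.yml gomod entry
# (both `allow` names and group `patterns` use `*` wildcards).
CONFIG = {
    "allow": [
        {"dependency-name": "github.com/openshift/osd-network-verifier"},
        {"dependency-name": "github.com/openshift/backplane-cli"},
    ],
    "groups": {
        "aws-sdk": {"patterns": ["github.com/aws/aws-sdk-go-v2*"]},
        "kubernetes": {"patterns": ["k8s.io/*", "sigs.k8s.io/*"]},
        "openshift": {"patterns": ["github.com/openshift/*"]},
    },
}

# Constructed module list standing in for go.mod's require block.
MODULES = [
    "github.com/openshift/osd-network-verifier",
    "github.com/openshift/backplane-cli",
    "github.com/aws/aws-sdk-go-v2",
    "github.com/aws/aws-sdk-go-v2/service/ec2",
    "k8s.io/client-go",
    "sigs.k8s.io/controller-runtime",
    "github.com/spf13/cobra",
]


def allowed_modules(config, modules):
    """Modules Dependabot may update; no `allow` block means all of them."""
    allow = config.get("allow")
    if not allow:
        return list(modules)
    names = [a["dependency-name"] for a in allow if "dependency-name" in a]
    return [m for m in modules if any(fnmatchcase(m, n) for n in names)]


def group_of(config, module):
    """First group whose patterns match; None means an ungrouped PR."""
    for name, spec in config.get("groups", {}).items():
        if any(fnmatchcase(module, p) for p in spec.get("patterns", [])):
            return name
    return None


def group_membership(config, modules):
    """Map every configured group to the allowed modules it would contain."""
    members = {g: [] for g in config.get("groups", {})}
    for m in allowed_modules(config, modules):
        g = group_of(config, m)
        if g is not None:
            members[g].append(m)
    return members


def unreachable_groups(config, modules):
    """Groups that can never produce a PR under the current allow list."""
    return sorted(g for g, ms in group_membership(config, modules).items() if not ms)


if __name__ == "__main__":
    for g in unreachable_groups(CONFIG, MODULES):
        print(f"group '{g}' is unreachable: no allowed module matches its patterns")
```

Running it against the constructed config reports `aws-sdk` and `kubernetes` as unreachable, which is exactly the review's finding; dropping the `allow` key from CONFIG makes every group reachable.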

@MitaliBhalla MitaliBhalla force-pushed the rosa-745-dependency-config branch from e675d6a to e00af72 Compare June 29, 2026 05:41
openshift-ci Bot (Contributor) commented Jun 29, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MitaliBhalla
Once this PR has been reviewed and has the lgtm label, please assign dustman9000 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai Bot left a review comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/dependabot-auto-merge.yml (1)

7-12: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Trim the unused token scopes.

checks: read and actions: read are not used by any visible step. If dependabot/fetch-metadata does not require them, drop these scopes to keep the workflow least-privileged.

🔐 Proposed permission tightening
 permissions:
   contents: write
   pull-requests: write
-  checks: read
-  actions: read
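Review bot: before dropping `checks: read` and `actions: read`, confirm that the remaining `contents: write` and `pull-requests: write` cover every call the workflow makes; from the other findings those are the `enablePullRequestAutoMerge` GraphQL mutation and the issues-comments POST, which this scope pair should cover. The scope worth re-justifying in the description is `contents: write`, since that is the permission that lets the token actually land the merge, not the two read scopes.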

As per path instructions, "Least privilege: minimize GITHUB_TOKEN permissions."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependabot-auto-merge.yml around lines 7 - 12, The
workflow permissions in dependabot-auto-merge are over-scoped; remove the unused
checks: read and actions: read token permissions from the top-level permissions
block. Keep only the scopes actually needed by the visible steps and by
dependabot/fetch-metadata if required, so the workflow stays least-privileged.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 19-24: The workflow step currently checks out the repository
unnecessarily and uses a floating version for dependabot/fetch-metadata. Remove
the actions/checkout step from the dependabot auto-merge job, since the metadata
step only needs GitHub API access and outputs from dependabot/fetch-metadata.
Update the dependabot/fetch-metadata reference to a pinned full SHA in the
metadata step so the workflow uses an immutable action version.
- Around line 68-82: The auto-merge step in the workflow can report success from
`curl` based on HTTP 200 alone, but the GitHub GraphQL API may still return an
`errors` payload. Update the logic around the `response`/`/tmp/response.json`
check to inspect the response body for GraphQL `errors` before printing the
success message, and only treat the `enablePullRequestAutoMerge` mutation as
successful when the body confirms it actually enabled auto-merge.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4bf15f12-e29b-4568-b511-b5f44a8416ff

📥 Commits

Reviewing files that changed from the base of the PR and between e675d6a and e00af72.

📒 Files selected for processing (2)
  • .github/dependabot.yml
  • .github/workflows/dependabot-auto-merge.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/dependabot.yml

@MitaliBhalla MitaliBhalla force-pushed the rosa-745-dependency-config branch from e00af72 to 6d2c9c0 Compare June 29, 2026 06:44
MitaliBhalla (Contributor, Author) commented:

Addressed CodeRabbit review in latest push:

  • Workflow: use github.event.pull_request.user.login + fork guard; drop unused token scopes; remove checkout; pin dependabot/fetch-metadata to SHA; validate GraphQL response; major-comment only on opened; metadata via env vars; log reflects actual automerge result
  • osdctl only: removed unreachable aws-sdk/kubernetes groups — allow list intentionally limits updates to the two OpenShift deps

Thanks @coderabbitai

coderabbitai Bot commented Jun 29, 2026


@MitaliBhalla Thanks for the update — those changes sound good, especially tightening the workflow guards/scopes and removing the unreachable dependency groups for osdctl.

Appreciate the follow-up.

coderabbitai Bot left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-auto-merge.yml:
- Around line 80-84: The comment-posting steps in the dependabot auto-merge
workflow currently treat a successful curl invocation as a sent notification
even when GitHub returns 4xx/5xx, so the major-update and auto-merge-failure
comments can be skipped silently. Update both comment POST commands in the
workflow to verify the HTTP response status before proceeding, and make them
fail unless the response is the expected success status (or at least a 2xx). Use
the existing comment-posting logic around the GitHub issues comments API call to
ensure the workflow only marks notifications as sent after a confirmed
successful post.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 96401fc9-5009-460b-891b-92bcdf75b82a

📥 Commits

Reviewing files that changed from the base of the PR and between e00af72 and 6d2c9c0.

📒 Files selected for processing (2)
  • .github/dependabot.yml
  • .github/workflows/dependabot-auto-merge.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/dependabot.yml
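Added example, not the workflow's own code: a reference version of the response checks requested in the two reviews above, treating the GraphQL enablePullRequestAutoMerge call as successful only when the body carries no `errors` and returns a populated autoMergeRequest, and the issues-comments POST as sent only on a 2xx status. The sample bodies are constructed to match the shape of the GitHub GraphQL API, not captured from a run.

```python
"""Validate GitHub API responses before the workflow reports success.

Added example, not the osdctl workflow's own code. GraphQL reports most
failures in-band (HTTP 200 plus an `errors` array), and curl does not fail
on a 4xx/5xx REST status unless asked to, so both cases are checked here.
"""
import json
from typing import Tuple


def graphql_automerge_enabled(status: int, body: str) -> Tuple[bool, str]:
    """Return (ok, reason) for an enablePullRequestAutoMerge mutation response."""
    if not 200 <= status < 300:
        return False, f"http status {status}"
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        doc = None
    if not isinstance(doc, dict):
        return False, "response body is not a JSON object"
    # GraphQL errors arrive with a 200: this is the case curl's exit code misses.
    if doc.get("errors"):
        msgs = "; ".join(e.get("message", "?") for e in doc["errors"])
        return False, f"graphql errors: {msgs}"
    # Only a populated autoMergeRequest proves auto-merge is actually enabled.
    data = doc.get("data") or {}
    mutation = data.get("enablePullRequestAutoMerge") or {}
    pull_request = mutation.get("pullRequest") or {}
    request = pull_request.get("autoMergeRequest")
    if not request:
        return False, "mutation returned no autoMergeRequest"
    return True, f"auto-merge enabled ({request.get('mergeMethod', 'unknown')})"


def comment_posted(status: int) -> bool:
    """Creating an issue comment returns 201; any 2xx counts, nothing else does."""
    return 200 <= status < 300


# Constructed sample bodies shaped like the GitHub GraphQL API, not captured output.
OK_BODY = json.dumps({"data": {"enablePullRequestAutoMerge": {"pullRequest": {
    "autoMergeRequest": {"enabledAt": "2026-06-29T07:02:00Z", "mergeMethod": "SQUASH"}}}}})
ERR_BODY = json.dumps({
    "data": {"enablePullRequestAutoMerge": None},
    "errors": [{"message": "Pull request is not in the correct state to enable auto-merge"}],
})

if __name__ == "__main__":
    for status, body in [(200, OK_BODY), (200, ERR_BODY), (502, OK_BODY), (200, "<html>")]:
        print(status, graphql_automerge_enabled(status, body))
    print("comment sent:", comment_posted(201), comment_posted(404))
```

In a workflow step the two functions would sit behind `curl -s -o body.json -w '%{http_code}'`, with a non-ok result failing the step so the "auto-merge enabled" log line and the "notification sent" state are only ever written after a confirmed success.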

@MitaliBhalla MitaliBhalla force-pushed the rosa-745-dependency-config branch from 6d2c9c0 to 60e96e9 Compare June 29, 2026 07:02
@MitaliBhalla MitaliBhalla marked this pull request as ready for review June 29, 2026 11:04
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 29, 2026
@openshift-ci openshift-ci Bot requested review from bergmannf and clcollins June 29, 2026 11:04
openshift-ci Bot (Contributor) commented Jun 29, 2026

@MitaliBhalla: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
