feat: robust dependabot auto-approval with release age check #189
Merged
marcusburghardt merged 2 commits into complytime:main from Apr 13, 2026
Replace fragile dependency-usage-based auto-approval gate with robust criteria: non-major version bump, 24h+ release age, no vulnerabilities, and CI passing. Simplify dependency extraction by using dependabot commit metadata as primary source with diff parsing as supplementary enrichment.

Key changes:
- Remove set -e, nested while loops, and temp file I/O from extraction
- Add commit metadata parsing (dependency-name, version, update-type)
- Add release age check via ecosystem-specific APIs (GitHub, Go proxy, PyPI)
- Update auto-approval condition: risk + review + release_age >= 24h
- Keep dependency usage as informational context in PR comments
- Fix Go submodule and Python subpath ecosystem detection
- Improve usage search timeout handling with 30s timeout and longer backoff
- Add structured rationale table to PR comments

Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
Renumber feature branch and spec directory from 005 to 006. Fix all issues identified by specification analysis: extract 24h threshold to workflow-level env constant (Principle I), add header comment block to ci_dependencies.yml (constitution requirement), fix contradictory multi-dependency handling claims in spec, correct line count summary in plan, clarify release_age_hours phasing in tasks, standardize terminology, add CI dependency chain verification task, and create structured manual test checklist for acceptance scenarios.

Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
430f3b6 to ee561af
hbraswelrh (Member) approved these changes on Apr 13, 2026 and left a comment:
LGTM. Manual + Agent Assisted Review. Great work!

Results from Local Review with Agent:
- Runtime changes are minimal and focused — only 2 workflow files actually change behavior
- Safer approval criteria — the old UPDATES_COUNT > 10 gate was gameable and noisy; the new multi-criteria check (non-major + 24h age + clean review) is more meaningful
- Extraction simplification is a clear win — replaces fragile diff parsing with dependabot's own commit metadata, which is the canonical source
- Safe defaults — unknown release age (-1) blocks auto-approval rather than allowing it
- Bulk of the +1041 lines is spec documentation — no runtime impact

The only nit I'd note is date -d is GNU-only (won't work on macOS), but since this exclusively runs on GitHub runners (Ubuntu), that's a non-issue.
Summary
Replace the fragile dependency-usage-based auto-approval gate with robust criteria: non-major version bump, 24h+ release age, no vulnerabilities, and CI passing. Simplify the dependency information extraction by using dependabot commit metadata as the primary source with diff parsing as supplementary enrichment. Keep dependency usage as informational context in PR comments.
Key changes:
- Replace the `UPDATES_COUNT > 10` approval gate with `release_age_hours >= MIN_RELEASE_AGE_HOURS && risk != high && review == success`
- Extract the 24h threshold to a workflow-level `env: MIN_RELEASE_AGE_HOURS` constant
- Add header comment block to `ci_dependencies.yml`
- Remove `set -e`, nested while loops, and temp file I/O from extraction step

Related Issues
Review Hints
- The two workflow files to focus on are `.github/workflows/reusable_dependabot_reviewer.yml` (extraction, risk classification, release age) and `.github/workflows/ci_dependencies.yml` (approval criteria, PR comment).
- Review the commits in sequence: the first commit (`feat:`) contains all workflow changes; the second commit (`fix:`) contains the spec renumbering (005→006), specification analysis fixes, and documentation alignment.
- The `specs/006-robust-dependabot-approval/` directory contains the full specification artifacts (spec, plan, tasks, research, data model, quickstart, manual test checklist). These are documentation-only and do not affect runtime behavior.
- Run `make lint` to verify YAML linting passes. Run `make sync-dry-run` to confirm `ci_dependencies.yml` is in the sync list.
- The `MIN_RELEASE_AGE_HOURS` constant (currently `24`) is defined once at workflow level and referenced in both the approval condition and the PR comment auto-approval display.
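The approval gate described in the summary (release age from the ecosystem API's publish timestamp, -1 for an unknown age, non-major risk, successful review), written out as a standalone bash example added here; it is not the workflow code from this PR, and the function names and the use of GNU `date -d` (as on the Ubuntu runners the reviewer mentions) are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example, not the complytime workflow: the auto-approval gate as
# standalone functions. MIN_RELEASE_AGE_HOURS mirrors the workflow-level
# constant; function names are assumptions of this example.
MIN_RELEASE_AGE_HOURS="${MIN_RELEASE_AGE_HOURS:-24}"

# release_age_hours PUBLISHED_AT [NOW_EPOCH]
# PUBLISHED_AT is the ISO-8601 publish timestamp returned by the ecosystem
# API (GitHub release, Go proxy, PyPI). Prints whole hours since publication,
# or -1 when the timestamp is missing, unparseable or in the future, so an
# unknown age blocks auto-approval instead of allowing it.
# Relies on GNU `date -d` (Ubuntu runners); not portable to BSD/macOS date.
release_age_hours() {
  local published="$1" now="${2:-$(date -u +%s)}" pub_epoch
  [ -n "$published" ] || { echo -1; return; }
  pub_epoch=$(date -u -d "$published" +%s 2>/dev/null) || { echo -1; return; }
  [ "$pub_epoch" -le "$now" ] || { echo -1; return; }   # clock skew / bad data
  echo $(( (now - pub_epoch) / 3600 ))
}

# classify_risk UPDATE_TYPE
# UPDATE_TYPE comes from dependabot's commit metadata trailer
# (update-type: version-update:semver-{major,minor,patch}).
# Major bumps and anything unrecognised are "high" and never auto-approved.
classify_risk() {
  case "$1" in
    version-update:semver-major) echo high ;;
    version-update:semver-minor|version-update:semver-patch) echo low ;;
    *) echo high ;;
  esac
}

# should_auto_approve AGE_HOURS RISK REVIEW
# Exit 0 only when every criterion holds: age >= MIN_RELEASE_AGE_HOURS,
# risk != high, review == success. A -1 age fails the first check.
should_auto_approve() {
  local age="$1" risk="$2" review="$3"
  [ "$age" -ge "$MIN_RELEASE_AGE_HOURS" ] \
    && [ "$risk" != high ] \
    && [ "$review" = success ]
}
```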