chore: update auto-merge workflows to include major version bumps

[tablackburn]

This PR updates the auto-merge workflow to allow major version bumps for bot updates.

Summary by CodeRabbit

• Chores
  • Updated GitHub Actions workflow configuration for automated dependency management.

[coderabbitai]

Warning

Review limit reached

@tablackburn, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 52 minutes and 17 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cae080d0-912b-4032-a0bc-7c155e254134

📥 Commits

Reviewing files that changed from the base of the PR and between c981b0f and 5c5a013.

📒 Files selected for processing (1)

• .github/workflows/auto-merge-bots.yml

📝 Walkthrough

Walkthrough

The dependabot job in the auto-merge workflow has its step renamed from "Auto-merge minor and patch updates" to "Auto-merge dependency updates", and the conditional logic that excluded semver-major version updates is removed.

Changes

Workflow Auto-merge Update

Layer / File(s)	Summary
Auto-merge step rename and condition removal .github/workflows/auto-merge-bots.yml	Step name changed to Auto-merge dependency updates; the prior condition excluding semver-major updates is removed, allowing all dependency updates to be auto-merged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐇 A name swap here, a condition gone too,
The bots now merge every version brand new!
No more blocking the majors with semver's strict gate,
Dependabot hops through at any update rate.
Merge away, little rabbit — don't hesitate! 🌿

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title claims the change adds major version bumps to auto-merge, but the actual change only renamed a workflow step from 'Auto-merge minor and patch updates' to 'Auto-merge dependency updates' without evidence of functional changes enabling major version merging.	Revise the title to accurately reflect the actual change, such as 'chore: rename auto-merge workflow step name' or provide code changes that demonstrate how major version bumps are actually enabled.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/update-bot-automerge

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR updates the bot auto-merge GitHub Actions workflow to allow Dependabot PRs with major version bumps to be auto-merged (subject to the repository’s existing merge requirements), by removing the previous semver-major exclusion.

Changes:

• Removes the conditional that prevented auto-merging version-update:semver-major Dependabot PRs.
• Renames the step to reflect broader “dependency updates” auto-merge behavior.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

🧹 Nitpick comments (2)

.github/workflows/auto-merge-bots.yml (2)

15-18: ⚡ Quick win

Remove unused metadata fetch step.

Line 15-18 (dependabot/fetch-metadata@v3) is now dead code because id: meta outputs are no longer referenced after removing the semver filter. Keeping it adds unnecessary external action execution and token exposure surface.

Proposed diff

-      - uses: dependabot/fetch-metadata@v3
-        id: meta
-        with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
-
       - name: Auto-merge dependency updates
         run: gh pr merge --auto --squash --delete-branch "$PR_URL"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/auto-merge-bots.yml around lines 15 - 18, Remove the
unused dependabot/fetch-metadata@v3 step (lines 15-18) from the workflow file.
Since the outputs from the meta step are no longer referenced anywhere in the
workflow after the semver filter was removed, this entire step is dead code and
should be deleted to reduce unnecessary external action execution and token
exposure.

---

20-24: Add conditions to check update severity before auto-merging Dependabot PRs.

The auto-merge workflow (lines 20-24) currently auto-merges all Dependabot updates without checking update type or severity. While Dependabot is currently configured only for github-actions ecosystem updates, the workflow should conditionally block semver-major version bumps to avoid unexpected breaking changes. Consider using the metadata from dependabot/fetch-metadata step to conditionally merge only minor and patch updates:

Example approach

- name: Auto-merge dependency updates
  if: steps.meta.outputs.update-type != 'version-update:semver-major'
  run: gh pr merge --auto --squash --delete-branch "$PR_URL"
  env:
    PR_URL: ${{ github.event.pull_request.html_url }}
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Additionally, verify that branch protection rules on the default branch (e.g., required status checks, required reviews) are configured as a defense-in-depth measure.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/auto-merge-bots.yml around lines 20 - 24, The auto-merge
workflow step "Auto-merge dependency updates" currently merges all Dependabot
PRs without filtering by update severity. Add a conditional check using the
dependabot/fetch-metadata step output to prevent auto-merging of semver-major
version bumps, which may contain breaking changes. Add an if condition to the
auto-merge step that evaluates the update-type from the metadata step, allowing
only non-major version updates to be auto-merged. Additionally, verify that the
repository has configured appropriate branch protection rules such as required
status checks and code reviews as an additional safety measure.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/auto-merge-bots.yml:
- Around line 15-18: Remove the unused dependabot/fetch-metadata@v3 step (lines
15-18) from the workflow file. Since the outputs from the meta step are no
longer referenced anywhere in the workflow after the semver filter was removed,
this entire step is dead code and should be deleted to reduce unnecessary
external action execution and token exposure.
- Around line 20-24: The auto-merge workflow step "Auto-merge dependency
updates" currently merges all Dependabot PRs without filtering by update
severity. Add a conditional check using the dependabot/fetch-metadata step
output to prevent auto-merging of semver-major version bumps, which may contain
breaking changes. Add an if condition to the auto-merge step that evaluates the
update-type from the metadata step, allowing only non-major version updates to
be auto-merged. Additionally, verify that the repository has configured
appropriate branch protection rules such as required status checks and code
reviews as an additional safety measure.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0d52c73f-237c-4252-bc2f-525d4b09ce83

📥 Commits

Reviewing files that changed from the base of the PR and between 0b73a4f and c981b0f.

📒 Files selected for processing (1)

• .github/workflows/auto-merge-bots.yml