From 934481553dfb99adf38a38027311de5bb1fe9e05 Mon Sep 17 00:00:00 2001 From: Aaron Elliot Ross Date: Sat, 20 Jun 2026 09:34:21 +0200 Subject: [PATCH 1/2] Add actionlint CI gate (check: ci) --- .github/workflows/ci.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .github/workflows/ci.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..0a44b4c --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,20 @@ +name: CI + +# PR gate for ci-workflows. The repo only holds reusable (workflow_call) +# workflows, which can't meaningfully self-run on a PR, so the gate is +# actionlint over the workflow files. The job is named `ci` so it produces a +# status check named "ci" — the exact context the org ruleset requires. + +on: + pull_request: + +permissions: + contents: read + +jobs: + ci: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: actionlint + uses: raven-actions/actionlint@v2 From 4bce9cdb8614d69ecc3b1714e43edd9f9505e705 Mon Sep 17 00:00:00 2001 From: Aaron Elliot Ross Date: Sat, 20 Jun 2026 09:34:49 +0200 Subject: [PATCH 2/2] Add Dependabot auto-merge caller (uses ci-workflows@v13) --- .github/workflows/automerge.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .github/workflows/automerge.yml diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml new file mode 100644 index 0000000..64a623c --- /dev/null +++ b/.github/workflows/automerge.yml @@ -0,0 +1,27 @@ +name: Dependabot auto-merge + +# Per-repo caller. Drop into .github/workflows/ of each consuming repo. +# It runs on every PR but the reusable only acts on Dependabot PRs. +# +# The permissions block here MUST grant contents+pull-requests write: a called +# workflow's effective GITHUB_TOKEN permissions are capped by the caller's. +# GITHUB_TOKEN is passed to the reusable automatically (no `secrets: inherit`). +# +# Pin the reusable to a released tag of ci-workflows. v13 is the first tag that +# contains it. Dependabot's github-actions ecosystem will open PRs bumping this +# ref as new tags are cut — which the auto-merge this enables will then land. + +on: + pull_request: + +permissions: + contents: write + pull-requests: write + +jobs: + auto-merge: + if: github.actor == 'dependabot[bot]' + uses: WeMoveEU/ci-workflows/.github/workflows/dependabot-auto-merge.yml@v13 + # Override defaults if desired, e.g. patch-only for runtime-heavy repos: + # with: + # allowed-update-types: "version-update:semver-patch"