11 changes: 7 additions & 4 deletions .github/workflows/gh-aw-dependency-review.lock.yml


6 changes: 5 additions & 1 deletion .github/workflows/gh-aw-dependency-review.md
Expand Up @@ -77,6 +77,7 @@ safe-outputs:
allowed:
- "needs-human-review"
- "higher-risk"
- "oblt-aw/ai/merge-ready"
strict: false
timeout-minutes: 60
steps:
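Review bot: the allowed list now lets the agent apply `oblt-aw/ai/merge-ready`, a label whose name reads as a merge signal, under a `strict: false` safe-output. The compiled `.github/workflows/gh-aw-dependency-review.lock.yml` in this same change carries 7 additions and 4 deletions for this one-line source edit and is not rendered here, so please confirm it was regenerated from this file rather than edited by hand, and that its allowed list contains exactly these three entries.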
Expand Down Expand Up @@ -236,7 +237,10 @@ Based on the analysis, determine if labels should be applied:
- **`higher-risk`**: Apply when:
- The updated dependency is used only in workflows triggered by push-to-main, release, schedule, or workflow_dispatch (cannot be validated in PR context)

Only apply `needs-human-review` and `higher-risk` labels.
- **`oblt-aw/ai/merge-ready`**: Apply when:

Contributor


oblt-aw/ai/merge-ready is defined as "safe to merge without human review," but the workflow only adds labels and never removes existing ones. On reruns, a PR can retain a prior needs-human-review/higher-risk label and also receive oblt-aw/ai/merge-ready, which creates contradictory automation signals.

Please make oblt-aw/ai/merge-ready explicitly mutually exclusive (e.g., only apply it when neither risk label is present, or remove stale risk labels before adding it).

- No issues were found and the dependency update is safe to merge without human review

Only apply `needs-human-review`, `higher-risk`, and `oblt-aw/ai/merge-ready` labels.

### Step 5: Post Analysis Comment

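Review bot: the `oblt-aw/ai/merge-ready` criterion ("No issues were found and the dependency update is safe to merge without human review") is a single open-ended judgement, whereas `higher-risk` is tied to a concrete condition (the dependency is used only in push-to-main, release, schedule or workflow_dispatch workflows). Suggest spelling out the positive conditions the agent must verify before applying it, for example that every shared check passed and that the `higher-risk` condition does not hold, so the label is reproducible across runs and is not granted by default whenever nothing happened to be flagged.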
4 changes: 2 additions & 2 deletions gh-agent-workflows/dependency-review/README.md
Expand Up @@ -4,7 +4,7 @@ Analyze Dependabot, Renovate, and Updatecli dependency update PRs.

## How it works

Triggered when Dependabot, Renovate, or Updatecli opens or updates a PR. Classifies each dependency by ecosystem (GitHub Actions, Go, npm, Python, Java, Buildkite, etc.), runs shared checks (changelog, usage analysis, compatibility, testability), and applies ecosystem-specific checks where relevant. Posts a structured analysis comment and optionally labels the PR `needs-human-review` or `higher-risk`.
Triggered when Dependabot, Renovate, or Updatecli opens or updates a PR. Classifies each dependency by ecosystem (GitHub Actions, Go, npm, Python, Java, Buildkite, etc.), runs shared checks (changelog, usage analysis, compatibility, testability), and applies ecosystem-specific checks where relevant. Posts a structured analysis comment and optionally labels the PR `needs-human-review`, `higher-risk`, or `oblt-aw/ai/merge-ready`.

## Quick Install

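Review bot: the updated sentence lists `oblt-aw/ai/merge-ready` as a third optional label but does not say what it asserts or that it should not co-occur with `needs-human-review` or `higher-risk`; since the label name invites wiring it to auto-merge, add a short definition here, e.g. "applied only when no issues were found and neither risk label applies".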
Expand Down Expand Up @@ -33,7 +33,7 @@ See [example.yml](example.yml) for the full workflow file.
## Safe Outputs

- `add-comment` — post an analysis comment on the PR (max 1)
- `add-labels` — label the PR when human review or higher risk is detected (max 3)
- `add-labels` — label the PR with `needs-human-review`, `higher-risk`, or `oblt-aw/ai/merge-ready` (max 3)

## Manual usage with mention-in-pr

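Review bot: `(max 3)` now equals the number of labels the workflow can apply, so the safe-output cap alone allows `needs-human-review`, `higher-risk` and `oblt-aw/ai/merge-ready` to land on the same PR in one run; if the merge-ready label is meant to be exclusive with the two risk labels, say here that exclusivity is enforced by the prompt, or lower the limit.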