Add dependency bot PR to the Merge Queue workflow (DataDog/datadog-agent)
The Add dependency bot PR to the Merge Queue workflow from DataDog/datadog-agent, explained and optimized by Latchkey.
CI health: A - excellent
Point runs-on at Latchkey and get job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Add dependency bot PR to the Merge Queue workflow from the DataDog/datadog-agent repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
---
name: Add dependency bot PR to the Merge Queue
on:
pull_request_review:
types:
- submitted
- edited
permissions: {}
jobs:
add_to_merge_queue:
if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'renovate[bot]'
runs-on: ubuntu-latest
environment:
name: dependabot
permissions:
id-token: write # This is required for getting the required OIDC token from GitHub
steps:
- uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
id: octo-sts
with:
scope: DataDog/datadog-agent
policy: self.add-dependabot-pr-to-mq.comment-pr
- name: Check if the PR is mergeable
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
id: check-mergeable
with:
github-token: ${{ steps.octo-sts.outputs.token }}
script: |
const pullRequestNumber = context.payload.pull_request.number;
// Use GraphQL to get reviewDecision which respects branch protection rules
const query = `query($owner: String!, $repo: String!, $number: Int!) {
repository(owner: $owner, name: $repo) {
pullRequest(number: $number) {
reviewDecision
}
}
}`;
const result = await github.graphql(query, {
owner: context.repo.owner,
repo: context.repo.repo,
number: pullRequestNumber
});
const reviewDecision = result.repository.pullRequest.reviewDecision;
core.info(`Review decision: ${reviewDecision}`);
// reviewDecision is APPROVED only when all required reviewers have approved
return `${reviewDecision === 'APPROVED'}`;
result-encoding: string
- name: Add Merge Comment to Pull Request
if: ${{ steps.check-mergeable.outputs.result == 'true' }}
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
with:
github-token: ${{ steps.octo-sts.outputs.token }}
script: |
const pullRequestNumber = context.payload.pull_request.number;
const commentBody = "/merge";
// Add a comment to the pull request
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: pullRequestNumber,
body: commentBody
});
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
--- name: Add dependency bot PR to the Merge Queue on: pull_request_review: types: - submitted - edited permissions: {} jobs: add_to_merge_queue: timeout-minutes: 30 if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'renovate[bot]' runs-on: latchkey-small environment: name: dependabot permissions: id-token: write # This is required for getting the required OIDC token from GitHub steps: - uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4 id: octo-sts with: scope: DataDog/datadog-agent policy: self.add-dependabot-pr-to-mq.comment-pr - name: Check if the PR is mergeable uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 id: check-mergeable with: github-token: ${{ steps.octo-sts.outputs.token }} script: | const pullRequestNumber = context.payload.pull_request.number; // Use GraphQL to get reviewDecision which respects branch protection rules const query = `query($owner: String!, $repo: String!, $number: Int!) { repository(owner: $owner, name: $repo) { pullRequest(number: $number) { reviewDecision } } }`; const result = await github.graphql(query, { owner: context.repo.owner, repo: context.repo.repo, number: pullRequestNumber }); const reviewDecision = result.repository.pullRequest.reviewDecision; core.info(`Review decision: ${reviewDecision}`); // reviewDecision is APPROVED only when all required reviewers have approved return `${reviewDecision === 'APPROVED'}`; result-encoding: string - name: Add Merge Comment to Pull Request if: ${{ steps.check-mergeable.outputs.result == 'true' }} uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 with: github-token: ${{ steps.octo-sts.outputs.token }} script: | const pullRequestNumber = context.payload.pull_request.number; const commentBody = "/merge"; // Add a comment to the pull request await github.rest.issues.createComment({ owner: context.repo.owner, repo: context.repo.repo, issue_number: pullRequestNumber, body: commentBody });
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Add a job timeout so a hung step cannot burn hours of runner time.
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.