Skip to content
Latchkey

Add dependency bot PR to the Merge Queue workflow (DataDog/datadog-agent)

The Add dependency bot PR to the Merge Queue workflow from DataDog/datadog-agent, explained and optimized by Latchkey.

A

CI health: A - excellent

Point runs-on at Latchkey and get job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: DataDog/datadog-agent.github/workflows/add-dependabot-pr-to-mq.ymlLicense Apache-2.0View source

What it does

This is the Add dependency bot PR to the Merge Queue workflow from the DataDog/datadog-agent repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
---
name: Add dependency bot PR to the Merge Queue
on:
  pull_request_review:
    types:
      - submitted
      - edited

permissions: {}
jobs:
  add_to_merge_queue:
    if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'renovate[bot]'
    runs-on: ubuntu-latest
    environment:
      name: dependabot
    permissions:
      id-token: write # This is required for getting the required OIDC token from GitHub

    steps:
      - uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
        id: octo-sts
        with:
          scope: DataDog/datadog-agent
          policy: self.add-dependabot-pr-to-mq.comment-pr
      - name: Check if the PR is mergeable
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
        id: check-mergeable
        with:
          github-token: ${{ steps.octo-sts.outputs.token }}
          script: |
            const pullRequestNumber = context.payload.pull_request.number;

            // Use GraphQL to get reviewDecision which respects branch protection rules
            const query = `query($owner: String!, $repo: String!, $number: Int!) {
              repository(owner: $owner, name: $repo) {
                pullRequest(number: $number) {
                  reviewDecision
                }
              }
            }`;
            const result = await github.graphql(query, {
              owner: context.repo.owner,
              repo: context.repo.repo,
              number: pullRequestNumber
            });
            const reviewDecision = result.repository.pullRequest.reviewDecision;
            core.info(`Review decision: ${reviewDecision}`);

            // reviewDecision is APPROVED only when all required reviewers have approved
            return `${reviewDecision === 'APPROVED'}`;
          result-encoding: string
      - name: Add Merge Comment to Pull Request
        if: ${{ steps.check-mergeable.outputs.result == 'true' }}
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
        with:
          github-token: ${{ steps.octo-sts.outputs.token }}
          script: |
            const pullRequestNumber = context.payload.pull_request.number;
            const commentBody = "/merge";

            // Add a comment to the pull request
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: pullRequestNumber,
              body: commentBody
            });

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

---
name: Add dependency bot PR to the Merge Queue
on:
  pull_request_review:
    types:
      - submitted
      - edited
 
permissions: {}
jobs:
  add_to_merge_queue:
    timeout-minutes: 30
    if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'renovate[bot]'
    runs-on: latchkey-small
    environment:
      name: dependabot
    permissions:
      id-token: write # This is required for getting the required OIDC token from GitHub
 
    steps:
      - uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
        id: octo-sts
        with:
          scope: DataDog/datadog-agent
          policy: self.add-dependabot-pr-to-mq.comment-pr
      - name: Check if the PR is mergeable
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
        id: check-mergeable
        with:
          github-token: ${{ steps.octo-sts.outputs.token }}
          script: |
            const pullRequestNumber = context.payload.pull_request.number;
 
            // Use GraphQL to get reviewDecision which respects branch protection rules
            const query = `query($owner: String!, $repo: String!, $number: Int!) {
              repository(owner: $owner, name: $repo) {
                pullRequest(number: $number) {
                  reviewDecision
                }
              }
            }`;
            const result = await github.graphql(query, {
              owner: context.repo.owner,
              repo: context.repo.repo,
              number: pullRequestNumber
            });
            const reviewDecision = result.repository.pullRequest.reviewDecision;
            core.info(`Review decision: ${reviewDecision}`);
 
            // reviewDecision is APPROVED only when all required reviewers have approved
            return `${reviewDecision === 'APPROVED'}`;
          result-encoding: string
      - name: Add Merge Comment to Pull Request
        if: ${{ steps.check-mergeable.outputs.result == 'true' }}
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
        with:
          github-token: ${{ steps.octo-sts.outputs.token }}
          script: |
            const pullRequestNumber = context.payload.pull_request.number;
            const commentBody = "/merge";
 
            // Add a comment to the pull request
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: pullRequestNumber,
              body: commentBody
            });
 

What changed

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow