Proposal: Dependabot auto merge #17

Open
MSevey opened this issue Nov 15, 2022 · 4 comments

MSevey commented Nov 15, 2022

If a repo has sufficient CI, we should be able to safely auto merge dependabot PRs.

Some helpful references for how other projects have done it:

- https://github.com/SkynetLabs/.github/blob/master/.github/actions/dependabot-approve-and-merge/action.yml
- https://github.com/SkynetLabs/skynet-js/blob/master/.github/.kodiak.toml


MSevey commented Nov 17, 2022

Looks like there is a nice action here https://github.com/marketplace/actions/dependabot-auto-merge


MSevey commented Nov 17, 2022

This should be all that is needed.

```yaml
# For more information see https://github.com/marketplace/actions/dependabot-auto-merge
name: auto-merge

on:
  pull_request:

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ahmadnassri/action-dependabot-auto-merge@v2
        with:
          target: minor
          # DEPENDABOT_AUTOMERGE_PAT is a celestiaorg level secret.
          # It is a PAT for MSevey who should have sufficient permissions to perform the action on all repos.
          github-token: ${{ secrets.DEPENDABOT_AUTOMERGE_PAT }}
          # the `target` field defines the target version to auto merge.
          # The default is patch, but it can be updated to include auto merging minor releases as well
          # target: minor
```


MSevey commented Nov 17, 2022

Here is another alternative

https://github.com/fastify/github-action-merge-dependabot


MSevey commented May 30, 2023

Another option in practice that I've been using.

workflow file

```yaml
  # Auto-merge Dependabot PRs. Requires also `.github/.kodiak.toml`.
  dependabot:
    needs: deploy
    name: "Approve and Merge Dependabot PRs"
    # - Must be a PR.
    # - The latest actor must be Dependabot. This prevents other users from
    #   sneaking in changes into the PR.
    if: ${{ github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' }}
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - uses: actions/checkout@v3
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/[email protected]
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Approve PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Enable auto-merge for Dependabot PRs
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

.kodiak.toml

```toml
# Auto-merge Dependabot PRs.

version = 1

[approve]
# note: remove the "[bot]" suffix from GitHub Bot usernames.
# Instead of "dependabot[bot]" use "dependabot".
auto_approve_usernames = ["dependabot"]
```
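
Added example, not part of the issue thread or of any linked action's code: the two gates discussed in the comments above (the "latest actor must be Dependabot" condition and the `target` update level), written so that anything unrecognised fails closed. The title format, the use of `sender.login` as the latest actor, and the names `bump_level`, `may_auto_merge` and `sample` are assumptions of this example.

```python
import re

BOT = "dependabot[bot]"
LEVELS = {"patch": 0, "minor": 1, "major": 2}
# Assumed title shape: "... bump <pkg> from <old> to <new>" (x.y.z versions only).
TITLE_RE = re.compile(
    r"\bfrom v?(\d+)\.(\d+)\.(\d+) to v?(\d+)\.(\d+)\.(\d+)\s*$", re.I)


def bump_level(title):
    """Return 'patch', 'minor' or 'major'; None if unparseable or not an upgrade."""
    m = TITLE_RE.search(title or "")
    if not m:
        return None
    nums = tuple(int(g) for g in m.groups())
    old, new = nums[:3], nums[3:]
    if new <= old:
        return None
    if new[0] != old[0]:
        return "major"
    return "minor" if new[1] != old[1] else "patch"


def may_auto_merge(event, target="patch"):
    """Decide from a pull_request event payload; every unknown fails closed."""
    pr = event.get("pull_request") or {}
    # Latest actor (assumed to be sender.login) must be Dependabot.
    if (event.get("sender") or {}).get("login") != BOT:
        return False, "latest actor is not Dependabot"
    if (pr.get("user") or {}).get("login") != BOT:
        return False, "PR was not opened by Dependabot"
    level = bump_level(pr.get("title"))
    if level is None:
        return False, "cannot determine version bump"
    if LEVELS[level] > LEVELS[target]:
        return False, f"{level} update exceeds target {target!r}"
    return True, f"{level} update within target {target!r}"


def sample(title, sender=BOT, author=BOT):
    """Build a constructed payload (not a real webhook capture)."""
    return {"sender": {"login": sender},
            "pull_request": {"title": title, "user": {"login": author}}}


if __name__ == "__main__":
    for ev in (sample("Bump lodash from 4.17.20 to 4.17.21"),
               sample("Bump lodash from 4.17.20 to 5.0.0"),
               sample("Bump lodash from 4.17.20 to 4.17.21", sender="someone")):
        print(may_auto_merge(ev, target="minor"))
```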
