I’ve recently been using a combination of GitHub apps to automate the approval and merging of Dependabot pull requests, but wanted to simplify this into a GitHub workflow, using branch protection and GitHub’s auto merge feature.
The GitHub workflow looks something like:

```yaml
name: Dependabot
on: pull_request
permissions:
  contents: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Only run for pull requests raised by Dependabot itself
    if: ${{ github.actor == 'dependabot[bot]' }}
    env:
      PR_URL: ${{ github.event.pull_request.html_url }}
      # Personal access token stored as a repository secret; gh reads it from GITHUB_TOKEN
      GITHUB_TOKEN: ${{ secrets.MY_PA_TOKEN }}
    steps:
      - name: approve
        run: gh pr review --approve "$PR_URL"
      - name: merge
        # --auto defers the merge until the branch protection rules are satisfied
        run: gh pr merge --auto --squash --delete-branch "$PR_URL"
```
❗ Warning: I wouldn’t implement this without branch protection and required status checks.
And it works! 🎉
The pull request now looks like the following:
[Screenshot: Automating DependaBot pull request approval and merging]
Once I had this implemented and pushed to all the repositories, I just needed to tell Dependabot to rebase all pull requests.
It would be fairly easy to add a check for labels on the pull request and only run the approval step if the label was present, but I really didn’t have a use case for this right now because I feel confident in the required status checks.
Top comments (2)
Works great indeed!
However, try to add the following step:
And then add an "if" check during the auto-merge step for additional checks. For EXAMPLE... check some additional things like:
Just to give you another example. You might want to check on semver-minor as well. Or check on package-ecosystem or target-branch. This is an update of the tox python package via Pip. See the metadata that dependabot/fetch-metadata@v1 gives me:
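Pulling the two ideas together (the label check the post mentions and the fetch-metadata conditions this comment describes), here is an added example workflow. It is not the post's own workflow and not the snippet the comment refers to. It assumes a label named `automerge` applied by a maintainer and a default branch named `main`; `update-type`, `package-ecosystem` and `target-branch` are outputs of `dependabot/fetch-metadata@v1`, and `MY_PA_TOKEN` is the same secret the post uses.

```yaml
name: Dependabot auto-merge
on: pull_request

permissions:
  contents: write
  pull-requests: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Only run for pull requests raised by Dependabot itself
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      # Parses Dependabot's PR and exposes update-type, package-ecosystem,
      # dependency-names and target-branch as step outputs
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Gate everything on one decision so approve and merge can never disagree:
      # patch or minor bumps only, pip ecosystem only, targeting main only,
      # and only when a maintainer has put the (assumed) "automerge" label on the PR.
      # Major bumps and anything else are left for a human to review.
      - name: Decide whether this update may be auto-merged
        id: decide
        if: >-
          (steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
           steps.metadata.outputs.update-type == 'version-update:semver-minor') &&
          steps.metadata.outputs.package-ecosystem == 'pip' &&
          steps.metadata.outputs.target-branch == 'main' &&
          contains(github.event.pull_request.labels.*.name, 'automerge')
        run: echo "ok=true" >> "$GITHUB_OUTPUT"

      # If the decide step was skipped, its output is empty and both steps below are skipped too
      - name: Approve
        if: steps.decide.outputs.ok == 'true'
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.MY_PA_TOKEN }}

      - name: Enable auto-merge
        if: steps.decide.outputs.ok == 'true'
        # --auto only flags the PR; the merge itself still waits for the
        # branch protection rules (required status checks) to pass
        run: gh pr merge --auto --squash --delete-branch "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.MY_PA_TOKEN }}
```

Routing the approve and merge steps through a single `decide` step keeps the policy in one place: widening it (say, allowing `npm_and_yarn` as well as `pip`) is a one-line change, and a PR can never be auto-merged without also having passed the same condition that allowed the approval.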