The stuff I do

Automatically merging Dependabot PRs on Github

- 940 words -

← Posts

I have Dependabot set on many of my repos but I often get too lazy to check the PRs and merge them. On my api repo this is an issue because I really want to keep dependencies up to date. Here is what I did to have Dependabot's PRs merged automatically as they are created.

The file lives there on Github

At no point there is a need to generate a github access token by yourself. Dependabot will use its own

Setup tests 🔗

For my api repo I use mocha to run the tests. I have 3 commands to be able to run the tests

npm run env            # This triggers a podman-compose command starting the containers
./src/tools/ # Create the test database in the container
npm run tests:all      # Call mocha and run the tests

Setups in Github 🔗

Dependabot 🔗

Allow Dependabot to regularly create PRs with dependencies update.

In the Github repo settings: Security > Code security and analysis > Dependabot

Dependabot setup screen

Enable the Dependabot alerts

For better configuration a file github/dependabot.yml can be created in the repo, see the doc for more details.

Actions settings 🔗

Allow GitHub Actions to create and approve pull requests. This is needed because the workflow we will trigger will be responsible for approving the PR automatically.

In the Github repo settings: Code and automation > Actions > General > Workflow permissions

Actions settings screen

Enable the actions to modify PRs

Branch protection 🔗

In the Github repo settings: Code and automation > Branches > Add rule

The rule needs to apply to the main branch (i.e. the one we'll be merging to).

We need two checks enforced by the rule:

Branch protection screen

Enforce PR approval and checks

Setup the workflow 🔗

In the repo create a file for the workflow like .github/workflows/dependabot-auto-merge.yml

Trigger 🔗

We will trigger the workflow on PRs.

TODO Find a way to trigger only for dependabot PRs, for now all MR will be automatically merged if they pass the tests.

name: Test and AutoMerge PRs

        types: [opened, synchronize, edited]
        branches: [main]

Permissions 🔗

This changes the permissions of the github token that dependabot gets when creating the PR, we need two additional permissions.

    # This is needed to approve the PR
    pull-requests: write
    # This is needed to merge the PR
    contents: write

Without these permissions the calls the the gh cli in the next steps fail with errors similar to this:

gh cli permission error

Example of gh permission error

Filter dependabot 🔗

One way to have the whole workflow triggered only for dependabot's PR is to add a condition for the job:

        if: == 'dependabot[bot]'
        runs-on: ubuntu-latest
            # [...]

This could be improved to better factorize the code and have the tests running on all MR and the auto merge running only on dependabot PRs but since I'm the only one working on this repo and I don't use PRs for other reasons I will not bother with that.

Repo setup and tests 🔗

This is dependent on all repos though the important part is to run some tests. Here we need several setup steps:

If these steps fail the following one will fail too, so the PRs tests will fail and the code will not be merged.

    runs-on: ubuntu-latest
      - name: Install python 3
        uses: actions/setup-python@v5
          python-version: '3.x'

      - name: Install podman
        uses: gacts/install-podman@v1

      - name: Install podman-compose
        run: pip3 install podman-compose

      - name: Install node.js
        uses: actions/setup-node@v4
          node-version: 'latest'

      - name: Checkout code
        uses: actions/checkout@v2
          ref: ${{ github.head_ref }}

      - name: Install dependencies
        run: npm ci

      - name: Start podman environment
        run: npm run env

      - name: Init db
        run: ./src/tools/

      - name: Run tests
        run: npm run tests:all

Handle the PR 🔗

Three important steps:

    runs-on: ubuntu-latest
      # [...]
      # Setup and test steps
      # [...]

      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
          github-token: "${{secrets.GITHUB_TOKEN}}"

      - name: Approve the PR
        run: gh pr review --approve "$PR_URL"
          PR_URL: ${{github.event.pull_request.html_url}}
          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}

      - name: Auto-merge the PR
        run: gh pr merge --rebase --auto "$PR_URL"
          PR_URL: ${{github.event.pull_request.html_url}}
          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}

Result 🔗

Once all of that is configured the Dependabot PRs should be automatically handled.

PR checks tab

The check tab of the PR should have some results

PR checks results

The checks should point to a succesful action

PR bots results

The various bots should have acted on the PR

Notification 🔗

When all of that is succesful I get emails from Github both for when the bot approves the PR and for when it merges it.

← Posts

Related posts

No other posts in the category [github]


Back to top