This Github action allows to handle Dependabot pull requests.
Based on dependencies versions, sensitiveness or project preferences, it is possible to automatically review a PR and ask Dependabot to squash and merge upon checks success (tests, deploy, linter...).
💡 Interactions with Dependabot are done through a Github personal access token. It means that the action will answer and give commands to dependabot on the behalf of the token's owner.
📚 For development documentation, read the Contributing file.
In order to add this action to a repository, you need to create a new workflow:
# .github/workflows/auto-merge.yaml
name: AutoMerge
on:
push:
branches: [main]
pull_request:
types: [opened, reopened, synchronize]
jobs:
auto-merge:
runs-on: ubuntu-latest
name: Approve and ask for merge
# It is advised to add this line in order to totally skip the code execution
# in case Dependabot is not the requester.
if: ${{ github.actor == 'dependabot[bot]' }}
steps:
- name: 🔬 Auto merge
uses: fewlinesco/dependabot-auto-merge@vx.x.x # Use the latest version
with:
github-token: ${{ secrets.GH_TOKEN }}This basic configuration will allow any pull request from Dependabot to be approved and merged.
💡 Tip: It is recommended to update your dependencies before adding the action because it can be long, based on the time one PR needs to pass checks and the number of dependencies need to be updated. Keep in mind that for every pull request merged, every remaining one will be rebased and approved again. (e.g: Given 10 outdated dependencies, it would process 45 rebases: n * (n - 1) / 2 where n is the number of pull requests).
# ...
- name: 🔬 Auto merge
uses: fewlinesco/dependabot-auto-merge@vx.x.x
with:
github-token: ${{ secrets.GH_TOKEN }}The github-token input is required. It is a Github PAT and therefore allows the Github action to act as a user.
For this Github action, the required token's scopes are read:org, repo, workflow, write:discussion.
It's also required to register github token into Dependabot's secrets on the Repository (⚙️ settings > secrets > dependabot).
A list of dependencies on which you want additional control. The syntax is <dependency-name>[:<limitation>]:
# ...
- name: 🔬 Auto merge
uses: fewlinesco/dependabot-auto-merge@vx.x.x
with:
github-token: ${{ secrets.GH_TOKEN }}
npm-disallowlist: pkg-a:major pkg-b:minor
gha-disallowlist: >
pkg-c:patch
pkg-d pkg-e*One line and multiline syntax are allowed.
In this example:
pkg-a:majormeans major bumps won't be allowed forpkg-a. But minors and patches can still be auto merged.pkg-b:minormeans major and minor bumps won't be allowed forpkg-b. But patches can still be auto merged.pkg-c:patchandpkg-dis a different syntax for the same thing: no auto merge allowed.- The usage of
*at the end like inpkg-e*means that every package with a name starting withpkg-ewill be impacted. It is cumulative with bump level. e.g: we could want to freeze every@typescript-eslint/somethingpackage on a major version:@typescript-eslint/*:major.
# ...
- name: 🔬 Auto merge
uses: fewlinesco/dependabot-auto-merge@vx.x.x
with:
github-token: ${{ secrets.GH_TOKEN }}
reviewers: FirstReviewer SecondReviewerReviewers must be valid Github usernames. If the auto merge action is not allowed, the PAT will allow to ask a review from them.
💡 If you go with this option, we recommend you to remove the reviewers from your Dependabot config file: It would defeat the purpose to only add reviewers if the auto merge is not possible.
This project has been inspired by Ahmad Nassri's work on Dependabot Auto Merge.