ahmadnassri / action-dependabot-auto-merge

Automatically merge Dependabot PRs when version comparison is within range
MIT License

Distinguish dependency type, security fixes and add config file #10

Closed (AlCalzone closed this 4 years ago)

AlCalzone commented 4 years ago

With this PR, the action now tries to determine whether a dependency is a production or development dependency and checks whether the update is security critical.

More fine-grained merge options are now available through .github/auto-merge.yml, which is based on the automerged_updates key of the original dependabot config. If both a target and this file are given, the config file is preferred.

fixes: #7

ahmadnassri commented 4 years ago

Thank you! This is amazing 🙏 I'll read through and review through the week.

In the meantime, could you please add some tests to cover all scenarios added here?

AlCalzone commented 4 years ago

I'll see what I can do

AlCalzone commented 4 years ago

I think I got it all now :)

ahmadnassri commented 4 years ago

Thank you for getting this done. It's been a busy week for me, but I'll carve out some time this weekend to get this merged.

ahmadnassri commented 4 years ago

This is amazingly thorough, thank you for putting in the effort and sorry for taking longer to get back to it.

I left some comments & suggestions, and a couple of questions; no show stoppers for merging, so please let me know if you are willing & have the time for some of the suggested tweaks / optimizations ... otherwise I will take that on.

AlCalzone commented 4 years ago

All your comments should be addressed now :)

github-actions[bot] commented 4 years ago

🎉 This PR is included in version 2.0.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

ahmadnassri commented 4 years ago

Thank you for all the effort to get this done @AlCalzone 👏 👏 👏

AlCalzone commented 4 years ago

No problem, but I fear we need to do another round. With this config (https://github.com/AlCalzone/node-zwave-js/blob/master/.github/workflows/dependabot-automerge.yml and https://github.com/AlCalzone/node-zwave-js/blob/master/.github/auto-merge.yml), this PR https://github.com/AlCalzone/node-zwave-js/pull/953 yielded this log:

using workflow's "target": 
- match:
    dependency_type: all
    update_type: 'semver:patch'

title: "build(deps-dev): bump jest-circus from 26.4.1 to 26.4.2"
depName: jest-circus
from: 26.4.1
to: 26.4.2
dependency type: development
security critical: false
manual merging required

I would have expected the following:
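The decision logic the first comment describes (dependency type, security criticality, and `match` rules from `.github/auto-merge.yml`), applied to the jest-circus case in the log above, as an added JavaScript example. It is not the action's own code and not the output AlCalzone's comment was about to show; the semantics it assumes are not stated in the thread: the dependency type is read from a package.json's `dependencies` / `devDependencies`, a `semver:X` rule accepts updates up to level X (patch < minor < major), a `security:X` rule additionally requires the security-critical flag, and any downgrade, identical version or unparsable version falls back to manual merging. The package.json and rule set below are constructed to mirror the log.

```javascript
// Added illustration of a Dependabot auto-merge decision; NOT the action's code.
// Assumptions (see lead-in): dependency type from package.json, "semver:X"
// allows updates up to level X, "security:X" also requires securityCritical.

const LEVELS = ['semver:major', 'semver:minor', 'semver:patch'];
const RANK = { 'semver:patch': 0, 'semver:minor': 1, 'semver:major': 2 };

// Classify from -> to as major/minor/patch; null means "needs a human"
// (downgrade, identical, or a version shape this toy parser does not handle).
function updateType(from, to) {
  const parse = (v) => {
    const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v);
    return m ? m.slice(1, 4).map(Number) : null;
  };
  const a = parse(from);
  const b = parse(to);
  if (!a || !b) return null;
  for (let i = 0; i < 3; i++) {
    if (b[i] > a[i]) return LEVELS[i];
    if (b[i] < a[i]) return null; // downgrade
  }
  return null; // identical versions
}

// Assumption: production vs development comes from the manifest sections.
function dependencyType(name, pkg) {
  if (pkg.devDependencies && name in pkg.devDependencies) return 'development';
  if (pkg.dependencies && name in pkg.dependencies) return 'production';
  return 'unknown';
}

// One "match" entry, in the shape of the thread's auto-merge.yml.
function ruleMatches(match, update) {
  const depOk =
    match.dependency_type === 'all' || match.dependency_type === update.dependencyType;
  if (!depOk) return false;
  const ut = match.update_type || 'all';
  if (ut === 'all') return true;
  const [kind, level] = ut.split(':');
  if (kind !== 'semver' && kind !== 'security') return false;
  if (kind === 'security' && !update.securityCritical) return false;
  const allowed = RANK[`semver:${level}`];
  const actual = update.updateType === null ? undefined : RANK[update.updateType];
  return allowed !== undefined && actual !== undefined && actual <= allowed;
}

function decide(rules, update) {
  return rules.some((r) => ruleMatches(r.match, update))
    ? 'merge'
    : 'manual merging required';
}

// Parse a Dependabot title ("... bump <name> from <a> to <b>") and evaluate it.
function evaluate(title, pkg, rules, securityCritical = false) {
  const m = /bump (\S+) from (\S+) to (\S+)/i.exec(title);
  if (!m) return { decision: 'manual merging required', reason: 'unrecognised title' };
  const update = {
    depName: m[1],
    from: m[2],
    to: m[3],
    dependencyType: dependencyType(m[1], pkg),
    updateType: updateType(m[2], m[3]),
    securityCritical,
  };
  return { ...update, decision: decide(rules, update) };
}

// Constructed sample inputs mirroring the thread's log.
const samplePkg = {
  dependencies: { express: '^4.17.1' },
  devDependencies: { 'jest-circus': '^26.4.1' },
};
const threadRules = [{ match: { dependency_type: 'all', update_type: 'semver:patch' } }];
const threadTitle = 'build(deps-dev): bump jest-circus from 26.4.1 to 26.4.2';

console.log(JSON.stringify(evaluate(threadTitle, samplePkg, threadRules), null, 2));
```

Run with `node`; the trailing `console.log` prints the evaluation of the jest-circus case, which the rule `dependency_type: all` / `update_type: semver:patch` accepts under these assumptions, while the same rule sends a minor bump of a production dependency to manual merging.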