ahmadnassri / action-dependabot-auto-merge

Automatically merge Dependabot PRs when version comparison is within range
MIT License
341 stars 48 forks

Consider combining this action with `dependabot/fetch-metadata` to support multi-dependency updates #209

Open AlCalzone opened 1 year ago

AlCalzone commented 1 year ago

I've noticed that this action fails when Dependabot creates a single PR for multiple updates. It is possible, though, to combine this with a helper action from Dependabot to fetch the update metadata in a standardized format, making a lot of parsing here unnecessary:

# ...
      - name: Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v1
        with:
          github-token: ${{ secrets.PAT }} # This must be a personal access token to fetch if a PR closes a security issue

The result can then be passed to this action:

# ...
        env:
          updatedDependenciesJson: ${{ steps.dependabot-metadata.outputs.updated-dependencies-json }}

which can then be parsed using JSON.parse and contains something like this:

[
    {
        dependencyName: 'prettier',
        dependencyType: 'direct:development',
        updateType: 'version-update:semver-patch',
        directory: '/prettier-and-types',
        packageEcosystem: 'npm_and_yarn',
        targetBranch: 'master',
        prevVersion: '',
        newVersion: '',
        compatScore: 0,
        alertState: '',
        ghsaId: '',
        cvss: 0
    },
    {
        dependencyName: '@types/prettier',
        dependencyType: 'direct:development',
        updateType: 'version-update:semver-patch',
        directory: '/',
        packageEcosystem: 'npm_and_yarn',
        targetBranch: 'master',
        prevVersion: '',
        newVersion: '',
        compatScore: 0,
        alertState: '', // <-- THIS will be "OPEN" if there is an open security issue
        ghsaId: '',
        cvss: 0
    }
]
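One way to act on that metadata for a grouped PR, as an added example that is not the action's own code: it parses the `updated-dependencies-json` output, requires every dependency in the group to be within a configured update range before allowing a merge, and reports which entries carry an open security alert. The function names `evaluateGroupedPr` and `rankOf`, the `TARGET` convention and the sample array are constructed for this example.

```javascript
// Added example (not from action-dependabot-auto-merge): decide whether a grouped
// Dependabot PR may be auto-merged from the dependabot/fetch-metadata output that the
// workflow exposes as the `updatedDependenciesJson` environment variable.
const SEMVER_RANK = { 'semver-patch': 1, 'semver-minor': 2, 'semver-major': 3 };

// Map 'version-update:semver-minor' etc. to a rank. Anything unrecognised (missing
// updateType, non-semver update) ranks highest so it can never slip through auto-merge.
function rankOf(updateType) {
  const m = /^version-update:(semver-(?:patch|minor|major))$/.exec(updateType || '');
  return m ? SEMVER_RANK[m[1]] : Number.MAX_SAFE_INTEGER;
}

// target: most permissive update kind allowed ('patch', 'minor' or 'major').
// Returns a decision instead of merging so the caller can log it and act on it.
function evaluateGroupedPr(updatedDependenciesJson, target = 'minor') {
  const limit = SEMVER_RANK[`semver-${target}`];
  if (limit === undefined) return { merge: false, reason: `unknown target "${target}"` };
  let deps;
  try {
    deps = JSON.parse(updatedDependenciesJson);
  } catch (e) {
    return { merge: false, reason: 'updated-dependencies-json is not valid JSON' };
  }
  if (!Array.isArray(deps) || deps.length === 0) {
    return { merge: false, reason: 'no updated dependencies in metadata' };
  }
  const blocked = deps.filter((d) => rankOf(d.updateType) > limit).map((d) => d.dependencyName);
  // alertState is "OPEN" when the update closes an open security alert (see the comment above).
  const securityFixes = deps.filter((d) => d.alertState === 'OPEN').map((d) => d.dependencyName);
  // Every dependency in the group must be within range; one out-of-range bump blocks the PR.
  if (blocked.length > 0) {
    return { merge: false, reason: `out of range (${target}): ${blocked.join(', ')}`, securityFixes };
  }
  return { merge: true, reason: `all ${deps.length} update(s) within ${target}`, securityFixes };
}

// Constructed sample in the shape fetch-metadata emits (two deps, one with an open alert).
const SAMPLE = JSON.stringify([
  { dependencyName: 'prettier', updateType: 'version-update:semver-patch', alertState: '' },
  { dependencyName: '@types/prettier', updateType: 'version-update:semver-minor', alertState: 'OPEN' },
]);

// Read the real metadata when run inside a workflow step, otherwise fall back to the sample.
const input = (typeof process !== 'undefined' && process.env.updatedDependenciesJson) || SAMPLE;
const targetRange = (typeof process !== 'undefined' && process.env.TARGET) || 'minor';
console.log(evaluateGroupedPr(input, targetRange));
```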
hendrickson-tyler commented 1 year ago

Would love to see this enhancement as well. This is made especially important by the grouped version updates feature that was just released as a public beta for Dependabot.

ahmadnassri commented 1 year ago

this is the plan, a complete re-write to make it compatible / dependent on dependabot/fetch-metadata

hendrickson-tyler commented 1 month ago

@ahmadnassri Apologies for tagging you, but I'm curious how this re-write is going. I have a lot more of my Dependabot updates grouped these days, so this feature would definitely be appreciated. Thanks for all your work on this action!