Please add an option to distinguish between production, dev dependencies and security fixes

[AlCalzone]

I'm looking for a way to replace the missing auto-merge functionality from dependabot, so your project is a godsend. However its missing a crucial feature for me. In the old dependabot I could configure production and dev dependencies differently. I had it configured the following way:

• auto-merge patch updates to production dependencies
• auto-merge minor updates to dev dependencies
• auto-merge minor and patch security fixes

It would be great if you could add this feature :)

[AlCalzone]

The kind of dependencies should also be detectable by the PR header, although I'm not sure if this is because I'm using conventional-commits: and the security label

[ahmadnassri]

I use conventional commits to wherever I can ... however I do believe the "form x to y" section is the same no matter what ... that said, dependabot docs are a bit disorganized after the acquisition by github and I can't find a good reference ...

that said ...

• it should be a fairly easy attempt to discover prod-vs-dev dependencies, and safely fall-back to standard behaviour when un-detectable
• this action will also work for other non-node things, so not even sure how those would look ...

I do like the idea of adding granular configuration for this, however, it's not currently a priority for me, so I might not get around to it this week ... in the meantime, PRs are welcome!

couple of quick thoughts:

• the action "inputs" are limited to strings, so, in order to have additional configuration (as a full object) perhaps a config file is needed to be stored in the repo, preferably under .github/auto-merge.yml
• if this is the path to go forward, perhaps adopting the original dependabot syntax .... https://dependabot.com/docs/config-file/#automerged_updates

would be great to see a PR to assist in this setup!

thanks

[AlCalzone]

would be great to see a PR to assist in this setup!

I can give it a shot. The original syntax seems to make sense IMO. Do you know how to read a file from the repo from inside the action? I haven't worked with docker actions yet.

[ahmadnassri]

this is the section in the docs for accessing the filesystem path: https://docs.github.com/en/actions/reference/virtual-environments-for-github-hosted-runners#filesystems-on-github-hosted-runners

[AlCalzone]

PR is up at #10 :)

[github-actions[bot]]

:tada: This issue has been resolved in version 2.0.0 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: