celestiaorg / .github


Proposal: Dependabot auto merge #17

Open MSevey opened 1 year ago

MSevey commented 1 year ago

If a repo has sufficient CI, we should be able to safely auto merge dependabot PRs.

Some helpful references for how other projects have done it:

- https://github.com/SkynetLabs/.github/blob/master/.github/actions/dependabot-approve-and-merge/action.yml
- https://github.com/SkynetLabs/skynet-js/blob/master/.github/.kodiak.toml

MSevey commented 1 year ago

Looks like there is a nice action here https://github.com/marketplace/actions/dependabot-auto-merge

MSevey commented 1 year ago

This should be all that is needed.

```yaml
# For more information see https://github.com/marketplace/actions/dependabot-auto-merge
name: auto-merge

on:
  pull_request:

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ahmadnassri/action-dependabot-auto-merge@v2
        with:
          # The `target` field defines the highest semver level that is auto merged.
          # The default is patch; setting it to minor auto merges minor releases as well.
          target: minor
          # DEPENDABOT_AUTOMERGE_PAT is a celestiaorg level secret.
          # It is a PAT for MSevey who should have sufficient permissions to perform the action on all repos.
          github-token: ${{ secrets.DEPENDABOT_AUTOMERGE_PAT }}
```

MSevey commented 1 year ago

Here is another alternative

https://github.com/fastify/github-action-merge-dependabot

MSevey commented 1 year ago

Another option that I've been using in practice.

workflow file

```yaml
  # Auto-merge Dependabot PRs. Requires also `.github/.kodiak.toml`.
  # This is a single job definition; it sits under the `jobs:` key of the workflow.
  dependabot:
    needs: deploy
    name: "Approve and Merge Dependabot PRs"
    # - Must be a PR.
    # - The latest actor must be Dependabot. This prevents other users from
    #   sneaking changes into the PR.
    if: ${{ github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' }}
    runs-on: ubuntu-latest
    # write-all grants every token scope; the approve and merge steps below only
    # use `pull-requests: write` and `contents: write`.
    permissions: write-all
    steps:
      - uses: actions/checkout@v3
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1.4.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Approve PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Enable auto-merge for Dependabot PRs
        # --auto defers the actual merge until branch protection (required checks
        # and reviews) is satisfied; auto-merge must be enabled in the repo settings.
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

.kodiak.toml

```toml
# Auto-merge Dependabot PRs.

version = 1

[approve]
# note: remove the "[bot]" suffix from GitHub Bot usernames.
# Instead of "dependabot[bot]" use "dependabot".
auto_approve_usernames = ["dependabot"]
```
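A hardened variant of the approve-and-merge workflows discussed in this thread (the marketplace-action version with `target: minor` and the `gh`-based job above), written as an added example for this issue; it is not code from the issue or from any celestiaorg repository. It differs from the posted snippets in three ways: it uses the `update-type` output of `dependabot/fetch-metadata` to decide which semver levels get merged, it keeps the default `GITHUB_TOKEN` but grants only the two scopes the `gh` calls need instead of `write-all`, and it checks the PR author as well as the latest actor. The workflow name, the job names `ci` and `dependabot-auto-merge`, and the placeholder `ci` job are assumptions; the repository must have auto-merge enabled in its settings for `gh pr merge --auto` to succeed.

```yaml
name: dependabot-auto-merge

on:
  pull_request:

# Least-privilege default for every job; a job widens only what it needs.
permissions:
  contents: read

jobs:
  # Placeholder for the repository's real test job (assumed name). The merge
  # job below depends on it, so nothing is approved before CI has passed.
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: echo "run the real test suite here"

  dependabot-auto-merge:
    needs: ci
    runs-on: ubuntu-latest
    # Only Dependabot's own PRs: the PR author must be dependabot[bot] and the
    # latest push (actor) must also be Dependabot, so a commit pushed by anyone
    # else onto the branch stops the job from running.
    if: >-
      github.event_name == 'pull_request' &&
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.actor == 'dependabot[bot]'
    # Only the scopes the gh calls below need. Dependabot-triggered runs get a
    # read-only GITHUB_TOKEN unless the workflow sets permissions explicitly.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Gate on the semver level: patch and minor bumps are merged automatically;
      # major bumps (and anything the action cannot classify) are left to a human.
      - name: Approve PR
        if: >-
          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
          steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Enable auto-merge
        if: >-
          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
          steps.metadata.outputs.update-type == 'version-update:semver-minor'
        # --auto defers the merge until branch protection (required checks and
        # reviews) is satisfied; auto-merge must be enabled in the repo settings.
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Flag major updates for manual review
        if: steps.metadata.outputs.update-type == 'version-update:semver-major'
        run: gh pr comment "$PR_URL" --body "Major version update: auto-merge skipped, please review manually."
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Because approval and merge are both conditional on `update-type`, a PR that bumps a major version (or one whose metadata the action cannot parse) is never approved by the bot and simply waits for a reviewer, which is the same effect the `target: minor` setting gives the marketplace action, but with the gating logic visible in the workflow and with the token limited to `contents` and `pull-requests` scopes.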