Open MSevey opened 1 year ago
Looks like there is a nice action here https://github.com/marketplace/actions/dependabot-auto-merge
This should be all that is needed.
```yaml
# For more information see https://github.com/marketplace/actions/dependabot-auto-merge
name: auto-merge

on:
  pull_request:

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ahmadnassri/action-dependabot-auto-merge@v2
        with:
          target: minor
          # DEPENDABOT_AUTOMERGE_PAT is a celestiaorg level secret.
          # It is a PAT for MSevey who should have sufficient permissions to perform the action on all repos.
          github-token: ${{ secrets.DEPENDABOT_AUTOMERGE_PAT }}
          # the `target` field defines the target version to auto merge.
          # The default is patch, but it can be updated to include auto merging minor releases as well
          # target: minor
```
Here is another alternative
Another option in practice that I've been using.
workflow file
```yaml
# Auto-merge Dependabot PRs. Requires also `.github/.kodiak.toml`.
dependabot:
  needs: deploy
  name: "Approve and Merge Dependabot PRs"
  # - Must be a PR.
  # - The latest actor must be Dependabot. This prevents other users from
  #   sneaking in changes into the PR.
  if: ${{ github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' }}
  runs-on: ubuntu-latest
  permissions: write-all
  steps:
    - uses: actions/checkout@v3
    - name: Dependabot metadata
      id: metadata
      uses: dependabot/fetch-metadata@v1.4.0
      with:
        github-token: ${{ secrets.GITHUB_TOKEN }}
    - name: Approve PR
      run: gh pr review --approve "$PR_URL"
      env:
        PR_URL: ${{ github.event.pull_request.html_url }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Enable auto-merge for Dependabot PRs
      run: gh pr merge --auto --squash "$PR_URL"
      env:
        PR_URL: ${{ github.event.pull_request.html_url }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
.kodiak.toml

```toml
# Auto-merge Dependabot PRs.
version = 1

[approve]
# note: remove the "[bot]" suffix from GitHub Bot usernames.
# Instead of "dependabot[bot]" use "dependabot".
auto_approve_usernames = ["dependabot"]
```
If a repo has sufficient CI, we should be able to safely auto merge dependabot PRs.
Some helpful references for how other projects have done it:

- https://github.com/SkynetLabs/.github/blob/master/.github/actions/dependabot-approve-and-merge/action.yml
- https://github.com/SkynetLabs/skynet-js/blob/master/.github/.kodiak.toml
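
The second workflow in this thread fetches Dependabot metadata but then approves and merges every Dependabot PR regardless of update type. The following is an added example (not code from this thread or from the linked projects) that gates both steps on the `update-type` output of `dependabot/fetch-metadata` and replaces `write-all` with the two permissions the `gh` commands need. The file name, the workflow name and the omission of the `needs: deploy` dependency are assumptions.

```yaml
# Added example: hypothetical file .github/workflows/dependabot-auto-merge.yml
name: dependabot-auto-merge
on: pull_request

# Grant only what the two gh commands below need, instead of write-all.
permissions:
  contents: write
  pull-requests: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Both the PR author and the latest actor must be Dependabot.
    if: >-
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.actor == 'dependabot[bot]'
    env:
      PR_URL: ${{ github.event.pull_request.html_url }}
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      # No checkout step: gh is given the PR URL, so no PR code is
      # fetched onto the runner.
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1.4.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # Gate on the update type reported by fetch-metadata; major bumps
      # (version-update:semver-major) are left for a human reviewer.
      - name: Approve patch and minor updates
        if: >-
          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
          steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: gh pr review --approve "$PR_URL"
      # --auto defers the merge until the repository's required checks
      # and reviews are satisfied.
      - name: Enable auto-merge for patch and minor updates
        if: >-
          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
          steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: gh pr merge --auto --squash "$PR_URL"
```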