Name: dependabot/fetch-metadata
Extract information about the dependencies being updated by a Dependabot-generated PR.
Create a workflow file that contains a step that uses: dependabot/fetch-metadata@v2
, e.g.
-- .github/workflows/dependabot-prs.yml
name: Dependabot Pull Request
on: pull_request
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
jobs:
build:
permissions:
pull-requests: read
runs-on: ubuntu-latest
steps:
- name: Fetch Dependabot metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v2
with:
alert-lookup: true
compat-lookup: true
github-token: "${{ secrets.PAT_TOKEN }}"
Supported inputs are:
github-token
(string)
GITHUB_TOKEN
secret${{ github.token }}
alert-lookup
or compat-lookup
.alert-lookup
(boolean)
true
, then populate the alert-state
, ghsa-id
and cvss
outputs.false
github-token
field must be set to a personal access token (PAT).compat-lookup
(boolean)
true
, then populate the compatibility-score
output.false
github-token
field must be set to a personal access token (PAT).skip-commit-verification
(boolean)
true
, then the action will not expect the commits to have a verification signature. It is required to set this to 'true' in GitHub Enterprise Serverfalse
skip-verification
(boolean)
true
, the action will not validate the user or the commit verification statusfalse
Subsequent actions will have access to the following outputs:
steps.dependabot-metadata.outputs.dependency-names
steps.dependabot-metadata.outputs.dependency-type
direct:production
, direct:development
and indirect
. See the allow
documentation for descriptions of each.steps.dependabot-metadata.outputs.update-type
version-update:semver-major
. For all possible values, see the ignore
documentation.steps.dependabot-metadata.outputs.updated-dependencies-json
steps.dependabot-metadata.outputs.directory
directory
configuration that was used by dependabot for this updated Dependency.steps.dependabot-metadata.outputs.package-ecosystem
package-ecosystem
configuration that was used by dependabot for this updated Dependency.steps.dependabot-metadata.outputs.target-branch
target-branch
configuration that was used by dependabot for this updated Dependency.steps.dependabot-metadata.outputs.previous-version
steps.dependabot-metadata.outputs.new-version
steps.dependabot-metadata.outputs.alert-state
alert-lookup
is true
, this contains the current state of that alert (OPEN, FIXED or DISMISSED).steps.dependabot-metadata.outputs.ghsa-id
alert-lookup
is true
, this contains the GHSA-ID of that alert.steps.dependabot-metadata.outputs.cvss
alert-lookup
is true
, this contains the CVSS value of that alert (otherwise it contains 0).steps.dependabot-metadata.outputs.compatibility-score
compat-lookup
is true
, this contains the compatibility score (otherwise it contains 0).steps.dependabot-metadata.outputs.maintainer-changes
steps.dependabot-metadata.outputs.dependency-group
Note: By default, these outputs will only be populated if the target Pull Request was opened by Dependabot and contains
only Dependabot-created commits. To override, see skip-commit-verification
/ skip-verification
.
For workflows initiated by Dependabot (github.actor == 'dependabot[bot]'
) using the pull_request_target
event, if the base ref of the pull request was created by Dependabot (github.event.pull_request.user.login == 'dependabot[bot]'
), the GITHUB_TOKEN
will be read-only and secrets are not available.
This metadata can be used along with Action's expression syntax and the GitHub CLI to create useful automation for your Dependabot PRs.
Since the dependabot/fetch-metadata
Action will set a failure code if it cannot find any metadata, you can
have a permissive auto-approval on all Dependabot PRs like so:
name: Dependabot auto-approve
on: pull_request
permissions:
pull-requests: write
jobs:
dependabot:
runs-on: ubuntu-latest
# Checking the author will prevent your Action run failing on non-Dependabot PRs
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
steps:
- name: Dependabot metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v2
- uses: actions/checkout@v4
- name: Approve a PR if not already approved
run: |
gh pr checkout "$PR_URL" # sets the upstream metadata for `gh pr status`
if [ "$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)" != "APPROVED" ];
then gh pr review --approve "$PR_URL"
else echo "PR already approved, skipping additional approvals to minimize emails/notification noise.";
fi
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
If you are using the auto-merge feature on your repository, you can set up an action that will enable Dependabot PRs to merge once CI and other branch protection rules are met. (Note that you must use a personal access token (PAT) when executing the merge instruction.)
For example, if you want to automatically merge all patch updates to Rails:
name: Dependabot auto-merge
on: pull_request
permissions:
pull-requests: write
contents: write
jobs:
dependabot:
runs-on: ubuntu-latest
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
steps:
- name: Dependabot metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v2
- name: Enable auto-merge for Dependabot PRs
if: ${{contains(steps.dependabot-metadata.outputs.dependency-names, 'rails') && steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch'}}
run: gh pr merge --auto --merge "$PR_URL"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
If you have other automation or triage workflows based on GitHub labels, you can configure an action to assign these based on the metadata.
For example, if you want to flag all production dependency updates with a label:
name: Dependabot auto-label
on: pull_request
permissions:
pull-requests: write
issues: write
repository-projects: write
jobs:
dependabot:
runs-on: ubuntu-latest
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
steps:
- name: Dependabot metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v2
- name: Add a label for all production dependencies
if: ${{ steps.dependabot-metadata.outputs.dependency-type == 'direct:production' }}
run: gh pr edit "$PR_URL" --add-label "production"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
## Dependabot PR's - We expect Dependabot PRs to be passing CI and have any changes to the `dist/` folder built for production dependencies - Some development dependencies may fail the `dist/` check if they modify the Typescript compilation, these should be updated manually via `npm run build`. See the [`dependabot-build`](https://github.com/dependabot/fetch-metadata/blob/main/.github/workflows/dependabot-build.yml) action for details. ## Tagging a new release Publish a new release by running the [`Release - Bump Version`](https://github.com/dependabot/fetch-metadata/actions/workflows/release-bump-version.yml) workflow and following the instructions on the job summary. In a nutshell the process will be: 1. Run the action to generate a version bump PR. 2. Merge the PR. 3. Tag that merge commit as a new release using the format `v1.2.3`. The job summary contains a URL pre-populated with the correct version for the title and tag. 4. Once the release is tagged, another GitHub Action workflow automatically moves the `v2` tracking tag to point to the new version.