dorset-ics / healthcare-data-exchange

A FHIR based integration and interoperability platform to support a regional healthcare network.
https://dorset-ics.github.io/healthcare-data-exchange/
MIT License

Manage Dependabot PRs #68

Open balteravishay opened 1 month ago

balteravishay commented 1 month ago

Today Dependabot PRs generate work that needs to be managed manually, by approving and merging them. Suggestion to fix that by smartly using Dependabot automation, as described in this guide.

The suggestion is to auto-approve and auto-merge if the dependency got only a minor or patch bump and has no security alerts. If a security alert exists, then no auto-approve/merge: mark it as security for manual approval. All major bumps always get manual review.

High level code may look something like:

```yaml
      - name: 🔀 Dependency Review
        uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # v4.3.2
        with:
          repo-token: ${{ steps.get-token.outputs.BOT_TOKEN }}
          vulnerability-check: true
          license-check: true
          comment-summary-in-pr: true

      - name: 📝 Fetch Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@5e5f99653a5b510e8555840e80cbf1514ad4af38 # v2.1.0
        with:
          github-token: ${{ steps.get-token.outputs.BOT_TOKEN }}
          alert-lookup: true
          compat-lookup: true

      - name: 👍 Approve PR
        if: ${{ contains(fromJSON('["version-update:semver-patch", "version-update:semver-minor"]'), steps.dependabot-metadata.outputs.update-type) && steps.dependabot-metadata.outputs.ghsa-id == '' && steps.dependabot-metadata.outputs.cvss == 0 }}
        run: gh pr review --approve "${{ env.PR_URL }}"
        env:
          GITHUB_TOKEN: ${{ steps.get-token.outputs.BOT_TOKEN }}

      - name: 🤝 Auto-merge PR
        if: ${{ contains(fromJSON('["version-update:semver-patch", "version-update:semver-minor"]'), steps.dependabot-metadata.outputs.update-type) && steps.dependabot-metadata.outputs.ghsa-id == '' && steps.dependabot-metadata.outputs.cvss == 0 }}
        run: gh pr merge --auto --delete-branch --squash "${{ env.PR_URL }}"
        env:
          GITHUB_TOKEN: ${{ steps.get-token.outputs.BOT_TOKEN }}

      - name: 🚨 Label security
        if: ${{ steps.dependabot-metadata.outputs.ghsa-id != '' || steps.dependabot-metadata.outputs.cvss != 0 }}
        run: gh pr edit "${{ env.PR_URL }}" --add-label "no-combine,security"
        env:
          GITHUB_TOKEN: ${{ steps.get-token.outputs.BOT_TOKEN }}
```
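A complete workflow built around the sketch above, added here as an example and not the repository's own workflow: it supplies the trigger, the author gate, the token step and the `PR_URL` value the sketch leaves out. The App token step, the secret names and the use of major version tags instead of SHAs are assumptions.

```yaml
name: Dependabot auto-merge

on:
  pull_request:
    branches: [main]

permissions:
  contents: write        # enable auto-merge
  pull-requests: write   # approve, label, comment

jobs:
  dependabot:
    # Gate on the PR author, not the branch name, so a human-opened "dependabot/..." branch is not auto-merged.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    env:
      PR_URL: ${{ github.event.pull_request.html_url }}
    steps:
      # Assumed: a GitHub App token (secret names are placeholders). The default GITHUB_TOKEN
      # on Dependabot PRs is read-only, and its approval would not satisfy a required review.
      - name: Get bot token
        id: get-token
        uses: actions/create-github-app-token@v1   # pin to a commit SHA as in the sketch above
        with:
          app-id: ${{ secrets.BOT_APP_ID }}
          private-key: ${{ secrets.BOT_APP_PRIVATE_KEY }}

      - name: Fetch Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ steps.get-token.outputs.token }}
          alert-lookup: true
          compat-lookup: true

      # Minor/patch bump with no linked advisory: approve and queue the merge.
      # --auto waits for the branch's required checks; without branch protection it merges at once.
      - name: Approve and auto-merge
        if: ${{ contains(fromJSON('["version-update:semver-patch", "version-update:semver-minor"]'), steps.dependabot-metadata.outputs.update-type) && steps.dependabot-metadata.outputs.ghsa-id == '' }}
        run: |
          gh pr review --approve "$PR_URL"
          gh pr merge --auto --delete-branch --squash "$PR_URL"
        env:
          GITHUB_TOKEN: ${{ steps.get-token.outputs.token }}
      # Bumps with an advisory get labelled for manual review (the label must already exist in the repo);
      # major bumps match neither step and so also stay manual.
      - name: Label security
        if: ${{ steps.dependabot-metadata.outputs.ghsa-id != '' }}
        run: gh pr edit "$PR_URL" --add-label "security"
        env:
          GITHUB_TOKEN: ${{ steps.get-token.outputs.token }}
```

The `permissions` block only scopes the default token; the App itself needs equivalent contents and pull-request write permissions.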