| 1 | +# Dependabot with auto-merge |
| 2 | + |
| 3 | +[working-with-dependabot]: https://docs.github.com/en/code-security/dependabot/working-with-dependabot |
| 4 | +[automating-dependabot]: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions |
| 5 | +[configure-dependabot-yaml]: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file |
| 6 | + |
| 7 | +[Dependabot][working-with-dependabot] is a security tool offered by GitHub. |
| 8 | +Dependabot scans your repositories for vulnerabilities and outdated dependencies, and may automatically open pull requests to bump dependency versions. |
| 9 | +The sheer volume of pull requests can incur a significant workload on your team, especially if you manage a lot of repositories. |
| 10 | + |
| 11 | +By completing this guide, Dependabot's pull requests on your repository will automatically get merged. |
| 12 | + |
| 13 | +## Enable Dependabot |
| 14 | + |
| 15 | +The contents of this file will depend on your project requirements. Do not use this file as-is. |
| 16 | +Please see [dependabot.yaml configuration syntax][configure-dependabot-yaml] for detailed instructions on how to configure Dependabot. |
| 17 | + |
| 18 | +```yaml |
| 19 | +# .github/dependabot.yaml |
| 20 | + |
| 21 | +version: 2 |
| 22 | +updates: |
| 23 | + - die: &I didn't edit my config file |
| 24 | + - package-ecosystem: "github-actions" |
| 25 | + directory: "/" |
| 26 | + schedule: |
| 27 | + interval: "daily" |
| 28 | + time: "10:05" |
| 29 | + timezone: "Europe/Oslo" |
| 30 | + - package-ecosystem: "docker" |
| 31 | + directory: "/" |
| 32 | + schedule: |
| 33 | + interval: "daily" |
| 34 | + time: "10:05" |
| 35 | + timezone: "Europe/Oslo" |
| 36 | +``` |
| 37 | +
|
| 38 | +## GitHub workflow for auto-merging Dependabot pull requests |
| 39 | +
|
| 40 | +This workflow will trigger when dependabot opens a pull request. |
| 41 | +All changes are automatically merged. |
| 42 | +See also [Automating Dependabot with GitHub Actions][automating-dependabot]. |
| 43 | +
|
| 44 | +```yaml |
| 45 | +# .github/workflows/dependabot-auto-merge.yaml |
| 46 | + |
| 47 | +name: Dependabot auto-merge |
| 48 | +on: pull_request |
| 49 | + |
| 50 | +permissions: |
| 51 | + contents: write |
| 52 | + pull-requests: write |
| 53 | + |
| 54 | +jobs: |
| 55 | + dependabot: |
| 56 | + runs-on: ubuntu-latest |
| 57 | + if: ${{ github.actor == 'dependabot[bot]' }} |
| 58 | + steps: |
| 59 | + - name: Dependabot metadata |
| 60 | + id: metadata |
| 61 | + uses: dependabot/fetch-metadata@v1 |
| 62 | + with: |
| 63 | + github-token: "${{ secrets.GITHUB_TOKEN }}" |
| 64 | + - name: Auto-merge changes from Dependabot |
| 65 | + if: steps.metadata.outputs.update-type != 'version-update:semver-major' || steps.metadata.outputs.package-ecosystem == 'github_actions' |
| 66 | + run: gh pr merge --auto --squash "$PR_URL" |
| 67 | + env: |
| 68 | + PR_URL: ${{github.event.pull_request.html_url}} |
| 69 | + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} |
| 70 | +``` |
| 71 | +
|
| 72 | +## Enable branch protection and auto-merge on repository |
| 73 | +
|
| 74 | +Change working directory to your git repository, then run this script. |
| 75 | +Otherwise, the workflow above might not work as expected. |
| 76 | +
|
| 77 | +```bash |
| 78 | +#!/bin/bash |
| 79 | +# source: https://github.com/navikt/dagpenger/blob/master/bin/enforce_branch_protection.sh |
| 80 | + |
| 81 | +# Get the current repository information |
| 82 | +repo_url=$(git remote get-url origin) |
| 83 | +repo_name=$(basename -s .git "$repo_url") |
| 84 | +owner=$(echo "$repo_url" | awk -F"(/|:)" '{print $2}') |
| 85 | + |
| 86 | +# Determine the name of the main branch |
| 87 | +main_branch=$(git symbolic-ref --short HEAD 2>/dev/null || git branch -l --no-color | grep -E '^[*]' | sed 's/^[* ] //') |
| 88 | + |
| 89 | +# Configure branch protection |
| 90 | +gh api repos/"$owner"/"$repo_name"/branches/"$main_branch"/protection \ |
| 91 | + --method PUT \ |
| 92 | + --silent \ |
| 93 | + --header "Accept: application/vnd.github.v3+json" \ |
| 94 | + --input ../.protection_settings.json |
| 95 | + |
| 96 | +# Enable auto-merge on repository |
| 97 | +echo '{ "allow_auto_merge": true, "delete_branch_on_merge": true }' | gh api repos/"$owner"/"$repo_name" \ |
| 98 | + --method PATCH \ |
| 99 | + --silent \ |
| 100 | + --header "Accept: application/vnd.github.v3+json" \ |
| 101 | + --input - |
| 102 | + |
| 103 | +if [ $? -eq 0 ]; then |
| 104 | + echo "Branch protection configured for $owner/$repo_name on branch $main_branch" |
| 105 | +else |
| 106 | + echo "Failed to configure branch protection for $owner/$repo_name on branch $main_branch" |
| 107 | +fi |
| 108 | +``` |
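Review bot: the final `if [ $? -eq 0 ]` only reflects the exit status of the repository PATCH, so a failed branch-protection PUT still prints "Branch protection configured"; check the `gh api .../protection` call on its own, for example with `|| { echo "Failed to configure branch protection"; exit 1; }` directly after it. In the same script, `--input ../.protection_settings.json` reads a file from the parent of the repository that the guide neither shows nor documents, while the text above says to run the script from inside the repository, so the expected location and contents of that JSON should be stated. The `owner=` extraction with `awk -F"(/|:)"` returns the owner only for `git@github.com:owner/repo.git` remotes; for an `https://github.com/owner/repo.git` remote field 2 is empty and the API paths become `repos//repo`. `main_branch` is also the currently checked-out branch rather than the repository's default branch, which is the one the auto-merge workflow merges into. Finally, the `- die: &I didn't edit my config file` entry in `dependabot.yaml` is not valid YAML; if it is a deliberate tripwire behind the "Do not use this file as-is" warning, say so in the README text so readers do not report it as a bug.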