
Please help this learner out: I get frequent GitHub Dependabot alerts for "bumping" software versions to a more current one. My issue is I have to go into each (in my case, Django) app to pull or merge files. It is tedious and time-consuming to deal with, even for my limited number of apps. How do professionals manage the process?

Is there a way to let GitHub just bump whatever needs to be bumped (assuming one doesn't mind apps being broken)?

YCode

1 Answer


Yes. You can use GitHub Actions to do this. See the following blog post: Setting up Dependabot with GitHub actions to approve and merge

The code, the way it is now written, will only automatically merge minor and patch version changes. It will not merge major version changes, which are potentially breaking changes. You could remove that check, but it is not normally recommended.

You also need to change the following settings on your repo:

  • Settings -> Actions -> General -> check "Allow GitHub Actions to create and approve pull requests".
  • Settings -> General -> Pull Requests -> check "Allow auto-merge".

The contents of the GitHub workflow file, "dependabot-approve-and-auto-merge.yml", are:

name: Dependabot Pull Request Approve and Merge
on: pull_request_target
permissions:
  pull-requests: write
  contents: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Checking the actor will prevent your Action run failing on non-Dependabot
    # PRs but also ensures that it only does work for Dependabot PRs.
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      # This first step will fail if there's no metadata and so the approval
      # will not occur.
      - name: Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v1.1.1
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      # Here the PR gets approved.
      - name: Approve a PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Finally, this sets the PR to allow auto-merging for patch and minor
      # updates if all checks pass
      - name: Enable auto-merge for Dependabot PRs
        if: ${{ steps.dependabot-metadata.outputs.update-type != 'version-update:semver-major' }}
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
John Pankowicz
  • Many of my repos are forked from tutorials etc. Many are no longer of interest (e.g. those in Ruby). Is there any harm to leave them as they are? Should I archive these? – YCode May 23 '22 at 14:25
  • If you're not deploying the code, there's no harm in never doing security updates. But you should turn off dependabot on these to avoid useless notifications. – John Pankowicz May 23 '22 at 15:25
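As an added dry run of the three gates in the workflow above (the actor check, the metadata step, and the `update-type != 'version-update:semver-major'` condition), not code from the answer or from the fetch-metadata action: it classifies constructed Dependabot PR titles the way the workflow would, so you can see which bumps it would auto-merge before enabling it. Assumption: fetch-metadata derives the update type from the PR's own metadata, so parsing the default "Bump X from A to B" title is an approximation, and grouped PRs are treated here as having no per-dependency metadata.

```python
import re
# update-type values emitted by dependabot/fetch-metadata; the workflow
# only tests for the major one.
SEMVER_MAJOR = "version-update:semver-major"
SEMVER_MINOR = "version-update:semver-minor"
SEMVER_PATCH = "version-update:semver-patch"
# Dependabot's default single-dependency PR title. Assumption: grouped or
# unusually titled PRs carry no parsable metadata and are treated as such.
TITLE_RE = re.compile(r"^Bump (?P<dep>\S+) from (?P<old>\S+) to (?P<new>\S+)")

def parse_version(text):
    """Leading numeric major.minor.patch only: '4.1.0rc1' -> (4, 1, 0)."""
    nums = []
    for piece in text.split(".")[:3]:
        m = re.match(r"\d+", piece)
        if m is None:
            break
        nums.append(int(m.group()))
    nums.extend([0] * (3 - len(nums)))
    return tuple(nums)

def classify(old, new):
    """The coarse semver bucket fetch-metadata reports as update-type."""
    o, n = parse_version(old), parse_version(new)
    if n[0] != o[0]:
        return SEMVER_MAJOR
    if n[1] != o[1]:
        return SEMVER_MINOR
    return SEMVER_PATCH

def would_auto_merge(title, actor="dependabot[bot]"):
    """Mirror the workflow's three gates: actor, metadata present, not major."""
    if actor != "dependabot[bot]":  # `if: github.actor == 'dependabot[bot]'`
        return False
    m = TITLE_RE.match(title)
    if m is None:  # no metadata: the first step fails and nothing is approved
        return False
    return classify(m["old"], m["new"]) != SEMVER_MAJOR

# Constructed sample PR titles, not real alerts.
SAMPLE_TITLES = [
    "Bump django from 4.0.4 to 4.0.5",      # patch -> auto-merge
    "Bump django from 3.2.13 to 4.0.4",     # major -> left for a human
    "Bump requests from 2.27.1 to 2.28.0",  # minor -> auto-merge
    "Bump the pip group with 3 updates",    # no per-dependency metadata
]

def triage(titles=SAMPLE_TITLES):
    """Map each PR title to whether the workflow would set auto-merge on it."""
    return {t: would_auto_merge(t) for t in titles}
```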