
How do I automerge dependabot updates (config version 2)?

Following "Dependabot is moving natively into GitHub!", I had to update my dependabot config files to use version 2 format.

My .dependabot/config.yaml did look like:

version: 1
update_configs:
  - package_manager: "python"
    directory: "/"
    update_schedule: "live"
    automerged_updates:
      - match:
          dependency_type: "all"
          update_type: "all"

I've got the following working:

version: 2
updates:
- package-ecosystem: pip
  directory: "/"
  schedule:
    interval: daily

but I can't seem to add the automerge option again (when checking with the dependabot validator)?

andyandy asked Sep 29 '20 09:09



1 Answer

Here is one solution that doesn't require any additional marketplace installations (originally found here). Simply create a new GitHub workflow (e.g. .github/workflows/dependabotautomerge.yml) containing:

name: "Dependabot Automerge - Action"

on:
  pull_request:

jobs:
  worker:
    runs-on: ubuntu-latest

    if: github.actor == 'dependabot[bot]'
    steps:
      - name: automerge
        # <version> is a placeholder: the pinned tag is garbled on this page
        uses: actions/github-script@<version>
        with:
          script: |
            // Approve the pull request that triggered this run.
            await github.pullRequests.createReview({
              owner: context.payload.repository.owner.login,
              repo: context.payload.repository.name,
              pull_number: context.payload.pull_request.number,
              event: 'APPROVE'
            })
            // Merge it once the approval has been submitted.
            await github.pullRequests.merge({
              owner: context.payload.repository.owner.login,
              repo: context.payload.repository.name,
              pull_number: context.payload.pull_request.number
            })
          github-token: ${{github.token}}

There are also various third-party solutions available on GitHub Marketplace.

andyandy answered Nov 03 '22 00:11
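The workflow above approves and merges every pull request whose triggering actor is dependabot[bot]. As an added example (not part of the original answer or of any GitHub project), here is a gating function that restores the kind of `update_type` filter the version 1 config offered: it checks the pull request's author and allows only patch and minor bumps. The names `classifyBump` and `shouldAutomerge`, the allowed-levels policy and the sample payloads are assumptions made for illustration, and the title pattern assumes Dependabot's default "Bump X from A to B" wording.

```javascript
// Added example: gate auto-merge on PR author and semver level.
// Function names, policy and sample payloads are illustrative assumptions.
const DEPENDABOT_LOGIN = 'dependabot[bot]';

// Assumes Dependabot's default title wording, "Bump <dep> from <old> to <new>",
// with plain X.Y.Z versions; anything else is left for a human to review.
const TITLE_RE = /\bbump (\S+) from (\d+)\.(\d+)\.(\d+) to (\d+)\.(\d+)\.(\d+)$/i;

function classifyBump(title) {
  const m = TITLE_RE.exec(String(title).trim());
  if (!m) return null;
  const from = m.slice(2, 5).map(Number);
  const to = m.slice(5, 8).map(Number);
  // First component that differs decides the level; reject no-ops and downgrades.
  const idx = from.findIndex((n, i) => n !== to[i]);
  if (idx === -1 || to[idx] < from[idx]) return null;
  return { dependency: m[1], level: ['major', 'minor', 'patch'][idx] };
}

function shouldAutomerge(payload, allowed = ['patch', 'minor']) {
  const pr = payload && payload.pull_request;
  if (!pr || !pr.user) return false;
  // Check who opened the PR, not who triggered this workflow run.
  if (pr.user.login !== DEPENDABOT_LOGIN) return false;
  const bump = classifyBump(pr.title);
  return bump !== null && allowed.includes(bump.level);
}

// Constructed sample payloads (not real webhook events).
const samplePr = (login, title) => ({ pull_request: { user: { login }, title } });
const SAMPLES = {
  patch: samplePr('dependabot[bot]', 'Bump requests from 2.24.0 to 2.24.1'),
  minor: samplePr('dependabot[bot]', 'Bump requests from 2.24.0 to 2.25.0'),
  major: samplePr('dependabot[bot]', 'Bump django from 2.2.16 to 3.1.1'),
  otherAuthor: samplePr('someone-else', 'Bump requests from 2.24.0 to 2.24.1'),
  oddTitle: samplePr('dependabot[bot]', 'Update requests requirement'),
};

for (const [name, payload] of Object.entries(SAMPLES)) {
  console.log(name, shouldAutomerge(payload));
}
```

Inside the workflow's `script:` body the event payload is `context.payload`, so the approve and merge calls would run only when `shouldAutomerge(context.payload)` returns true.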