
Maintenance: Enable auto-merge for dependabot #126

Closed
bahrmichael opened this issue Jul 21, 2021 · 8 comments
Labels: automation (This item relates to automation), completed (This item is complete and has been merged/shipped), dependencies (Changes that touch dependencies, e.g. Dependabot, etc.)

Comments

@bahrmichael (Contributor)

Description of the feature request

Problem statement

Today dependabot PRs require manual approval, which consists of checking if the PR builds succeeded and then merging the changes.

Summary of the feature

By enabling auto-merge for a dependabot pull requests we can reduce the required maintenance time, and focus our time on more creative tasks.

To auto-merge your pull requests, we can use GitHub's auto-merge functionality. This enables the pull request to be merged when all required tests and approvals are successfully met.

The auto-merge functionality lets us configure under which conditions we want to enable auto-merge. This lets us start with a list of trusted dependencies (e.g. aws-sdk) and a certain version type (e.g. patch). The example below limits auto-merge to patches of aws-sdk.

      - name: Enable auto-merge for Dependabot PRs
        if: ${{contains(steps.metadata.outputs.dependency-names, 'aws-sdk') && steps.metadata.outputs.update-type == 'version-update:semver-patch'}}
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}

Auto-merge requires permissions to write to PRs, as shown below:

permissions:
  pull-requests: write
  contents: write

Code examples

Below is an example that I copied from the Github docs and switched the trusted library to aws-sdk. I did not dive deep into the step Dependabot metadata yet.

name: Dependabot auto-merge
on: pull_request_target

permissions:
  pull-requests: write
  contents: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1.1.0
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Enable auto-merge for Dependabot PRs
        if: ${{contains(steps.metadata.outputs.dependency-names, 'aws-sdk') && steps.metadata.outputs.update-type == 'version-update:semver-patch'}}
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

Benefits for you and the wider AWS community

Maintainers spend less time on chores, and have more time to engage with the community.

Describe alternatives you've considered

I have not yet investigated alternatives, as this seems to be the recommended approach for Github.

With this issue I am not suggesting that we should enable the auto-merge feature through the GitHub UI.

Additional context

None yet.

Related issues, RFCs

None yet.

@alan-churley (Contributor) commented Jul 21, 2021

I think that the new permissions on dependabot PRs would make this more difficult, as the workflow will only have read-only permission, so it would not be able to do the merge.

(https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/)

@dreamorosi (Contributor)

I agree that it'd reduce the maintenance load, but I'm not sure if the risk we'd be introducing is worth the benefit.

Second @alan-churley's opinion. There's a way of giving more privileges to the workflow, but we should be careful as it exposes the repository to pwn requests. The main question here is: do we trust dependabot enough to auto-merge whatever it throws at us?

TL;DR: Combining pull_request_target workflow trigger with an explicit checkout of an untrusted PR is a dangerous practice that may lead to repository compromise.
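An added example, not code from the issue or from the project: the allowlist-plus-patch gate from the issue body rewritten as a POSIX shell function that a workflow step could call with the fetch-metadata outputs passed in through the environment. The variable names DEPENDENCY_NAMES, UPDATE_TYPE and TRUSTED_DEPS are chosen for this example, and the comma-separated form of the dependency list is assumed from the fetch-metadata output format. It differs from the `contains()` expression in the issue body in two ways a reviewer would want: package names are matched exactly, so `aws-sdk-mock` does not pass as `aws-sdk`, and every package in a grouped update must be allowlisted. Because the decision is made from Dependabot metadata alone, the job never has to check out the PR head, which is the combination the comment above warns against.

```shell
#!/bin/sh
# Added example (not from the issue or the project): decide whether a Dependabot PR
# qualifies for auto-merge using only the metadata outputs, never the PR's code.
#
# Assumed environment in the workflow step (names chosen for this example):
#   DEPENDENCY_NAMES  comma-separated list, as the dependency-names output of fetch-metadata
#   UPDATE_TYPE       e.g. version-update:semver-patch (the update-type output)
#   TRUSTED_DEPS      space-separated exact package names that may be auto-merged

TRUSTED_DEPS="${TRUSTED_DEPS:-aws-sdk @aws-sdk/client-s3}"   # constructed allowlist

# should_automerge NAMES UPDATE_TYPE TRUSTED
# Exit status 0 when the update is a semver patch AND every updated dependency is
# an exact member of TRUSTED. Exact matching is deliberate: GitHub's contains()
# is a substring test, so 'aws-sdk' would also accept 'aws-sdk-mock'.
should_automerge() {
  names=$1
  update_type=$2
  trusted=$3

  [ "$update_type" = "version-update:semver-patch" ] || return 1
  [ -n "$names" ] || return 1

  # Commas become spaces so the list can be iterated; package names contain no spaces.
  for dep in $(printf '%s' "$names" | tr ',' ' '); do
    found=1
    for t in $trusted; do
      if [ "$dep" = "$t" ]; then
        found=0
        break
      fi
    done
    # One untrusted package in a grouped update rejects the whole PR.
    [ "$found" -eq 0 ] || return 1
  done
  return 0
}

# Usage inside the workflow step (the gh call is the one from the issue body):
#   if should_automerge "$DEPENDENCY_NAMES" "$UPDATE_TYPE" "$TRUSTED_DEPS"; then
#     gh pr merge --auto --merge "$PR_URL"
#   else
#     echo "auto-merge skipped: $DEPENDENCY_NAMES ($UPDATE_TYPE)"
#   fi
```

The step that runs this still needs `pull-requests: write` and `contents: write`, as the issue body notes, so the workflow should grant them to this job only and keep `actions/checkout` of the PR head out of it.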

@pankajagrawal16 commented Jul 21, 2021

This is automated in java repo https://github.com/awslabs/aws-lambda-powertools-java if you want to take inspiration from.

It works based on GitHub's new permission model.

As long as the build steps, i.e. test cases, pass, we merge the PR. It should be pretty safe trusting our own automated tests, I think, and it saves us a lot of effort of manually merging PRs.

@dreamorosi dreamorosi added the automation This item relates to automation label Jul 21, 2021
@dreamorosi dreamorosi self-assigned this Aug 11, 2021
@bahrmichael (Contributor, Author)

Resolved by #169

@github-actions bot (Contributor)

⚠️ COMMENT VISIBILITY WARNING ⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@stale bot commented Jan 9, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the pending-close-response-required This issue will be closed soon unless the discussion moves forward label Jan 9, 2022
@dreamorosi dreamorosi removed the pending-close-response-required This issue will be closed soon unless the discussion moves forward label Jan 18, 2022
@saragerion saragerion removed this from the production-ready-release milestone May 16, 2022
@dreamorosi (Contributor)

Given that we have disabled Dependabot updates in #992, this is not relevant anymore. Closing it.

@github-actions bot (Contributor) commented Jul 7, 2022

⚠️ COMMENT VISIBILITY WARNING ⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@dreamorosi dreamorosi added dependencies Changes that touch dependencies, e.g. Dependabot, etc. completed This item is complete and has been merged/shipped labels Nov 14, 2022
@dreamorosi dreamorosi self-assigned this Nov 14, 2022
@dreamorosi dreamorosi changed the title all: Enable auto-merge for dependabot Maintenance: Enable auto-merge for dependabot Nov 14, 2022