Support for automerge in GitHub Native Dependabot
#2268
Comments
|
@feelepxyz I saw that issue but it is about v1. I am asking about v2 |
|
@UziTech ah yes sorry that issue is confusing. Here's the comment reffering to v2 support: #1823 (comment) |
|
@feelepxyz It seems like the comments about automerging in v2 are spread into issues about other things. I still feel like this isn't a duplicate of any of those since none of those issues are specifically about auto-merge in v2. Some of them are also closed making it harder for a person to find them. I think it would be easier for people to find the reasoning behind the removal if this issue remained open until it is resolved. Though I feel like a link to this #1823 (comment) is good enough for an answer for now. |
|
In case anyone wants the ability to auto merge you can accomplish this with github actions: The token used must have ...
Automerge:
needs: [Test, Lint]
runs-on: ubuntu-latest
if: |
github.actor == 'dependabot[bot]' &&
github.event_name == 'pull_request' &&
startsWith(github.event.pull_request.title, 'chore(deps-dev):')
steps:
- name: '@dependabot merge'
uses: actions/github-script@v2
with:
github-token: ${{secrets.GH_TOKEN}}
script: |
await github.issues.createComment({
owner: context.payload.repository.owner.login,
repo: context.payload.repository.name,
issue_number: context.payload.pull_request.number,
body: '@dependabot merge'
}) |
|
@UziTech I'm having trouble with which Personal Access Token scope to use. You said you need either public_repo or push permission. Which scope permission is that (the push permission)? |
|
@Clumsy-Coder If it is a public repo this is all you should need:
There isn't a permission called "push" but any token that is able to push commits should work. |
|
@UziTech I'm using a private repo. Do I need repo permission (and all it's sub permissions)? |
|
Yes I believe |
|
@UziTech Thanks. That worked. |
|
It seems like this solution fails with protected branches? (The |
|
@ZebraFlesh you can try using the pascalgn/automerge-action to merge with a user other than dependabot. |
|
@UziTech Thanks, that's an interesting work around. However, I'm not thrilled about consuming yet more Actions minutes because dependabot broke the |
|
We got the alternative here: https://twitter.com/github/status/1336360682221133827?s=20
|
|
@peaceiris Is that a button that you have to push on every pull request? This issue is more about not even having to look at the pull request or need any human interaction for merging dependency updates. |
|
We do not know the details yet. It will start rolling out next week. I hope we can set the auto-merge for a whole repository/account without approval. |
|
According to the roadmap it will be a button that can be pressed when a PR is submitted by a person with push access. I don't think this will do anything for dependabot ☹. |
|
It seems like all of these automerge work arounds are failing now since dependabot does not have access to any secrets in the repository. |
|
as @UziTech said, we can't use personal access tokens on Github actions triggered from dependabot. I think it's time to raise the priority of this bug. Thanks for your awesome work. |
|
Looks like it could be possible to still workaround it, with the |
|
👋 Sorry for the inconvenience this change has caused. We know it's a pain to rejig workflows around this new limitation but we felt it was necessary considering the potential risk. We've put together a sample workflow for updating a dependabot pr that might be a useful reference for automerging using actions: https://github.com/dependabot/dependabot-actions-workflow/tree/main/.github/workflows |
|
I've also replaced dependabot with renovate bot, and I can recommend everybody interested doing the same. I don't know what was so difficult in renaming The fact that you've decided to announce the shutdown of native Dependabot before resurrecting this feature as part of your "investigation" in #1823 (comment) was the final nail in the coffin for me. Defending your decision with that argument yet recommending people to use third-party solutions to re-enable automerge is a total hypocrisy to me. So long dependabot, yet another great product that went downhill after acquisition. |
|
For anyone looking for a work around here is a simple script that uses name: "Automerge"
on:
workflow_run:
workflows:
- CI
types:
- completed
jobs:
Automerge:
runs-on: ubuntu-latest
if: |
github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success'
steps:
- name: 'Merge PR'
uses: actions/github-script@v4
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const pr = await github.pulls.get({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.payload.workflow_run.pull_requests[0].number,
});
if (!pr.data.title.startsWith('chore(deps-dev):')) {
console.log('Not Merged 🚫');
console.log(`Title '${pr.data.title}' does not start with 'chore(deps-dev):'`);
} else if (pr.data.user.login !== 'dependabot[bot]') {
console.log('Not Merged 🚫');
console.log(`User '${pr.data.user.login}' does not equal 'dependabot[bot]'`);
} else {
await github.pulls.merge({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.payload.workflow_run.pull_requests[0].number,
});
console.log('Merged 🎉');
}You can see it in action here. |
|
And for folks who need metadata (e.g. name of the dependency, semver, dev/prod, etc.) we have published an action that provides this and have some info on how it can be used to enable GitHub's auto-merge: https://github.com/marketplace/actions/fetch-metadata-from-dependabot-prs#enabling-auto-merge. If folks want, it can also be re-purposed for any other approval or merge flow. |
|
Nice! That's really a great news. Thanks @asciimike! |
|
@asciimike good stuff! If I understand correctly, it follows that the simplest workflow I can have to just auto approve and auto merge all dependabot PRs would be: name: Dependabot auto-approve and auto-merge
on: pull_request_target
permissions:
pull-requests: write
content: write
jobs:
dependabot:
runs-on: ubuntu-latest
if: ${{ github.actor == 'dependabot[bot]' }}
steps:
- name: Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@v1.1.0
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"
- name: Auto approve
run: gh pr review --approve "$PR_URL"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
- name: Auto merge
run: gh pr merge --auto --merge "$PR_URL"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}This would still leverage the |
|
@gitfool 👍 There are a few rough edges to be aware of around enabling auto-merging. It currently only works if a PR has a branch protection enabled with at least a required review or a required CI check, and these are still outstanding. You'll need to enable auto-merge before approving the PR if you don't have CI and only require review. Here's an issue explaining the current limitation with the gc cli. Here's a more in-depth answer about auto-merge requirements. |
|
If anyone is looking for a holistic approach, my company is maintaining a Merge Me! Action which works with both Dependabot and other bots: https://github.com/marketplace/actions/merge-me. |
|
I'm trying to use the |
|
I had to do some slight tweaks to get dependency automerges working for me: |
|
I just wanted to let people know that it's still not possible to automerge with https://github.com/marketplace/actions/fetch-metadata-from-dependabot-prs#enabling-auto-merge if you have |
|
Closing as this discussion has run its course. I don't see us enabling auto-merge anytime soon for the reasons mentioned above, but there are several potential workarounds described in this issue for those "who really need it". |
|
We are starting to look at some auto-merge use cases for very specific situations. We don't have details to share publicly yet, but you can follow this issue to get notified of further updates: Please be mindful of https://github.com/dependabot/dependabot-core#no-1-comments, and instead 👍 the top post of that issue. |
The
automerged_updatesoptions seems to have been removed in v2 according to the docs. Is there a way to automerge v2?The text was updated successfully, but these errors were encountered: