Native Dependabot is not behaving the same as dependabot-preview #3725

Closed
gustavovnicius opened this issue May 17, 2021 · 7 comments
Labels
E: dependabot-preview Issues specific to Dependabot Preview F: preview-migration Issue relates to migrating from Dependabot Preview

Comments

@gustavovnicius

gustavovnicius commented May 17, 2021

Native Dependabot is not showing the same behavior as dependabot-preview in two regards:

  • Pull Requests do not get automatically rebased when the target-branch (aka main, master) gets updated. I have linear history protection enabled. The behavior I expect is that whenever something gets pushed into the target branch, dependabot's branches get updated (rebased and force pushed, or re-run from the latest target branch).
  • Pull Requests do not get merged when I approve them. I have to explicitly type @dependabot merge (or equivalent). The behavior I expect is that Dependabot merges the PR automatically when I approve it.

Both behaviors that are expected are how dependabot-preview always worked.

Basic info:

Package ecosystem

maven

Package manager version

Language version

Various java versions

Manifest location and content prior to update

N/A

Updated dependency

N/A

Native package manager behavior

N/A

Images of the diff or a link to the PR, issue or logs

Previous behavior in Dependabot Preview:

N/A

Current behavior in GitHub-native Dependabot:

N/A

@asciimike asciimike added the E: dependabot-preview Issues specific to Dependabot Preview label May 17, 2021
@asciimike
Contributor

> Pull Requests do not get automatically rebased when the target-branch (aka main, master) gets updated. I have linear history protection enabled. The behavior I expect is that whenever something gets pushed into the target branch, dependabot's branches get updated (rebased and force pushed, or re-run from the latest target branch)

The behavior in both should be, "auto-rebase when there is a reason why it would need to rebase, e.g. there are merge conflicts" not "rebase any time anything changes". I'll let some folks on the team color more in around the specifics, but auto-rebase still exists.

> Pull Requests do not get merged when I approve them. I have to explicitly type @dependabot merge (or equivalent). The behavior I expect is that Dependabot merges the PR automatically when I approve it.

See #2268 for why automerge isn't currently supported.

@feelepxyz
Contributor

> • Pull Requests do not get automatically rebased when the target-branch (aka main, master) gets updated. I have linear history protection enabled. The behavior I expect is that whenever something gets pushed into the target branch, dependabot's branches get updated (rebased and force pushed, or re-run from the latest target branch)

There's currently no way to tell dependabot to always rebase if the target branch is updated. There's currently only an auto option that tries to minimise rebases to cases that might cause merge conflicts. The logic for this is pretty lossy atm as we look for files that have changed in commits pushed to the target branch, and rebase open PRs when the commit changes a supported manifest file path. We also rebase open PRs when the schedule runs (e.g. daily).

It's not ideal, but you could set up a github action that is triggered on all pushes to the target branch and comments on open dependabot PRs with @dependabot rebase.
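The workaround suggested in the comment above, written out as a workflow. This is an added example, not part of the original thread or of the Dependabot project; the branch name `main`, the secret name `DEPENDABOT_COMMAND_TOKEN`, and the premise that Dependabot only acts on commands from an account with push access (hence a user token instead of the job's own token) are assumptions.

```yaml
name: Rebase Dependabot PRs on push
on:
  push:
    branches: [main]   # assumption: the protected target branch

# The job's own token is not used for commenting; keep it read-only.
permissions:
  contents: read

jobs:
  request-rebase:
    runs-on: ubuntu-latest
    steps:
      # No checkout step: the job only calls the API and never runs repository code.
      - name: Comment "@dependabot rebase" on open Dependabot PRs
        env:
          # Assumption: token of a user with push access, stored as a
          # repository secret under this hypothetical name. Scope it to
          # this repository and to pull request comments only.
          GH_TOKEN: ${{ secrets.DEPENDABOT_COMMAND_TOKEN }}
          # Context values are passed through env rather than interpolated
          # into the script, so they are never parsed as shell code.
          REPO: ${{ github.repository }}
          BASE: ${{ github.ref_name }}
        run: |
          # List open PRs authored by the Dependabot app against the pushed branch.
          gh pr list --repo "$REPO" --app dependabot --state open \
            --base "$BASE" --json number --jq '.[].number' |
          while read -r pr; do
            gh pr comment "$pr" --repo "$REPO" --body "@dependabot rebase"
          done
```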

@gustavovnicius
Author

gustavovnicius commented May 18, 2021

> The behavior in both should be, "auto-rebase when there is a reason why it would need to rebase

@asciimike Yes! I have linear history protection. So dependabot should identify that and trigger a rebase automatically.
It beats the automation purpose if I have to click on the Update branch button (which creates a merge, not a rebase, screwing up the history) or if I have to type down @dependabot rebase – Many times there are like 10 PRs, I'd have to type it at least once for every PR, and wait for it to build. This is not how dependabot-preview works. It identifies when you have linear history protection and rebases it.

> See #2268 for why automerge isn't currently supported.

@asciimike I'm not sure that's automerge... I don't want Dependabot to simply merge things on its own. I want it to merge and close the PR after I review and approve it (as there are restrictions requiring at least one review for a PR to be merged).

It's unnecessary and inefficient if, for every PR, I have to both approve and then type @dependabot merge. This is not how dependabot-preview works.

@gustavovnicius
Author

> There's currently no way to tell dependabot to always rebase if the target branch is updated.

@feelepxyz, but dependabot-preview works exactly like that. I have linear history protection enabled, which means if the branch is not up to date with my target branch, I can't merge and close the PR. This is something that dependabot should identify (and that dependabot-preview does).

@asciimike
Contributor

Ok, it's this feature (the top one unchecked):

image

I think the closest feature is GitHub's automerge, where you approve a PR and it merges once checks pass, which should be equivalent (e.g. wait for checks to pass, approval, etc.).

@feelepxyz
Contributor

feelepxyz commented May 20, 2021

@gustavovnicius you could set up an action that enables the github-native automerge on dependabot PRs, e.g.

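```yaml
name: Dependabot auto-merge
on: pull_request_target

# Grant the job token only what `gh pr merge --auto` needs.
permissions:
  contents: write
  pull-requests: write

jobs:
  dependabot:
    # Match on the PR author; github.actor is whoever triggered the latest event.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      # No checkout step: the job never runs code from the PR branch.
      - name: Enable auto-merge for Dependabot PRs
        # With "Require linear history" enabled, use --rebase or --squash instead of --merge.
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```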

And then set up branch protection with required approvals:

Screenshot 2021-05-20 at 15 40 50

@brrygrdn brrygrdn added the F: preview-migration Issue relates to migrating from Dependabot Preview label Jun 10, 2021
@jeffwidman
Member

Closing, as I think the current behavior is probably what we're going to stick with for now. I realize it's not an exact match for Dependabot-preview, but the suggested alternative solutions are good enough, such as GitHub's native automerge. I don't see us investing the time to change any of this anytime soon as it works "good enough".
