This repository has been archived by the owner on Jan 5, 2025. It is now read-only.

Manage Dependabot PRs #68

Open
balteravishay opened this issue May 22, 2024 · 0 comments
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@balteravishay (Contributor) commented May 22, 2024

Today Dependabot PRs generate work that needs to be managed manually, by approving and merging them.
Suggestion to fix that by smartly using Dependabot automation, as described in this guide.

The suggestion is to auto-approve and auto-merge if the dependency got only a minor or patch bump and has no security alerts.
If a security alert exists, then no auto-approve/merge: mark it as security for manual approval. All major bumps always get manual review.

High-level code may look something like:

```yaml
      # Fragment of a job's `steps:` list. It references two things not shown
      # here: an earlier step with id `get-token` exposing a BOT_TOKEN output,
      # and a PR_URL value in the job environment (the Dependabot PR's URL).
      - name: 🔀 Dependency Review
        uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # v4.3.2
        with:
          repo-token: ${{ steps.get-token.outputs.BOT_TOKEN }}
          # With vulnerability-check enabled the step fails when the PR
          # introduces a dependency with a known advisory, so the later
          # approve/merge steps never run for such a PR.
          vulnerability-check: true
          license-check: true
          comment-summary-in-pr: true

      - name: 📝 Fetch Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@5e5f99653a5b510e8555840e80cbf1514ad4af38 # v2.1.0
        with:
          github-token: ${{ steps.get-token.outputs.BOT_TOKEN }}
          # alert-lookup populates the ghsa-id and cvss outputs used below;
          # ghsa-id is '' and cvss is 0 when the PR fixes no alert.
          alert-lookup: true
          compat-lookup: true

      # Auto-path: only semver-minor/patch bumps with no associated alert.
      - name: 👍 Approve PR
        if: ${{ contains(fromJSON('["version-update:semver-patch", "version-update:semver-minor"]'), steps.dependabot-metadata.outputs.update-type) && steps.dependabot-metadata.outputs.ghsa-id == '' && steps.dependabot-metadata.outputs.cvss == 0 }}
        run: gh pr review --approve "${{ env.PR_URL }}"
        env:
          GITHUB_TOKEN: ${{ steps.get-token.outputs.BOT_TOKEN }}

      # `gh pr merge --auto` queues the merge until required checks pass;
      # it needs "Allow auto-merge" enabled in the repository settings.
      - name: 🤝 Auto-merge PR
        if: ${{ contains(fromJSON('["version-update:semver-patch", "version-update:semver-minor"]'), steps.dependabot-metadata.outputs.update-type) && steps.dependabot-metadata.outputs.ghsa-id == '' && steps.dependabot-metadata.outputs.cvss == 0 }}
        run: gh pr merge --auto --delete-branch --squash "${{ env.PR_URL }}"
        env:
          GITHUB_TOKEN: ${{ steps.get-token.outputs.BOT_TOKEN }}

      # Manual path: anything tied to a security alert is labelled for a human.
      # Major bumps match neither condition and are simply left untouched.
      - name: 🚨 Label security
        if: ${{ steps.dependabot-metadata.outputs.ghsa-id != '' || steps.dependabot-metadata.outputs.cvss != 0 }}
        run: gh pr edit "${{ env.PR_URL }}" --add-label "no-combine,security"
        env:
          GITHUB_TOKEN: ${{ steps.get-token.outputs.BOT_TOKEN }}
```
@balteravishay balteravishay added enhancement New feature or request good first issue Good for newcomers labels May 22, 2024
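The triage rule proposed above (auto-approve and auto-merge only semver-minor/patch bumps with no security alert, send alerts and major bumps to a human) as a stand-alone Python model, added here as an example and not code from the issue or the project. It derives the bump type from the old/new versions in a Dependabot PR title the way the `update-type` output does, takes `ghsa-id`/`cvss` as plain arguments, and returns the approve/merge/label decision instead of calling `gh`. The title format, the `zero_major_is_major` option and the sample titles are constructed for the example; the GHSA id used in the demo is a placeholder, not a real advisory.

```python
import re
from dataclasses import dataclass, field

# Dependabot titles look like "Bump lodash from 4.17.20 to 4.17.21", optionally
# behind a commit prefix such as "chore(deps): ". Grouped updates ("Bump the
# npm_and_yarn group with 2 updates") carry no from/to pair and do not match,
# which routes them to manual review.
TITLE_RE = re.compile(
    r"^(?:[\w()-]+: )?[Bb]ump (?P<name>\S+) from (?P<old>\S+) to (?P<new>\S+)"
)
# Lenient SemVer: optional "v", missing minor/patch treated as 0 ("3" -> "4"),
# optional pre-release (-rc.1) and build metadata (+abc).
VERSION_RE = re.compile(
    r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?P<pre>-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$"
)

# The same values fetch-metadata exposes as `update-type`.
PATCH = "version-update:semver-patch"
MINOR = "version-update:semver-minor"
MAJOR = "version-update:semver-major"


def parse_version(text):
    """Return (major, minor, patch, is_prerelease) or None if not semver-like."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(x) if x else 0 for x in m.groups()[:3])
    return major, minor, patch, m.group("pre") is not None


def classify_bump(old, new):
    """Map old -> new onto PATCH/MINOR/MAJOR; None means 'a human decides'.

    None covers unparseable versions, no change, downgrades, and any move
    onto a pre-release, none of which should be merged unattended.
    """
    a, b = parse_version(old), parse_version(new)
    if a is None or b is None or b[3] or b[:3] <= a[:3]:
        return None
    if b[0] != a[0]:
        return MAJOR
    if b[1] != a[1]:
        return MINOR
    return PATCH


@dataclass
class Decision:
    approve: bool
    merge: bool
    labels: list = field(default_factory=list)
    reason: str = ""


def triage(title, ghsa_id="", cvss=0.0, zero_major_is_major=False):
    """Decide what the workflow should do with one Dependabot PR.

    Mirrors the three `if:` conditions in the issue. `zero_major_is_major`
    is an extra, hypothetical option: SemVer allows 0.y.z minor bumps to
    break compatibility, so a stricter policy treats them as major.
    """
    # Security gate first: ghsa-id is '' and cvss is 0 when no alert applies.
    if ghsa_id or float(cvss) > 0:
        return Decision(False, False, ["no-combine", "security"],
                        f"security alert {ghsa_id} (cvss {cvss}); manual review")
    m = TITLE_RE.match(title)
    if not m:
        return Decision(False, False, [], "not a single-dependency bump; manual review")
    name, old, new = m.group("name"), m.group("old"), m.group("new")
    bump = classify_bump(old, new)
    if bump == MINOR and zero_major_is_major and parse_version(new)[0] == 0:
        bump = MAJOR
    if bump in (PATCH, MINOR):
        return Decision(True, True, [], f"{name} {old} -> {new} is {bump.rsplit('-', 1)[-1]}")
    return Decision(False, False, [], f"{name} {old} -> {new} needs manual review")


if __name__ == "__main__":
    # Constructed sample PRs; GHSA-xxxx-xxxx-xxxx is a placeholder id.
    samples = [
        ("Bump lodash from 4.17.20 to 4.17.21", "", 0),
        ("chore(deps): bump actions/checkout from 3 to 4", "", 0),
        ("Bump express from 4.18.2 to 4.19.0", "GHSA-xxxx-xxxx-xxxx", 7.5),
        ("Bump the npm_and_yarn group with 2 updates", "", 0),
        ("Bump bar from 1.2.3 to 1.3.0-rc.1", "", 0),
    ]
    for title, ghsa, score in samples:
        d = triage(title, ghsa, score)
        print(f"{title!r}: approve={d.approve} merge={d.merge} labels={d.labels} ({d.reason})")
```

Running the block prints one decision per sample; in the workflow the same three outcomes map onto the `gh pr review --approve`, `gh pr merge --auto` and `gh pr edit --add-label` steps.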