Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/fastify/github-action-merge-dependabot
This action automatically approves and merges dependabot PRs.
https://github.com/fastify/github-action-merge-dependabot
dependabot pull-requests
Last synced: about 1 month ago
JSON representation
This action automatically approves and merges dependabot PRs.
- Host: GitHub
- URL: https://github.com/fastify/github-action-merge-dependabot
- Owner: fastify
- License: other
- Created: 2020-11-11T14:23:33.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2024-04-10T18:49:02.000Z (7 months ago)
- Last Synced: 2024-04-14T10:11:05.260Z (7 months ago)
- Topics: dependabot, pull-requests
- Language: JavaScript
- Homepage:
- Size: 3.16 MB
- Stars: 151
- Watchers: 15
- Forks: 35
- Open Issues: 15
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Github Action Merge Dependabot
This action automatically approves and merges dependabot PRs.
## Usage
Configure this action in your workflows providing the inputs described below.
Note that this action requires a GitHub token with additional permissions. You must use the [`permissions`](https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#permissions) tag to specify the required rules or configure your [GitHub account](https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/).
The permissions required are:
- [`pull-requests`](https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#pull-requests): it is needed to approve PRs.
- [`contents`](https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#contents): it is necessary to merge the pull request. You don't need it if you set `approve-only: true`, see [Approving without merging](#approving-without-merging) example below.
If some of the required permissions are missing, the action will fail with the error message:
```
Error: Resource not accessible by integration
```
## Inputs
| input | required | default | description |
| -------------------------- | -------- | ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `github-token` | No | `${{github.token}}` | A GitHub token. |
| `exclude` | No | | A comma or semicolon separated value of packages that you don't want to auto-merge and would like to manually review to decide whether to upgrade or not. |
| `approve-only` | No | `false` | If `true`, the PR is only approved but not merged. |
| `merge-method` | No | `squash` | The merge method you would like to use (squash, merge, rebase). |
| `merge-comment` | No | `''` | An arbitrary message that you'd like to comment on the PR after it gets auto-merged. This is only useful when you're receiving too much of noise in email and would like to filter mails for PRs that got automatically merged. |
| `use-github-auto-merge` | No | `false` | If `true`, the PR is marked as auto-merge and will be merged by GitHub when status checks are satisfied.
_NOTE_: This feature only works when all of the following conditions are met.
- The repository enables auto-merge.
- The pull request base must have a branch protection rule.
- The pull request's status checks are not yet satisfied.
Refer to [the official document](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request) about GitHub auto-merge. |
| `target` | No | `any` | A flag to only auto-merge updates based on Semantic Versioning.
Possible options are: `major, premajor, minor, preminor, patch, prepatch, prerelease, any`.
The value of this flag allows for updates for all the matching versions **and lower** with the respect for priority. This means, for example, if the `target` is set to `major` and the update is made to `minor` version the auto-merge will be triggered.
For more details on how semantic version difference is calculated please see [semver](https://www.npmjs.com/package/semver) package.
If you set a value other than `any`, PRs that are not semantic version compliant are skipped. An example of a non-semantic version is a commit hash when using git submodules. |
| `target-development` | No | | Same as `target` but specifies semver for `development` dependencies only. If present, then it overrides the value in `target` for `development` dependencies. |
| `target-production` | No | | Same as `target` but specifies semver for `production` dependencies only. If present, then it overrides the value in `target` for `production` dependencies. |
| `pr-number` | No | | A pull request number, only required if triggered from a workflow_dispatch event. Typically this would be triggered by a script running in a separate CI provider. See [Trigger action from workflow_dispatch event](#trigger-action-from-workflow_dispatch-event) example. |
| `skip-commit-verification` | No | `false` | If `true`, then the action will not expect the commits to have a verification signature. It is required to set this to `true` in GitHub Enterprise Server. |
| `skip-verification` | No | `false` | If true, the action will not validate the user or the commit verification status |
## Output
| outputs | Description |
| ------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| merge_status | The result status of the merge. It can be one of the following: `approved`, `merged`, `auto_merge`, `merge_failed`, `skipped:commit_verification_failed`, `skipped:not_a_dependabot_pr`, `skipped:cannot_update_major`, `skipped:bump_higher_than_target`, `skipped:packaged_excluded` |
## Examples
### Basic example
```yml
name: CI
on:
push:
branches:
- main
pull_request:
jobs:
build:
runs-on: ubuntu-latest
steps:
# ...
automerge:
needs: build
runs-on: ubuntu-latest
permissions:
pull-requests: write
contents: write
steps:
- uses: fastify/github-action-merge-dependabot@v3
```
### Excluding packages
```yml
permissions:
pull-requests: write
contents: write
steps:
- uses: fastify/github-action-merge-dependabot@v3
with:
exclude: 'react,fastify'
```
### Approving without merging
```yml
permissions:
pull-requests: write
steps:
- uses: fastify/github-action-merge-dependabot@v3
with:
approve-only: true
```
### Specifying target versions
#### Specifying target for all packages
```yml
steps:
- uses: fastify/github-action-merge-dependabot@v3
with:
target: 'minor'
```
#### Specifying target for development and production packages separately
```yml
steps:
- uses: fastify/github-action-merge-dependabot@v3
with:
target-development: 'major'
target-production: 'minor'
```
### Trigger action from workflow_dispatch event
If you need to trigger this action manually, you can use the [`workflow_dispatch`](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_dispatch) event. A use case might be that your CI runs on a seperate provider, so you would like to run this action as a result of a successful CI run.
When using the `workflow_dispatch` approach, you will need to send the PR number as part of the input for this action:
```yml
name: automerge
on:
workflow_dispatch:
inputs:
pr-number:
required: true
jobs:
automerge:
runs-on: ubuntu-latest
permissions:
pull-requests: write
contents: write
steps:
- uses: fastify/github-action-merge-dependabot@v3
with:
pr-number: ${{ github.event.inputs.pr-number }}
```
You can initiate a call to trigger this event via [API](https://docs.github.com/en/rest/reference/actions/#create-a-workflow-dispatch-event):
```bash
# Note: replace dynamic values with your relevant data
curl -X POST \
-H "Accept: application/vnd.github.v3+json" \
-H "Authorization: token {token}" \
https://api.github.com/repos/{owner}/{reponame}/actions/workflows/{workflow}/dispatches \
-d '{"ref":"{ref}", "inputs":{ "pr-number": "{number}"}}'
```
## How to upgrade from `2.x` to new `3.x`
- Update the action version.
- Add the new `permissions` configuration into your workflow or, instead, you can set the permissions rules on [the repository](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository) or on [the organization](https://docs.github.com/en/[email protected]/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise).
- Uninstall the [dependabot-merge-action](https://github.com/apps/dependabot-merge-action) GitHub App from your repos/orgs.
- If you have customized the `api-url` you can:
- Remove the `api-url` option from your workflow.
- Turn off the [`dependabot-merge-action-app`](https://github.com/fastify/dependabot-merge-action-app/) application.
Migration example:
```diff
jobs:
build:
runs-on: ubuntu-latest
steps:
# ...
automerge:
needs: build
runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ contents: write
steps:
- - uses: fastify/[email protected]
+ - uses: fastify/github-action-merge-dependabot@v3
```
## Notes
- A GitHub token is automatically provided by Github Actions, which can be accessed using `github.token`. If you want to provide a token that's not the default one you can used the `github-token` input.
- Make sure to use `needs: ` to delay the auto-merging until CI checks (test/build) are passed.
- If you want to use GitHub's [auto-merge](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/automatically-merging-a-pull-request) feature but still use this action to approve Pull Requests without merging, use `approve-only: true`.
## Acknowledgements
This project is kindly sponsored by [NearForm](https://nearform.com)