@xt0rted
Last active November 12, 2024 16:32
Auto-merge Dependabot PRs for minor & patch updates

README

Note

I'm now using a newer version of this workflow that supports an allow list for individual packages and update groups which can be found here:

If you're using a workflow like this and need to manage secrets in multiple repos xt0rted/secrets-sync can simplify that. This lets you add secrets to one repo and sync them to many repos. There's also a template you can fork to get started quickly with it.

Personal Access Token

This workflow requires the repository's Allow auto-merge setting to be enabled and, ideally, a branch protection rule so that your other workflows must pass before the merge happens.

[image]

If the default GITHUB_TOKEN is used, any workflows that would be triggered by the merge won't run; to work around that, a PAT needs to be used.

The DEPENDABOT_TOKEN needs the repo & read:org scopes and should be added as both an Actions secret and a Dependabot secret for the org or repo where this will be run.

GitHub App

An alternative method is to use a GitHub App. To do this you'll need to go to https://github.com/settings/apps/new or https://github.com/organizations/<org>/settings/apps/new and create an app with the following settings:

  1. Uncheck Expire user authorization tokens
  2. Uncheck Webhook Active
  3. Set the following Repository permissions:
    • Contents: Read & Write
    • Metadata: Read-only
    • Pull requests: Read-only

Once created you'll need to generate a private key.

You'll then need to install the app on your account or org and add both Actions & Dependabot secrets named BOT_APP_ID and BOT_PRIVATE_KEY. These correspond to the App ID shown at the top of the app's page and the private key you just generated.

The final step is to make sure you've enabled auto-merge for pull requests on the repo.

[image]

Workflow using a GitHub App token (the indentation below is restored; the scraped page had flattened it):

```yaml
# https://gist.github.com/xt0rted/46475099dc0a70ba63e16e3177407872
name: Dependabot auto-merge
on: pull_request_target

# The GITHUB_TOKEN only needs read access; the merge itself is done with the app token.
permissions:
  contents: read
  pull-requests: read

jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Only run for pull requests opened by Dependabot itself
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Generate token
        id: generate_token
        # Action name restored from the scraped page; the version tag was lost in
        # extraction, so pin a release tag or commit SHA of your choosing here.
        uses: tibdex/github-app-token@<version>
        with:
          app_id: ${{ secrets.BOT_APP_ID }}
          private_key: ${{ secrets.BOT_PRIVATE_KEY }}

      - name: Dependabot metadata
        id: dependabot_metadata
        # Same as above: the version tag was lost in extraction, pin one.
        uses: dependabot/fetch-metadata@<version>
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Authenticate cli
        # The token is passed through an environment variable rather than
        # interpolated into the shell script.
        env:
          GH_APP_TOKEN: ${{ steps.generate_token.outputs.token }}
        run: echo "$GH_APP_TOKEN" | gh auth login --with-token

      - name: Enable auto-merge for Dependabot PRs
        # Only dev dependencies, and only minor or patch bumps; major bumps stay manual.
        if: steps.dependabot_metadata.outputs.dependency-type == 'direct:development' && (steps.dependabot_metadata.outputs.update-type == 'version-update:semver-minor' || steps.dependabot_metadata.outputs.update-type == 'version-update:semver-patch')
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
```
Workflow using a Personal Access Token (indentation restored as above):

```yaml
# https://gist.github.com/xt0rted/46475099dc0a70ba63e16e3177407872
name: Dependabot auto-merge
on: pull_request_target

permissions:
  contents: read
  pull-requests: read

jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Only run for pull requests opened by Dependabot itself
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Dependabot metadata
        id: dependabot_metadata
        # Action name restored from the scraped page; the version tag was lost in
        # extraction, so pin a release tag or commit SHA of your choosing here.
        uses: dependabot/fetch-metadata@<version>
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Authenticate cli with a PAT
        # DEPENDABOT_TOKEN must exist as a Dependabot secret (and as an Actions
        # secret if the workflow is ever re-run by a person), see the README.
        env:
          DEPENDABOT_TOKEN: ${{ secrets.DEPENDABOT_TOKEN }}
        run: echo "$DEPENDABOT_TOKEN" | gh auth login --with-token

      - name: Enable auto-merge for Dependabot PRs
        if: steps.dependabot_metadata.outputs.dependency-type == 'direct:development' && (steps.dependabot_metadata.outputs.update-type == 'version-update:semver-minor' || steps.dependabot_metadata.outputs.update-type == 'version-update:semver-patch')
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
```
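Both workflows gate the merge on three things: the PR author, the dependency type, and the size of the version bump. The Python below is an added example, not the gist's code, that reproduces that gating as a fail-closed policy and generalises it (configurable actors, dependency types, and a maximum semver bump) so the same rules can be unit-tested or reused outside the workflow. `AutoMergePolicy`, `should_auto_merge` and the sample payloads are this example's own inventions; the `dependency-type` and `update-type` values are the ones the workflow's `if:` expressions compare against.

```python
"""Fail-closed auto-merge policy mirroring the gist's workflow conditions.

The workflow only enables auto-merge when all of these hold:
  1. the PR author is dependabot[bot]                       (job-level `if:`)
  2. dependency-type is direct:development                  (step-level `if:`)
  3. update-type is semver-minor or semver-patch, not major (step-level `if:`)
Names below (AutoMergePolicy, should_auto_merge) are this example's own.
"""
from dataclasses import dataclass

# Ranking of the update-type values compared in the workflow, lowest risk first.
SEMVER_RANK = {
    "version-update:semver-patch": 0,
    "version-update:semver-minor": 1,
    "version-update:semver-major": 2,
}


@dataclass(frozen=True)
class AutoMergePolicy:
    """Which PRs may be auto-merged. Defaults reproduce the gist's conditions."""
    allowed_actors: frozenset = frozenset({"dependabot[bot]"})
    allowed_dependency_types: frozenset = frozenset({"direct:development"})
    max_update_type: str = "version-update:semver-minor"


def should_auto_merge(event: dict, metadata: dict,
                      policy: AutoMergePolicy = AutoMergePolicy()) -> tuple[bool, str]:
    """Return (decision, reason) for a pull_request_target payload plus metadata outputs.

    `event` is shaped like github.event; `metadata` like steps.dependabot_metadata.outputs.
    Every check fails closed: a missing or unrecognised value means no auto-merge.
    """
    actor = event.get("pull_request", {}).get("user", {}).get("login")
    if actor not in policy.allowed_actors:
        return False, f"PR author {actor!r} is not an allowed bot"

    dep_type = metadata.get("dependency-type")
    if dep_type not in policy.allowed_dependency_types:
        return False, f"dependency-type {dep_type!r} is not auto-mergeable"

    update_type = metadata.get("update-type")
    if update_type not in SEMVER_RANK:
        # Covers absent outputs and non-semver values alike: unknown means no merge.
        return False, f"update-type {update_type!r} is not a recognised semver bump"
    if SEMVER_RANK[update_type] > SEMVER_RANK[policy.max_update_type]:
        return False, f"{update_type} exceeds the allowed maximum {policy.max_update_type}"

    return True, f"{dep_type} {update_type} opened by {actor}"


# Constructed sample inputs shaped like the real payloads (not captured from GitHub).
DEPENDABOT_EVENT = {"pull_request": {"user": {"login": "dependabot[bot]"},
                                     "html_url": "https://github.com/example/repo/pull/1"}}
HUMAN_EVENT = {"pull_request": {"user": {"login": "octocat"},
                                "html_url": "https://github.com/example/repo/pull/2"}}
DEV_MINOR = {"dependency-type": "direct:development", "update-type": "version-update:semver-minor"}
DEV_MAJOR = {"dependency-type": "direct:development", "update-type": "version-update:semver-major"}
PROD_PATCH = {"dependency-type": "direct:production", "update-type": "version-update:semver-patch"}

if __name__ == "__main__":
    cases = [("dev minor", DEPENDABOT_EVENT, DEV_MINOR),
             ("dev major", DEPENDABOT_EVENT, DEV_MAJOR),
             ("prod patch", DEPENDABOT_EVENT, PROD_PATCH),
             ("human author", HUMAN_EVENT, DEV_MINOR),
             ("no metadata", DEPENDABOT_EVENT, {})]
    for label, ev, md in cases:
        ok, why = should_auto_merge(ev, md)
        print(f"{label:12} -> {'merge' if ok else 'skip '}: {why}")
```

A looser policy, for example `AutoMergePolicy(allowed_dependency_types=frozenset({"direct:development", "direct:production"}), max_update_type="version-update:semver-patch")`, lets production patch bumps through while still refusing minor and major ones; the ranking makes "at most this bump" a single comparison instead of a growing `||` chain in the `if:` expression.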
xt0rted commented Nov 12, 2024

@nlykkei When a workflow is triggered by Dependabot, only the Dependabot secrets are passed to it, but if the workflow is triggered by anything else (a person, a PAT, or a GitHub App) then the Actions secrets are passed in. Pushing to a Dependabot branch or manually re-running a workflow requires the secrets to be in both lists; otherwise the Dependabot list should be fine.
