15

Following "Dependabot is moving natively into GitHub!", I had to update my dependabot config files to use version 2 format.

My .dependabot/config.yaml did look like:

version: 1
update_configs:
  - package_manager: "python"
    directory: "/"
    update_schedule: "live"
    automerged_updates:
      - match:
          dependency_type: "all"
          update_type: "all"

I've got the following working:

version: 2
updates:
- package-ecosystem: pip
  directory: "/"
  schedule:
    interval: daily

but I can't seem to add the automerge option again (when checking with the dependabot validator)?

andyandy
  • Sounds like they may be holding off this feature for now: https://github.com/dependabot/dependabot-core/issues/1973 – andyandy Sep 29 '20 at 11:54
  • You should add this as an answer – riQQ Sep 29 '20 at 19:47
  • Besides, just a heads up, this feature will never be added to Dependabot on GitHub. Check the answer by @milton-castro – Jarmos Dec 02 '20 at 11:03
  • Looks like GitHub does not intend to add it as a feature _directly_ to Dependabot, but they nevertheless have officially documented how to do it with an [Actions workflow](https://stackoverflow.com/a/68365564/418413). – kojiro Jul 13 '21 at 15:44
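The migration the question describes, as an added example that is not part of the question or of Dependabot's own tooling: it takes the v1 `update_configs` shape, rewrites it into the v2 `updates` shape, and reports every v1 setting that has no v2 counterpart (the `automerged_updates` block the asker is missing, and the `live` schedule). The v1-to-v2 key mappings are assumptions drawn from the two documented formats; the config is handled as plain dicts so no YAML library is required.

```python
"""Migrate a Dependabot v1 config (the .dependabot/config.yml shape from the
question) to the v2 .github/dependabot.yml shape, dropping v1 keys that have
no v2 equivalent and reporting them instead of losing them silently.

Added example; not code from the question, from GitHub or from Dependabot.
The key mappings are assumptions based on the two documented formats."""
from __future__ import annotations

import json

# Assumed v1 package_manager -> v2 package-ecosystem mapping.
PACKAGE_MANAGER_TO_ECOSYSTEM = {
    "python": "pip",
    "javascript": "npm",
    "ruby:bundler": "bundler",
    "php:composer": "composer",
    "go:modules": "gomod",
    "docker": "docker",
}

# v2 has no "live" interval; "daily" is the closest supported value.
SCHEDULE_TO_INTERVAL = {
    "live": "daily",
    "daily": "daily",
    "weekly": "weekly",
    "monthly": "monthly",
}

# v1 keys this script knows how to migrate; anything else is reported.
HANDLED_KEYS = {"package_manager", "directory", "update_schedule",
                "target_branch", "automerged_updates"}

# Constructed sample: the asker's v1 config as a parsed dict.
EXAMPLE_V1 = {
    "version": 1,
    "update_configs": [{
        "package_manager": "python",
        "directory": "/",
        "update_schedule": "live",
        "automerged_updates": [{"match": {"dependency_type": "all",
                                          "update_type": "all"}}],
    }],
}


def migrate(v1: dict) -> tuple[dict, list[str]]:
    """Return (v2 config dict, notes about settings that were changed or dropped)."""
    if v1.get("version") != 1:
        raise ValueError("expected a version 1 Dependabot config")
    updates: list[dict] = []
    notes: list[str] = []
    for index, cfg in enumerate(v1.get("update_configs", [])):
        manager = cfg["package_manager"]
        if manager not in PACKAGE_MANAGER_TO_ECOSYSTEM:
            raise ValueError(f"update_configs[{index}]: unknown package_manager {manager!r}")
        schedule = cfg.get("update_schedule", "daily")
        if schedule not in SCHEDULE_TO_INTERVAL:
            raise ValueError(f"update_configs[{index}]: unknown update_schedule {schedule!r}")
        entry = {
            "package-ecosystem": PACKAGE_MANAGER_TO_ECOSYSTEM[manager],
            "directory": cfg.get("directory", "/"),
            "schedule": {"interval": SCHEDULE_TO_INTERVAL[schedule]},
        }
        if schedule == "live":
            notes.append(f"update_configs[{index}]: 'live' schedule has no v2 equivalent; using 'daily'")
        if "target_branch" in cfg:
            entry["target-branch"] = cfg["target_branch"]
        if "automerged_updates" in cfg:
            notes.append(f"update_configs[{index}]: automerged_updates dropped; "
                         "v2 has no auto-merge key, use a workflow instead")
        for key in sorted(set(cfg) - HANDLED_KEYS):
            notes.append(f"update_configs[{index}]: key {key!r} not migrated")
        updates.append(entry)
    return {"version": 2, "updates": updates}, notes


def _scalar(value) -> str:
    # Strings are always double-quoted so values like "/" need no YAML escaping rules.
    return json.dumps(value) if isinstance(value, str) else str(value)


def to_yaml(value, indent: int = 0) -> str:
    """Minimal YAML emitter for the nested dict/list/scalar shape used here."""
    pad = "  " * indent
    lines: list[str] = []
    if isinstance(value, dict):
        for key, item in value.items():
            if isinstance(item, (dict, list)):
                lines.append(f"{pad}{key}:")
                lines.append(to_yaml(item, indent + 1))
            else:
                lines.append(f"{pad}{key}: {_scalar(item)}")
    elif isinstance(value, list):
        for item in value:
            # The first key of a list item shares the "- " line; the rest stay indented.
            body = to_yaml(item, indent + 1).splitlines()
            lines.append(f"{pad}- {body[0].lstrip()}")
            lines.extend(body[1:])
    else:
        lines.append(f"{pad}{_scalar(value)}")
    return "\n".join(lines)


if __name__ == "__main__":
    v2, notes = migrate(EXAMPLE_V1)
    print(to_yaml(v2))
    for note in notes:
        print("note:", note)
```

Running it on the asker's config prints the same v2 document the question already arrived at, plus two notes: the `live` schedule became `daily`, and `automerged_updates` was dropped because v2 has no key for it.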

3 Answers

12

This is now an officially documented feature. You can approve a Dependabot pull request and set it to auto-merge with a GitHub Actions workflow like…

name: Dependabot auto-approve
on: pull_request_target
    
permissions:
  contents: write
  pull-requests: write
    
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1.1.1
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Enable auto-merge for Dependabot PRs
        if: ${{contains(steps.metadata.outputs.dependency-names, 'my-dependency') && steps.metadata.outputs.update-type == 'version-update:semver-patch'}}
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

Update: CODEOWNERS does allow negation after all

If you use code owners and the branch is protected, you may find this will still wait for code owner review to merge. You can require codeowner review for all but the relevant files with a .github/CODEOWNERS file something like this:

* @owner1 @owner2 @org/team1
setup.cfg  # pattern with no owners: setup.cfg is not owned, so its changes need no code owner review
kojiro
  • Two caveats: 1. You have to enable auto-merge in your repo settings, 2. You have to protect the target branch with “checks must pass before merge”. If you don’t do both of these the command line above (for some reason) merges the PR as soon as it runs – mxcl Aug 31 '21 at 12:54
  • @mxcl The workflow can be ordered and set up dependencies. Assume there is a build and automerge workflow, you can set the automerge run after build workflow result is successful. – Hantsy Oct 19 '21 at 04:07
  • @mxcl Could you please provide a link to documentation or an implementation of how to protect the target branch with “checks must pass before merge”? – ak76 May 13 '22 at 13:36
  • They're tucked away under a feature called "protected branches". https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging – kojiro May 13 '22 at 14:08
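The gate this workflow expresses in its `if:` line, as an added example that is neither the answer's code nor the `dependabot/fetch-metadata` implementation: it classifies a version bump into the `version-update:semver-patch/minor/major` values that action reports, then decides whether the pull request qualifies for auto-merge. It differs from the workflow in one deliberate way: the workflow's `contains()` test is a substring match, so `'my-dependency'` also matches a dependency named `my-dependency-extras`; the policy below splits the comma-separated name list and requires exact allowlist membership. The comma-separated name format, the classification rule and the extra rule that 0.x dependencies never auto-merge are assumptions.

```python
"""Auto-merge policy for Dependabot pull requests.

Added example; not the answer's code and not fetch-metadata's implementation.
Assumptions: dependency names arrive as a comma-separated string, versions are
"major.minor[.patch]" with an optional leading "v", and 0.x dependencies are
treated as unstable so no bump of them qualifies."""
from __future__ import annotations

import re

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")

PATCH = "version-update:semver-patch"
MINOR = "version-update:semver-minor"
MAJOR = "version-update:semver-major"
RANK = {PATCH: 0, MINOR: 1, MAJOR: 2}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'v1.2.3' / '1.2' into (major, minor, patch); patch defaults to 0."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unparsable version: {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def update_type(previous: str, new: str) -> str | None:
    """Classify the bump like fetch-metadata's update-type output; None if not an upgrade."""
    prev, nxt = parse_version(previous), parse_version(new)
    if nxt <= prev:
        return None  # downgrade or no change: not a version update at all
    if nxt[0] != prev[0]:
        return MAJOR
    if nxt[1] != prev[1]:
        return MINOR
    return PATCH


def should_automerge(dependency_names: str, previous: str, new: str,
                     allowlist: set[str], max_update: str = PATCH) -> tuple[bool, str]:
    """Return (decision, reason). Every dependency in the PR must be allowlisted,
    and the bump must not exceed max_update."""
    names = [n.strip() for n in dependency_names.split(",") if n.strip()]
    if not names:
        return False, "no dependency names reported"
    unlisted = [n for n in names if n not in allowlist]
    if unlisted:
        return False, f"not allowlisted: {', '.join(unlisted)}"
    kind = update_type(previous, new)
    if kind is None:
        return False, f"{previous} -> {new} is not an upgrade"
    if parse_version(previous)[0] == 0:
        return False, f"{names[0]} is still 0.x; any bump may be breaking"
    if RANK[kind] > RANK[max_update]:
        return False, f"{kind} exceeds {max_update}"
    return True, f"{kind} of allowlisted dependency"


if __name__ == "__main__":
    # Constructed sample PRs: (dependency-names output, previous version, new version)
    allowlist = {"my-dependency", "requests"}
    for names, prev, nxt in [("my-dependency", "1.4.2", "1.4.3"),
                             ("my-dependency", "1.4.2", "1.5.0"),
                             ("my-dependency-extras", "1.4.2", "1.4.3"),
                             ("requests, urllib3", "2.25.1", "2.25.2")]:
        print(names, prev, "->", nxt, should_automerge(names, prev, nxt, allowlist))
```

The two branch-protection caveats raised in the comments still apply: this logic only decides whether to call `gh pr merge --auto`; the merge itself should remain blocked until the required status checks pass.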
9

Here is one solution that doesn't require any additional marketplace installations (originally found here). Simply create a new GitHub workflow (e.g. .github/workflows/dependabotautomerge.yml) containing:

name: "Dependabot Automerge - Action"

on:
  pull_request:

jobs:
  worker:
    runs-on: ubuntu-latest

    if: github.actor == 'dependabot[bot]'
    steps:
      - name: automerge
        uses: actions/github-script@0.2.0
        with:
          script: |
            // github-script runs this inside an async function, so both calls are
            // awaited: the approval must land before the merge is attempted.
            // The github.pullRequests namespace belongs to the octokit bundled with
            // github-script 0.2.0; newer releases expose it as github.rest.pulls.
            await github.pullRequests.createReview({
              owner: context.payload.repository.owner.login,
              repo: context.payload.repository.name,
              pull_number: context.payload.pull_request.number,
              event: 'APPROVE'
            })
            await github.pullRequests.merge({
              owner: context.payload.repository.owner.login,
              repo: context.payload.repository.name,
              pull_number: context.payload.pull_request.number
            })
          github-token: ${{github.token}}

There are also various third-party solutions available on GitHub Marketplace.

andyandy
  • That code snippet should be credited. Here's the original source: https://secopslab.medium.com/automerge-github-dependabot-alerts-with-github-actions-7cd6f5763750 – Jarmos Dec 02 '20 at 11:23
  • Is that the original source for the officially-documented approach? https://stackoverflow.com/a/68365564/418413 – kojiro Jul 13 '21 at 15:45
  • (Probably not, since the officially documented approach is substantially different.) – kojiro Jul 13 '21 at 15:52
6

Auto-merge was disabled with the move of Dependabot into GitHub:

Auto-merge will not be supported in GitHub-native Dependabot for the foreseeable future. We know some of you have built great workflows that rely on auto-merge, but right now, we’re concerned about auto-merge being used to quickly propagate a malicious package across the ecosystem. We recommend always verifying your dependencies before merging them.

There are some hacks to accomplish this job; you can check GitHub dependabot-core issue #1973 for some ideas.

Milton Castro