Support auto merge in Dependabot #1973
Comments
|
Same here. Is anything wrong with my project configuration? https://github.com/leonardovillela/redux-zero-chat/blob/master/.dependabot/config.yml I already have enabled auto-merge in my account. As you can see the PR's are open but not auto-merged 🤔 |
|
Thanks for the feedback and sorry for the confusion here. Auto-merge will not be supported in GitHub-native Dependabot for the foreseeable future. We know some of you have built great workflows that rely on auto-merge, but right now, we’re concerned about auto-merge being used to quickly propagate a malicious package across the ecosystem. We recommend always verifying your dependencies before merging them. |
|
Okay, but I'm not using GitHub-native Dependabot, so auto merging is supposed to work, right? |
|
@leonardovillela it looks like you don't have CI set up on the repo, which is why Dependabot doesn't want to automerge: leonardovillela/redux-zero-chat#2 You need to add some CI check on pull requests, you could add a GitHub action that runs on every push. Doesn't actually have to do anything as long as the task succeeds. |
|
If you don't mind adding another GitHub Bot to the mix, I built an open source bot called Kodiak which supports auto merging pull requests. There's specific instructions for using Kodiak with Dependabot here: https://kodiakhq.com/docs/recipes#automated-dependency-updates-with-dependabot Also, there are a ton of other GitHub Bots doing similar things. Here's a non-exhaustive list: https://kodiakhq.com/docs/prior-art-and-alternatives |
|
@infin8x I understnd the security concerns and wanting to make this something we have to do intentionally, but I haven't found a bot that can distinguish the pacakge name and semver bump before merging. If this isn't going to be supported in dependabot directly is there a way to add labels based on names and semver? An example of our current config: We don't want to automerge everything (or even most things) so automerging based on a label applied to every update doesn't work, we'd need to be able to label based on the same criteria we used to auto merge with. |
|
@infin8x I understand the security concern but we were hoping to set our target_branch to something that is not our default branch and then auto-merge into that branhc to limit the number of PRs that get opened per project. Many integration services like Chromatic, Heroku, etc. have costs associated with each PR that gets created in a repo so this is an important capability for us. I think you need to reconsider this policy to at least allow auto-merge on non-default branches. |
|
@chdsbd Can Kodiak distinguish between patch, minor, and major versions? |
|
@danielbachhuber Sadly not. There was a discussion about adding that kind of metadata in a structured form via probot metadata, but I don't think that's gone anywhere yet. #2294 would also make automatic updates based on type easy. A potentially less robust solution would be to parse the update type from the PR description. Assuming the following example is consistent I think a github action could label the PR based on the PR description. Here's a example script that could probably be integrated into some GitHub Action or bot: https://runkit.com/chdsbd/5f3c822e5eda78001ac183df const semver = require('semver')
const PR_DESCRIPTION = `\
Bumps eslint from 7.6.0 to 7.7.0.
Release notes
Sourced from ...`
const regex = /^Bumps\s.*\sfrom\s(.*)\sto\s(.*)\./;
/* determine the update type (major, premajor, minor, preminor, patch, prepatch, or prerelease) from a dependabot PR */
function parseUpdateType(x) {
const match = x.match(regex)
const prevVersion = match[1]
const newVersion = match[2]
return semver.diff(prevVersion, newVersion)
}
parseUpdateType(PR_DESCRIPTION)
/* equals "minor" */ |
|
In our org we have automerge setup for when branch conditions are met. It saves a few clicks in the UI and also means that if CI is retriggered it will merge after CI is green. Saves have to type |
That makes me wonder if you could setup a GHA to auto comment |
|
I can do that but just means adding another github action all over the place, previously we were able to control this in org settings in dependabot which was nice. |
I must say this is the least helpfull feature migration help I have ever encountered. What about putting a link to somewhere where you can read about what to do? Preferably a one-click-to deply action that just works.
|
|
Edit: Use this instead: https://github.com/SimpleJWT/drf-SimpleJWT-React/blob/7fe37747f9b4385faeaf5ec57b650ff21d82c1ae/.github/workflows/automerge.yml#L1 It takes advantage of wait for status check GitHub action and automerge GitHub action (which can delete branch). Old Response: For anyone looking for auto-merge, I believe there is a marketplace GitHub action that can do it for you, but I've also created a GitHub action file here: cookiecutter/cookiecutter-django#2868 but credit goes to the Medium blog post that I took the code from. I can't seem to find the blog post anymore, but I hope that file helps anyone who want further configuration! (EDIT: Found it! https://medium.com/@toufik.airane/automerge-github-dependabot-alerts-with-github-actions-7cd6f5763750): Quickly, here're the file contents: |
|
Does anyone know if this will auto-merge whatever PR from a user who changed their username to |
|
I agree that dependabot should not set auto-merge due to the security issues it raises. If you really know what you're doing and really want auto-merge, just use something like https://github.com/marketplace/actions/enable-automerge-action |
jeffwidman
changed the title
|
For the sake of discussion, what's the difference between the security concerns of Auto Merge versus that of a human pressing Merge? Wouldn't the human be just as oblivious to new vulnerabilities in the updated dependency as dependabot? What if the repo already has required checks in place in the PR actions that run security scans? |
|
An adult can read the source code changes for the dependency before merging the PR. It's true that not all humans will be able to understand the changes, but a human could. Also, if you wait a bit on a dependency update, it's possible that if there is a problem with the update, some other human will report about it in a place the human could discover it. A baby just tapping on buttons and triggering a merge without understanding the consequences of their actions otoh is dangerous. They're cute 👶, but dangerous if left unattended. |
|
If the reason this isn't added is because of security concerns, couldn't there be an option to delay dependency updates by some amount of time, e.g. 1 month after release, so that new dependency updates are at least a month old and can be safely auto-merged? |
|
Depfu has an option similar to this: https://docs.depfu.com/article/36-reasonably-up-to-date |
|
🍿 |
@jsoref I see your point, but (at least in my experience) nobody checks the source changes of their upstream deps anyway. Though we can (and probably should), we don't. I don't know. It's something to consider. 🤷 |
Is this an argument against auto-merging, or against updating third-party dependencies in general? |
This comment was marked as resolved.
This comment was marked as resolved.
|
Thank you for clarifying :) As an aside, I've setup Dependabot auto-merging with a simple GitHub Action, though I would still like to see this as a native option for Dependabot. name: Dependabot auto-merge
on: pull_request
permissions:
pull-requests: write
contents: write
jobs:
dependabot:
runs-on: ubuntu-latest
if: ${{ github.actor == 'dependabot[bot]' }}
steps:
- name: Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@v2.1.0
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"
- name: Enable auto-merge for Dependabot PRs
run: gh pr merge --auto --rebase "$PR_URL"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} |
Isn't that what status checks are? |
|
Status checks are automated. The wording implies a human reasoning through things. Status checks generally don't check for malicious code, just correctness for certain basic cases. |
|
@shepherdjerred I've used your Github Action, but my org requires two reviews before a PR can be merged. I've added a Ruleset for that and added Dependabot to the Bypass list, but PRs still aren't merged. Ruleset PR |
|
@piotrjak Renovate gets around this with GitHub apps:
There might be similar bots for Dependabot. A cursory search found this: I'd recommend checking out Renovate. I appreciate the Dependabot project, but Renovate is much more feature rich. Anyway, this issue isn't really related to this thread. You have auto-merge enabled; you're now fighting GitHub's auto-merge feature. |
and others
For my private repository it's not possible to add the auto merge feature. I added dependabot via the web interface and I receive PRs but the PRs are not merged automatically.
After this did not work I also tried via the dependabot config. The behaviour is the same. The check runs daily and creates PRs but does not merge them.
The text was updated successfully, but these errors were encountered: