Michael Bastos

Automating Dependabot PR Merges with CI/CD


In the ever-evolving world of software engineering, automating repetitive and mundane tasks can help us focus on more important things. One such task that can be automated is merging Dependabot pull requests (PRs) once your Continuous Integration/Continuous Deployment (CI/CD) process has run successfully. However, to get there, you need to have a strong foundation of proper CI/CD processes. That means having linting, building, and testing functions set up to ensure that your code is always functioning as expected.

For those who have already put in the work to set up proper CI/CD processes, automating Dependabot PR merges can save time and increase efficiency. By setting up this automation, you can avoid the tedious and time-consuming task of manually merging these PRs while ensuring that the new dependencies added won’t cause any issues with your codebase.

The example below is written for npm, but the same approach applies to yarn, and I use it with other ecosystems such as Ruby. The first thing to ensure is that you have a proper dependabot.yml configuration in place listing the package ecosystems you want Dependabot to maintain.

version: 2
updates:
  - package-ecosystem: 'npm'
    directory: '/'
    open-pull-requests-limit: 25
    schedule:
      interval: 'daily'
  - package-ecosystem: 'github-actions'
    directory: '/'
    open-pull-requests-limit: 25
    schedule:
      interval: 'daily'


Once you have outlined which package ecosystems Dependabot should cover, create a .github/workflows/ci.yml file, or add the following to whatever GitHub Actions workflow you already run on pull requests. Be sure to include the permissions block so the job is granted write access to pull-requests and contents. Then define a job that lints, builds and (where possible) tests your code, so that a Dependabot PR fails its checks whenever the update breaks something.

name: Continuous Integration
on:
  pull_request:
permissions:
  pull-requests: write
  contents: write
jobs:
  build:
    name: 'Build 📦'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Cache
        uses: actions/cache@v3
        with:
          path: |
            **/public
            **/.cache
          key: cache
      - name: Use Node.js
        uses: actions/setup-node@v3
        with:
          node-version: 16.x
          cache: 'npm'
      - run: npm ci
      - run: npm run lint
      - run: npm run build --if-present
      - run: npm run test
  dependabot:
    name: 'Dependabot'
    needs: [build]
    runs-on: ubuntu-latest
    # Only run this job for pull requests raised by Dependabot itself
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        # Pin to an exact release (or a commit SHA) rather than a floating major tag in practice
        uses: dependabot/fetch-metadata@v1
        with:
          github-token: '${{ secrets.GITHUB_TOKEN }}'
      - name: Enable auto-merge for Dependabot PRs
        # The PR URL is passed through the environment, not interpolated into the shell command
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}


Finally, what makes all of this work is a dependabot GitHub Actions job that depends on your build job and checks that github.actor is the Dependabot bot itself before merging the PR automagically. The needs dependency on build in the example above ensures the merge step only runs after your build and tests have passed. Note that gh pr merge --auto requires "Allow auto-merge" to be enabled in the repository settings, and the merge itself only happens once the branch protection rules' required checks and reviews are satisfied.
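As an added example (not the post's own workflow or the linked gist), here is the same dependabot job tightened so that only semver patch and minor updates are auto-merged, using the update-type output that the fetch-metadata step already exposes; major bumps get a comment asking for a human review instead. It assumes the build job and permissions block shown above; the step names and the comment wording are my own.

```yaml
jobs:
  dependabot:
    name: 'Dependabot'
    needs: [build]
    runs-on: ubuntu-latest
    # Only run for pull requests raised by Dependabot itself
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        # Pin to an exact release or commit SHA in practice
        uses: dependabot/fetch-metadata@v1
        with:
          github-token: '${{ secrets.GITHUB_TOKEN }}'
      # update-type is one of version-update:semver-patch, semver-minor or semver-major
      - name: Enable auto-merge for patch and minor updates only
        if: ${{ steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' }}
        # Values are passed via env rather than interpolated into the run script,
        # so PR metadata can never be executed as shell
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Major bumps are left for a person to review the changelog before merging
      - name: Flag major updates for manual review
        if: ${{ steps.metadata.outputs.update-type == 'version-update:semver-major' }}
        run: gh pr comment "$PR_URL" --body "Major version bump of ${DEPS}: not auto-merged, please review before merging."
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          DEPS: ${{ steps.metadata.outputs.dependency-names }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

With this split, a failing build still blocks every Dependabot PR via needs: [build], while the merge step itself only ever fires for updates that semver promises are backwards compatible.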

For a cleaner version of what the above yaml files should look like, I’m including a link to a public gist that shows the proper if statement and environment variables in Github Actions.

As engineers, we must remember that our job is to eventually make our jobs obsolete. Automating tasks like this allows us to focus on more complex tasks and continuously improve our codebase. The goal is to streamline our development process to the point where we can focus on more innovative tasks that drive our projects forward.

In conclusion, automating the merging of Dependabot PRs can be a useful tool for those with the proper CI/CD processes in place. But we must also remember to continue to push ourselves to improve and automate other aspects of our development process, ultimately freeing ourselves to focus on the more challenging and rewarding aspects of software engineering.
