
Support auto merge in Dependabot #1973

Open
DominicBoettger opened this issue Jun 2, 2020 · 104 comments
Labels
auto-merge F: preview-migration Issue relates to migrating from Dependabot Preview Keep Exempt this from being marked by stalebot service 💁 Relates to Dependabot features GitHub provides

Comments

@DominicBoettger

For my private repository it's not possible to add the auto merge feature. I added dependabot via the web interface and I receive PRs but the PRs are not merged automatically.

After this did not work I also tried via the dependabot config. The behaviour is the same. The check runs daily and creates PRs but does not merge them.

version: 1
update_configs:
  - package_manager: "javascript"
    directory: "/"
    update_schedule: "daily"
    automerged_updates:
      - match:
          dependency_type: "development"
          # Supported dependency types:
          # - "development"
          # - "production"
          # - "all"
          update_type: "all"
          # Supported updates to automerge:
          # - "security:patch"
          #   SemVer patch update that fixes a known security vulnerability
          # - "semver:patch"
          #   SemVer patch update, e.g. > 1.x && 1.0.1 to 1.0.3
          # - "semver:minor"
          #   SemVer minor update, e.g. > 1.x && 2.1.4 to 2.3.1
          # - "in_range"
          #   matching the version requirement in your package manifest
          # - "all"
      - match:
          dependency_type: "production"
          update_type: "all"
@leonardovillela

leonardovillela commented Jun 8, 2020

Same here. Is anything wrong with my project configuration? https://github.com/leonardovillela/redux-zero-chat/blob/master/.dependabot/config.yml

I already have enabled auto-merge in my account. As you can see, the PRs are open but not auto-merged 🤔

@infin8x
Contributor

infin8x commented Jun 8, 2020

Thanks for the feedback and sorry for the confusion here.

Auto-merge will not be supported in GitHub-native Dependabot for the foreseeable future. We know some of you have built great workflows that rely on auto-merge, but right now, we’re concerned about auto-merge being used to quickly propagate a malicious package across the ecosystem. We recommend always verifying your dependencies before merging them.

@leonardovillela

Okay, but I'm not using GitHub-native Dependabot, so auto merging is supposed to work, right?

@feelepxyz
Contributor

@leonardovillela it looks like you don't have CI set up on the repo, which is why Dependabot doesn't want to automerge: leonardovillela/redux-zero-chat#2

You need to add some CI check on pull requests, you could add a GitHub action that runs on every push. Doesn't actually have to do anything as long as the task succeeds.

@chdsbd

chdsbd commented Jun 19, 2020

If you don't mind adding another GitHub Bot to the mix, I built an open source bot called Kodiak which supports auto merging pull requests.

There are specific instructions for using Kodiak with Dependabot here: https://kodiakhq.com/docs/recipes#automated-dependency-updates-with-dependabot

Also, there are a ton of other GitHub Bots doing similar things. Here's a non-exhaustive list: https://kodiakhq.com/docs/prior-art-and-alternatives

@jrjohnson

@infin8x I understand the security concerns and wanting to make this something we have to do intentionally, but I haven't found a bot that can distinguish the package name and semver bump before merging. If this isn't going to be supported in Dependabot directly, is there a way to add labels based on names and semver?

An example of our current config:

automerged_updates:
    - match:
        dependency_name: "eslint"
    - match:
        update_type: "semver:minor"
        dependency_name: "@fortawesome/free-brands-svg-icons"

We don't want to automerge everything (or even most things) so automerging based on a label applied to every update doesn't work, we'd need to be able to label based on the same criteria we used to auto merge with.

@seanconnollydev

@infin8x I understand the security concern, but we were hoping to set our target_branch to something that is not our default branch and then auto-merge into that branch to limit the number of PRs that get opened per project. Many integration services like Chromatic, Heroku, etc. have costs associated with each PR that gets created in a repo, so this is an important capability for us. I think you need to reconsider this policy to at least allow auto-merge on non-default branches.

@danielbachhuber

@chdsbd Can Kodiak distinguish between patch, minor, and major versions?

@chdsbd

chdsbd commented Aug 19, 2020

@danielbachhuber Sadly not.

There was a discussion about adding that kind of metadata in a structured form via probot metadata, but I don't think that's gone anywhere yet.

#2294 would also make automatic updates based on type easy.

A potentially less robust solution would be to parse the update type from the PR description.

Assuming the following example is consistent, I think a GitHub Action could label the PR based on the PR description:

> Bumps eslint from 7.6.0 to 7.7.0.
>
> ...more content...

Here's an example script that could probably be integrated into some GitHub Action or bot:

https://runkit.com/chdsbd/5f3c822e5eda78001ac183df

const semver = require('semver')

const PR_DESCRIPTION = `\
Bumps eslint from 7.6.0 to 7.7.0.
Release notes
Sourced from ...`

const regex = /^Bumps\s.*\sfrom\s(.*)\sto\s(.*)\./;

/* determine the update type (major, premajor, minor, preminor, patch, prepatch, or prerelease) from a dependabot PR */
function parseUpdateType(x) {
  const match = x.match(regex)
  const prevVersion = match[1]
  const newVersion = match[2]
  return semver.diff(prevVersion, newVersion)
}

parseUpdateType(PR_DESCRIPTION)
/* equals "minor" */
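Building on the script above and on the name-plus-bump policy jrjohnson asked for earlier in the thread, here is an added example (not code from this thread, from Dependabot or from any of the bots mentioned) that parses the "Bumps X from A to B" line, classifies the bump without the npm `semver` package, and checks it against an allow-list of rules in the shape of the Preview-era `automerged_updates` config. It goes a little beyond the snippet above: it also accepts the markdown-link form of the package name (`[name](url)`) and a title starting with "Bump", and it refuses downgrades, pre-releases and anything it cannot parse. The policy rules, the reading of `semver:minor` as "minor or smaller", and all sample inputs are assumptions made for the example.

```javascript
// Added example, not code from this thread or from Dependabot: classify a
// Dependabot PR by package name and semver bump, then apply an allow-list
// policy in the shape of the Preview-era `automerged_updates` rules.
// No npm packages are required; a minimal x.y.z comparator is inlined.

// Matches the bump line of a Dependabot PR title/body. Handles the plain form
// "Bumps eslint from 7.6.0 to 7.7.0." and the form where the name is a
// markdown link "[eslint](https://...)". The `m` flag lets it match a body
// whose bump line is not the first line.
const BUMP_RE = /^Bumps?\s+(?:\[([^\]]+)\]\([^)]*\)|(\S+))\s+from\s+(\S+)\s+to\s+(\S+)/m;

function parseBump(text) {
  const m = BUMP_RE.exec(text);
  if (!m) return null;
  return {
    name: m[1] || m[2],
    from: m[3].replace(/\.$/, ''),
    to: m[4].replace(/\.$/, ''), // strip the sentence-ending period
  };
}

// Parse "1.2.3", "v1.2.3" or "1.2.3-beta.1"; returns null for anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

function compareCore(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// Returns "major" | "minor" | "patch" | "prerelease" | "downgrade",
// or null when a version is unparseable or nothing changed.
function updateType(from, to) {
  const a = parseVersion(from);
  const b = parseVersion(to);
  if (!a || !b) return null;
  const c = compareCore(a, b);
  if (c > 0) return 'downgrade';
  if (c === 0) return a.pre === b.pre ? null : 'prerelease';
  if (a.major !== b.major) return 'major';
  if (a.minor !== b.minor) return 'minor';
  return 'patch';
}

const RANK = { patch: 1, minor: 2, major: 3 };

// Assumed policy (constructed to mirror the config quoted earlier): a rule
// without update_type allows any bump for that name; "semver:minor" is read
// here as "minor or smaller" (assumption about the Preview semantics).
const POLICY = [
  { dependency_name: 'eslint' },
  { dependency_name: '@fortawesome/free-brands-svg-icons', update_type: 'semver:minor' },
];

function ruleAllows(rule, bump, type) {
  if (rule.dependency_name !== bump.name) return false;
  if (!rule.update_type) return true;
  const max = RANK[rule.update_type.replace(/^semver:/, '')];
  return max !== undefined && RANK[type] <= max;
}

// Decide whether a PR described by `prText` may be auto-merged under `policy`.
function evaluate(prText, policy = POLICY) {
  const bump = parseBump(prText);
  if (!bump) return { allowed: false, reason: 'could not parse bump line' };
  const type = updateType(bump.from, bump.to);
  if (!(type in RANK)) {
    return { allowed: false, reason: `refusing ${type || 'no-op'} update`, bump, type };
  }
  const allowed = policy.some((r) => ruleAllows(r, bump, type));
  return { allowed, reason: allowed ? 'matched policy' : 'no matching rule', bump, type };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample body in the shape quoted earlier in the thread.
  const sample = 'Bumps [eslint](https://github.com/eslint/eslint) from 7.6.0 to 7.7.0.\nRelease notes\n';
  console.log(evaluate(sample));
}
```

The decision is deliberately conservative: an unparseable title, a grouped update, a downgrade or a pre-release all fall through to "not allowed", so a bot built on this would leave anything unexpected for a human rather than merge it.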

@timja

timja commented Sep 22, 2020

In our org we have automerge setup for when branch conditions are met.
And we always require review, we like just being able to approve a PR and then it automatically merges.

It saves a few clicks in the UI and also means that if CI is retriggered it will merge after CI is green.

Saves having to type @dependabot merge, which isn't too bad, but it would be nice to get automerge back.

@nemchik

nemchik commented Sep 22, 2020

> In our org we have automerge setup for when branch conditions are met.
> And we always require review, we like just being able to approve a PR and then it automatically merges.
>
> It saves a few clicks in the UI and also means that if CI is retriggered it will merge after CI is green.
>
> Saves having to type @dependabot merge, which isn't too bad, but it would be nice to get automerge back.

That makes me wonder if you could set up a GHA to auto-comment @dependabot merge when a PR is approved in review. Doesn't solve people wanting unattended auto-merge, but might solve your use case.

@timja

timja commented Sep 22, 2020

I can do that, but it just means adding another GitHub Action all over the place; previously we were able to control this in org settings in Dependabot, which was nice.

@mathiasrw

> There is no automerging support in GitHub-native Dependabot [...] Several 3rd-party GitHub Actions and bots can replicate the automerge feature.

I must say this is the least helpful feature migration help I have ever encountered. What about putting a link to somewhere where you can read about what to do?

Preferably a one-click-to-deploy action that just works.


@Andrew-Chen-Wang

Andrew-Chen-Wang commented Oct 1, 2020

Edit: Use this instead: https://github.com/SimpleJWT/drf-SimpleJWT-React/blob/7fe37747f9b4385faeaf5ec57b650ff21d82c1ae/.github/workflows/automerge.yml#L1

It takes advantage of the wait-for-status-check GitHub Action and the automerge GitHub Action (which can delete the branch).


Old Response:

For anyone looking for auto-merge, I believe there is a marketplace GitHub Action that can do it for you, but I've also created a GitHub Action file here: cookiecutter/cookiecutter-django#2868, but credit goes to the Medium blog post that I took the code from. I can't seem to find the blog post anymore, but I hope that file helps anyone who wants further configuration! (EDIT: Found it! https://medium.com/@toufik.airane/automerge-github-dependabot-alerts-with-github-actions-7cd6f5763750):

Quickly, here are the file contents:

name: "Dependabot Automerge - Action"

on:
  pull_request:

jobs:
  worker:
    runs-on: ubuntu-latest

    if: github.actor == 'dependabot[bot]'
    steps:
      - name: automerge
        uses: actions/[email protected]
        with:
          script: |
            github.pullRequests.createReview({
              owner: context.payload.repository.owner.login,
              repo: context.payload.repository.name,
              pull_number: context.payload.pull_request.number,
              event: 'APPROVE'
            })
            github.pullRequests.merge({
              owner: context.payload.repository.owner.login,
              repo: context.payload.repository.name,
              pull_number: context.payload.pull_request.number
            })
          github-token: ${{github.token}}

@mathiasrw

Does anyone know if this will auto-merge whatever PR from a user who changed their username to dependabot[bot]?

@mwaddell
Contributor

I agree that dependabot should not set auto-merge due to the security issues it raises. If you really know what you're doing and really want auto-merge, just use something like https://github.com/marketplace/actions/enable-automerge-action

@jeffwidman jeffwidman added the service 💁 Relates to Dependabot features GitHub provides label Mar 10, 2023
@abdulapopoola abdulapopoola moved this to Untriaged in Dependabot Mar 30, 2023
@jeffwidman jeffwidman changed the title Dependabot auto merge not working Support auto merge in Dependabot May 12, 2023
@joriswitteman

joriswitteman commented Jul 18, 2023

For the sake of discussion, what's the difference between the security concerns of Auto Merge versus that of a human pressing Merge? Wouldn't the human be just as oblivious to new vulnerabilities in the updated dependency as dependabot? What if the repo already has required checks in place in the PR actions that run security scans?

@jsoref
Contributor

jsoref commented Jul 18, 2023

An adult can read the source code changes for the dependency before merging the PR.

It's true that not all humans will be able to understand the changes, but a human could.

Also, if you wait a bit on a dependency update, it's possible that if there is a problem with the update, some other human will report it in a place the human could discover it.

A baby just tapping on buttons and triggering a merge without understanding the consequences of their actions otoh is dangerous. They're cute 👶, but dangerous if left unattended.

@shepherdjerred

shepherdjerred commented Jul 18, 2023

If the reason this isn't added is because of security concerns, couldn't there be an option to delay dependency updates by some amount of time, e.g. 1 month after release, so that new dependency updates are at least a month old and can be safely auto-merged?

@andyw8

andyw8 commented Jul 21, 2023

Depfu has an option similar to this: https://docs.depfu.com/article/36-reasonably-up-to-date
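As an added illustration of the waiting-period idea discussed in the last few comments (not code from this thread, from Dependabot or from Depfu): refuse a proposed version until it has been public for a minimum number of days, using a registry document in the shape of the npm registry's per-package `time` map (version → ISO publish timestamp). The package name, versions and dates below are constructed, the helper names are assumptions, and `newestMatureVersion` orders candidates by publish date rather than by semver to keep the example short.

```javascript
// Added example, not code from this thread, from Dependabot or from Depfu:
// refuse a proposed version until it has been public for a minimum number of
// days. The input mirrors the npm registry's per-package `time` map
// (version -> ISO publish timestamp). The document below is constructed.

const SAMPLE_REGISTRY_DOC = {
  name: 'example-pkg', // constructed, not a real package
  'dist-tags': { latest: '2.1.0' },
  time: {
    created: '2023-01-10T00:00:00.000Z',
    modified: '2024-06-30T12:00:00.000Z',
    '2.0.0': '2024-04-01T09:00:00.000Z',
    '2.0.1': '2024-05-20T09:00:00.000Z',
    '2.1.0': '2024-06-30T12:00:00.000Z',
  },
};

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Age of `version` in days, or null if the registry has no usable timestamp for it.
function publishAgeDays(doc, version, now = Date.now()) {
  const stamp = doc && doc.time ? doc.time[version] : undefined;
  if (typeof stamp !== 'string') return null;
  const published = Date.parse(stamp);
  if (Number.isNaN(published)) return null;
  return (now - published) / MS_PER_DAY;
}

// Gate: unknown versions, timestamps in the future (clock skew or bad data)
// and versions younger than `minDays` are all refused.
function oldEnough(doc, version, minDays, now = Date.now()) {
  const age = publishAgeDays(doc, version, now);
  if (age === null) return { ok: false, reason: `no publish timestamp for ${version}` };
  if (age < 0) return { ok: false, reason: 'publish timestamp is in the future' };
  if (age < minDays) return { ok: false, reason: `only ${age.toFixed(1)} days old, need ${minDays}` };
  return { ok: true, reason: `${age.toFixed(1)} days old`, ageDays: age };
}

// The most recently published version that already satisfies the waiting
// period: the candidate an updater could propose instead of `latest`.
// Ordered by publish date, not by semver (simplifying assumption).
function newestMatureVersion(doc, minDays, now = Date.now()) {
  let best = null;
  for (const [version, stamp] of Object.entries(doc.time || {})) {
    if (version === 'created' || version === 'modified') continue; // not versions
    if (!oldEnough(doc, version, minDays, now).ok) continue;
    const t = Date.parse(stamp);
    if (best === null || t > best.t) best = { version, t };
  }
  return best ? best.version : null;
}

if (typeof require !== 'undefined' && require.main === module) {
  const now = Date.parse('2024-07-05T12:00:00Z'); // fixed clock for a reproducible run
  console.log(oldEnough(SAMPLE_REGISTRY_DOC, '2.1.0', 30, now));
  console.log(newestMatureVersion(SAMPLE_REGISTRY_DOC, 30, now));
}
```

Passing `now` explicitly keeps the decision reproducible in tests and in CI logs; with the constructed document and a 30-day window, `2.1.0` is refused as five days old while `2.0.1` is the newest version that qualifies.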

@mynkow

mynkow commented Apr 3, 2024

🍿

@jonjanego jonjanego added the Keep Exempt this from being marked by stalebot label May 2, 2024
@pwbriggs

pwbriggs commented May 19, 2024

> An adult can read the source code changes for the dependency before merging the PR.
>
> It's true that not all humans will be able to understand the changes, but a human could.

@jsoref I see your point, but (at least in my experience) nobody checks the source changes of their upstream deps anyway. Though we can (and probably should), we don't.

I don't know. It's something to consider. 🤷

@shepherdjerred

> @jsoref I see your point, but (at least in my experience) nobody checks the source changes of their upstream deps. Though we can (and probably should), we don't.
>
> I don't know. It's something to consider. 🤷

Is this an argument against auto-merging, or against updating third-party dependencies in general?

@pwbriggs

This comment was marked as resolved.

@shepherdjerred

shepherdjerred commented May 19, 2024

Thank you for clarifying :)

As an aside, I've set up Dependabot auto-merging with a simple GitHub Action, though I would still like to see this as a native option for Dependabot.

name: Dependabot auto-merge
on: pull_request


permissions:
  pull-requests: write
  contents: write


jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/[email protected]
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Enable auto-merge for Dependabot PRs
        run: gh pr merge --auto --rebase "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

Heiss added a commit to Heiss/digital-garden that referenced this issue May 21, 2024
@justinmchase

> We recommend always verifying your dependencies before merging them.

Isn't that what status checks are?

@jsoref
Contributor

jsoref commented Jun 18, 2024

Status checks are automated. The wording implies a human reasoning through things.

Status checks generally don't check for malicious code, just correctness for certain basic cases.

@piotrjak

piotrjak commented Jul 4, 2024

@shepherdjerred I've used your GitHub Action, but my org requires two reviews before a PR can be merged. I've added a Ruleset for that and added Dependabot to the Bypass list, but PRs still aren't merged.
I think this may be related to https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository - "The actor can then choose to bypass any branch protections and merge that pull request." - but I don't know how to make Dependabot bypass the protections.

[Screenshot: Ruleset]

[Screenshot: PR]

@shepherdjerred

shepherdjerred commented Jul 7, 2024

@piotrjak Renovate gets around this with GitHub apps:

There might be similar bots for Dependabot. A cursory search found this:

I'd recommend checking out Renovate. I appreciate the Dependabot project, but Renovate is much more feature rich.

Anyway, this issue isn't really related to this thread. You have auto-merge enabled; you're now fighting GitHub's auto-merge feature.

Projects
Status: Planned