Sindre Bøyum
Use depfu and Mergify to automatically merge dependency updates

Over the years I have accumulated quite a few free-time projects that, one after another, have become stale. Security alerts keep rolling in, and getting every project up to date is exhausting and can feel overwhelming. Let's automate this task!

depfu

For some time I updated the projects manually, but this became far too time consuming. Enter depfu, a service (free for open source projects) that keeps your project's dependencies up to date by proposing pull requests (PRs) whenever a new version of a dependency is released. Renovate is a similar service and would work the same way for the purposes of this tutorial. Depfu has made my life much easier: it creates the PRs automatically, and the only job left for me is to approve and merge them. This is all well and good, but with many projects even that becomes tedious. Let's automate the task even further!

Mergify

Mergify can merge PRs automatically and lets us define rules for when that should happen. Together, depfu and Mergify can automatically keep our dependencies updated.

Actual tutorial

Step 1: Create depfu and Mergify accounts

Before we can start configuring these tools, we need to create an account in each service and grant the services the required permissions. Both are installed as GitHub Apps and need write access to the repositories they manage (depfu to open PRs, Mergify to approve and merge them), so install them only on the repositories you actually intend to automate. Once this is done, depfu will start creating dependency update PRs in the projects that were added in the depfu GUI.

Step 2: Configure Mergify

We can configure Mergify in a .mergify.yml file placed in the root of our project. Mergify has a great many example configurations, which are very helpful when you are new to the tool. The configuration format is very powerful, but our task is quite simple and doesn't need much writing:

pull_request_rules:
  - name: Automatic merge for depfu pull requests
    conditions:
      - author=depfu[bot]
      - base=main # or master
    actions:
      merge:
        method: merge

That's actually all that we need! The first condition ensures that it really was depfu that created the PR: the [bot] suffix belongs to the GitHub App installation, and ordinary GitHub usernames cannot contain brackets, so a human account cannot impersonate it. The second condition checks that the PR targets the main branch. Now every pull request created by depfu against main will be merged automatically.

Is automating this a good idea?

We should ask ourselves whether we actually want dependency updates to be merged automatically. They should be subject to review and should perhaps not be merged into the codebase uncritically. This can be mitigated by running automated tests and build scripts on every commit and marking those checks as required in the branch protection rules: Mergify respects branch protection and will not merge a PR while a required check fails. Mergify also has another trick up its sleeve: we can match the PR's title against a regular expression. This combines neatly with the fact that depfu appends a (major), (minor) or (patch) label to the end of the PR title. The condition title~=\(patch\)$ matches only titles that end in (patch) (the backslashes escape the parentheses, and $ anchors the match to the end of the title), so major and minor updates are left for manual review. Our final Mergify config now looks like this:

pull_request_rules:
  - name: Automatic merge for depfu pull requests
    conditions:
      - author=depfu[bot]
      - base=main # or master
      - title~=\(patch\)$
    actions:
      merge:
        method: merge

PRs in my repository must be reviewed before merge

Oh, do they now? As said before, Mergify waits until no required checks fail, and that includes required reviews. No problem (thanks, Julien Danjou)! We can automate the PR review as well. Note that the approval rule below has no base or title condition, so it approves every depfu PR, including major and minor updates; only the merge rule filters on (patch). If you intend to review those by hand, give the approval rule the same conditions as the merge rule so that a bot approval never stands in for the review you meant to do. Let's add to .mergify.yml:

pull_request_rules:
  - name: Automatic approval for depfu pull requests
    conditions:
      - author=depfu[bot]
    actions:
      review:
        type: APPROVE

  - name: Automatic merge for depfu pull requests
    conditions:
      - author=depfu[bot]
      - base=main # or master
      - title~=\(patch\)$
    actions:
      merge:
        method: merge
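To see what the final configuration does before trusting it with a repository, it helps to evaluate the two rules against a handful of pull requests by hand. The script below is an added example, not part of the original post and not Mergify's own code: it re-implements the rule semantics the article relies on (every condition in a rule must hold; = is an exact comparison; ~= is a regex search, which is why the trailing $ matters) and runs both rules over constructed PRs whose titles imitate depfu's (patch)/(minor)/(major) suffix. The PullRequest class, RULES table and sample titles are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PullRequest:
    """Minimal stand-in for the PR attributes the rules above look at (hypothetical)."""
    author: str
    base: str
    title: str


# The two rules from the final .mergify.yml, as (attribute, operator, value) triples.
RULES = {
    "approve": [
        ("author", "=", "depfu[bot]"),
    ],
    "merge": [
        ("author", "=", "depfu[bot]"),
        ("base", "=", "main"),
        ("title", "~=", r"\(patch\)$"),
    ],
}


def condition_holds(pr: PullRequest, attr: str, op: str, value: str) -> bool:
    actual = getattr(pr, attr)
    if op == "=":
        return actual == value
    if op == "~=":
        # Assumption: ~= is an unanchored regex search, so the rule's own
        # trailing $ is what pins "(patch)" to the end of the title.
        return re.search(value, actual) is not None
    raise ValueError(f"unsupported operator: {op!r}")


def actions_for(pr: PullRequest, rules=RULES) -> set[str]:
    """Names of the rules whose conditions all hold (conditions are ANDed)."""
    return {
        name
        for name, conditions in rules.items()
        if all(condition_holds(pr, *cond) for cond in conditions)
    }


# Constructed sample PRs (titles imitate depfu's style; they are not real PRs).
SAMPLE_PRS = [
    PullRequest("depfu[bot]", "main", "Update lodash: 4.17.20 → 4.17.21 (patch)"),
    PullRequest("depfu[bot]", "main", "Update react: 16.14.0 → 17.0.1 (major)"),
    PullRequest("depfu[bot]", "develop", "Update eslint: 7.2.0 → 7.2.1 (patch)"),
    PullRequest("octocat", "main", "Update lodash: 4.17.20 → 4.17.21 (patch)"),
    PullRequest("depfu[bot]", "main", "Update foo (patch) and bar (minor)"),
]


def evaluate(prs=SAMPLE_PRS) -> list[set[str]]:
    """Evaluate every sample PR; index i of the result belongs to prs[i]."""
    return [actions_for(pr) for pr in prs]


if __name__ == "__main__":
    for pr, actions in zip(SAMPLE_PRS, evaluate()):
        print(f"{pr.author:<11} {pr.base:<8} {pr.title!r}: {sorted(actions) or ['no action']}")
```

Only the first sample is both approved and merged. The major update, the PR against develop and the title with (patch) in the middle all still receive the bot approval but are not merged, which is exactly the gap the note above the configuration warns about; the PR from a human author matches nothing.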

Done!

Now, with these new apps and actions, dependency update pull requests will be created, reviewed and merged 🌼automatically🌼! The GitHub Marketplace is filled with gems like these and I encourage you all to explore the list to make life easier and more automated!

Discussion (2)

Julien Danjou

Excellent! You could actually also leverage Mergify to review your PR, that'd be even simpler: docs.mergify.io/actions/review/

Sindre Bøyum (Author)

Thanks! I'll definitely try this out!