Have you ever run into errors when installing your project's dependencies with NPM? Or, with Dependabot enabled, have you let a pile of dependency alerts accumulate for updates that have been available for months?
Then I think this little tutorial will help you!
But first…
What is Dependabot?
According to its own description, Dependabot is a bot that helps you keep your dependencies up to date. Every day, it checks your dependency files for outdated requirements and opens individual PRs for any it finds. You review, merge, and get to work on the latest, most secure releases.
How to install Dependabot in my repository
Inside your GitHub repository, go to:
Settings > [ Security ] > Code security and analysis
and then activate “Dependabot version updates”.
Click Configure and the code you will see will look like this:
```yaml
version: 2
updates:
  - package-ecosystem: npm
    directory: '/'
    schedule:
      interval: daily
      time: '02:00'
    open-pull-requests-limit: 10
```
This first configuration makes Dependabot check for updates daily at 2:00 am.
Here is a BONUS setting if you want to change the branch the PR is opened against, and the labels put on it. You can add these manually at the end of the code above, indented under the same `updates` entry.
```yaml
    # BONUS
    # Raise pull requests for version updates
    # to npm against the `dev` branch
    target-branch: "dev"
    # Labels on pull requests for version updates only
    labels:
      - "dependencies"
```
It will be in the root of your repository like this:
Okay, your repository is now configured with Dependabot. Every day it will check whether the dependencies of this project are outdated.
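Putting the base configuration and the BONUS settings together in one file, as an added example that is not the post's own file: the bonus keys sit indented inside the same `updates` entry, and a second entry uses the `github-actions` ecosystem (a standard Dependabot option) so the actions pinned in your workflow files get version-update PRs too. The `dev` branch name and the label are carried over from the post; the weekly interval for the second entry is an assumption.

```yaml
# .github/dependabot.yml (added example, not the post's own file)
version: 2
updates:
  # npm dependencies, checked daily at 02:00
  - package-ecosystem: npm
    directory: '/'
    schedule:
      interval: daily
      time: '02:00'
    open-pull-requests-limit: 10
    # BONUS settings belong at this indentation level, inside the same entry
    target-branch: "dev"
    labels:
      - "dependencies"
  # Also keep the pinned actions in .github/workflows/*.yml current,
  # so a workflow that automerges Dependabot PRs is itself kept up to date
  - package-ecosystem: github-actions
    directory: '/'
    schedule:
      interval: weekly
```

For the `github-actions` ecosystem `directory: '/'` is the expected value; Dependabot looks in `.github/workflows` from there.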
There's only one problem: if you don't merge it, it will continue to be just a PR.
How to automate Dependabot merges
With GitHub Actions we can automate the process of merging the PRs created by Dependabot.
Go to Actions inside your GitHub repository and then New workflow.
There are several ready-made Actions. You can choose any template, delete all of its content and paste this code:
```yaml
name: 'Dependabot Automerge - Action'
on:
  pull_request:
permissions:
  pull-requests: write
  issues: write
jobs:
  worker:
    runs-on: ubuntu-latest
    # Only run for pull requests opened by Dependabot itself
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: 'Wait for status checks'
        id: waitforstatuschecks
        uses: WyriHaximus/github-action-wait-for-status@v1.2.0
        with:
          # Ignore this job (and any WIP check) so it does not wait on itself
          ignoreActions: worker,WIP
          checkInterval: 60
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: 'Automerge'
        uses: pascalgn/automerge-action@v0.11.0
        # Merge only when every other status check succeeded
        if: steps.waitforstatuschecks.outputs.status == 'success'
        env:
          MERGE_LABELS: ''
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          MERGE_DELETE_BRANCH: true
```
With it, every time Dependabot opens a pull request, the workflow waits for the other status checks to finish and merges the PR only if they all succeeded; the `if: github.actor == 'dependabot[bot]'` condition keeps the job from running for anyone else's pull requests.
So your repository will look like this:
Now your project updates its dependencies automatically!