Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for automerge in GitHub Native Dependabot #2268

Closed
UziTech opened this issue Jun 30, 2020 · 44 comments
Closed

Support for automerge in GitHub Native Dependabot #2268

UziTech opened this issue Jun 30, 2020 · 44 comments
Labels
T: feature-request Requests for new features

Comments

@UziTech
Copy link

UziTech commented Jun 30, 2020

The automerged_updates options seems to have been removed in v2 according to the docs. Is there a way to automerge v2?

@feelepxyz
Copy link
Contributor

@UziTech sadly yes, we've got this issue tracking automerging support with a few community-suggested alternatives: #1973

Will close this out as duplicate.

@UziTech
Copy link
Author

UziTech commented Jun 30, 2020

@feelepxyz I saw that issue but it is about v1. I am asking about v2

@feelepxyz
Copy link
Contributor

@UziTech ah yes sorry that issue is confusing. Here's the comment reffering to v2 support: #1823 (comment)

@UziTech
Copy link
Author

UziTech commented Jun 30, 2020

@feelepxyz It seems like the comments about automerging in v2 are spread into issues about other things. I still feel like this isn't a duplicate of any of those since none of those issues are specifically about auto-merge in v2. Some of them are also closed making it harder for a person to find them. I think it would be easier for people to find the reasoning behind the removal if this issue remained open until it is resolved.

Though I feel like a link to this #1823 (comment) is good enough for an answer for now.

@feelepxyz feelepxyz reopened this Jun 30, 2020
@UziTech
Copy link
Author

UziTech commented Jul 7, 2020

In case anyone wants the ability to auto merge you can accomplish this with github actions:

The token used must have public_repo permission for public repos or repo permission for private repos to push to the repo so the default secrets.GITHUB_TOKEN won't work.

  ...
  Automerge:
    needs: [Test, Lint]
    runs-on: ubuntu-latest
    if: |
      github.actor == 'dependabot[bot]' &&
      github.event_name == 'pull_request' &&
      startsWith(github.event.pull_request.title, 'chore(deps-dev):')
    steps:
      - name: '@dependabot merge'
        uses: actions/github-script@v2
        with:
          github-token: ${{secrets.GH_TOKEN}}
          script: |
            await github.issues.createComment({
              owner: context.payload.repository.owner.login,
              repo: context.payload.repository.name,
              issue_number: context.payload.pull_request.number,
              body: '@dependabot merge'
            })

@Clumsy-Coder
Copy link

@UziTech I'm having trouble with which Personal Access Token scope to use. You said you need either public_repo or push permission. Which scope permission is that (the push permission)?

@UziTech
Copy link
Author

UziTech commented Jul 20, 2020

@Clumsy-Coder If it is a public repo this is all you should need:

image

There isn't a permission called "push" but any token that is able to push commits should work.

@Clumsy-Coder
Copy link

@UziTech I'm using a private repo. Do I need repo permission (and all it's sub permissions)?

@UziTech
Copy link
Author

UziTech commented Jul 20, 2020

Yes I believe repo permission is needed to push to private repos.

@Clumsy-Coder
Copy link

@UziTech Thanks. That worked.

@ZebraFlesh
Copy link

It seems like this solution fails with protected branches? (The dependabot user can't be granted access to push to a protected branch.)

@UziTech
Copy link
Author

UziTech commented Aug 26, 2020

@ZebraFlesh you can try using the pascalgn/automerge-action to merge with a user other than dependabot.

@ZebraFlesh
Copy link

@UziTech Thanks, that's an interesting work around. However, I'm not thrilled about consuming yet more Actions minutes because dependabot broke the merge command in v2. I'm going to stick with v1 until this is fixed.

@peaceiris
Copy link

We got the alternative here: https://twitter.com/github/status/1336360682221133827?s=20

Check out auto-merge! Now, when your branch protection rules are met, your changes approved, and your checks are green, GitHub can automatically merge your pull request for you.

@UziTech
Copy link
Author

UziTech commented Dec 9, 2020

@peaceiris Is that a button that you have to push on every pull request? This issue is more about not even having to look at the pull request or need any human interaction for merging dependency updates.

@peaceiris
Copy link

peaceiris commented Dec 9, 2020

We do not know the details yet. It will start rolling out next week. I hope we can set the auto-merge for a whole repository/account without approval.

@UziTech
Copy link
Author

UziTech commented Dec 9, 2020

According to the roadmap it will be a button that can be pressed when a PR is submitted by a person with push access. I don't think this will do anything for dependabot ☹.

github/roadmap#107

@UziTech
Copy link
Author

UziTech commented Mar 10, 2021

It seems like all of these automerge work arounds are failing now since dependabot does not have access to any secrets in the repository.

https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

@mercuriete
Copy link

as @UziTech said, we can't use personal access tokens on Github actions triggered from dependabot.
So we cant use any plugin or implement a custom solution because of that.

I think it's time to raise the priority of this bug.

Thanks for your awesome work.

@dentarg
Copy link

dentarg commented Mar 10, 2021

Looks like it could be possible to still workaround it, with the on: workflow_run: ... technique shown in https://securitylab.github.com/research/github-actions-preventing-pwn-requests?

@feelepxyz
Copy link
Contributor

👋 Sorry for the inconvenience this change has caused. We know it's a pain to rejig workflows around this new limitation but we felt it was necessary considering the potential risk.

We've put together a sample workflow for updating a dependabot pr that might be a useful reference for automerging using actions: https://github.com/dependabot/dependabot-actions-workflow/tree/main/.github/workflows

@JustArchi
Copy link

JustArchi commented May 2, 2021

I've also replaced dependabot with renovate bot, and I can recommend everybody interested doing the same. I don't know what was so difficult in renaming automerge: true to i-know-what-im-doing-and-understand-the-risks-so-automerge-please: true and keeping perfectly valid feature, but it's no longer any concern of mine.

The fact that you've decided to announce the shutdown of native Dependabot before resurrecting this feature as part of your "investigation" in #1823 (comment) was the final nail in the coffin for me. Defending your decision with that argument yet recommending people to use third-party solutions to re-enable automerge is a total hypocrisy to me.

So long dependabot, yet another great product that went downhill after acquisition.

@UziTech
Copy link
Author

UziTech commented May 3, 2021

For anyone looking for a work around here is a simple script that uses workflow_run to merge dependabot PRs:

name: "Automerge"
on:
  workflow_run:
    workflows:
      - CI
    types:
      - completed

jobs:
  Automerge:
    runs-on: ubuntu-latest
    if: |
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success'
    steps:
      - name: 'Merge PR'
        uses: actions/github-script@v4
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const pr = await github.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.payload.workflow_run.pull_requests[0].number,
            });
            if (!pr.data.title.startsWith('chore(deps-dev):')) {
              console.log('Not Merged 🚫');
              console.log(`Title '${pr.data.title}' does not start with 'chore(deps-dev):'`);
            } else if (pr.data.user.login !== 'dependabot[bot]') {
              console.log('Not Merged 🚫');
              console.log(`User '${pr.data.user.login}' does not equal 'dependabot[bot]'`);
            } else {
              await github.pulls.merge({
                owner: context.repo.owner,
                repo: context.repo.repo,
                pull_number: context.payload.workflow_run.pull_requests[0].number,
              });
              console.log('Merged 🎉');
            }

You can see it in action here.

@asciimike
Copy link
Contributor

asciimike commented Jun 4, 2021

And for folks who need metadata (e.g. name of the dependency, semver, dev/prod, etc.) we have published an action that provides this and have some info on how it can be used to enable GitHub's auto-merge: https://github.com/marketplace/actions/fetch-metadata-from-dependabot-prs#enabling-auto-merge. If folks want, it can also be re-purposed for any other approval or merge flow.

@Kocal
Copy link

Kocal commented Jun 4, 2021

Nice! That's really a great news. Thanks @asciimike!

@gitfool
Copy link

gitfool commented Jun 4, 2021

@asciimike good stuff! If I understand correctly, it follows that the simplest workflow I can have to just auto approve and auto merge all dependabot PRs would be:

name: Dependabot auto-approve and auto-merge
on: pull_request_target
permissions:
  pull-requests: write
  content: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1.1.0
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Auto approve
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
      - name: Auto merge
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

This would still leverage the dependabot/fetch-metadata action to validate the author and all commits are from Dependabot.

@feelepxyz
Copy link
Contributor

feelepxyz commented Jun 7, 2021

@gitfool 👍

There are a few rough edges to be aware of around enabling auto-merging. It currently only works if a PR has a branch protection enabled with at least a required review or a required CI check, and these are still outstanding.

You'll need to enable auto-merge before approving the PR if you don't have CI and only require review. Here's an issue explaining the current limitation with the gc cli.

Here's a more in-depth answer about auto-merge requirements.

@merlinnot
Copy link

If anyone is looking for a holistic approach, my company is maintaining a Merge Me! Action which works with both Dependabot and other bots: https://github.com/marketplace/actions/merge-me.

@lucacome
Copy link

lucacome commented Jul 8, 2021

I'm trying to use the fetch-metadata action, but the PR is stuck on "Attempting to auto-merge..." (see dependabot/fetch-metadata#52).
I'm thinking this because it can't merge to protected branches that have restrictions on who can push? Is there a workaround?

@dep
Copy link

dep commented Jul 9, 2021

I had to do some slight tweaks to get dependency automerges working for me:

name: Dependabot Auto-Merge
on:
  pull_request:
    branches:
      - '*'
permissions:
  pull-requests: write
  contents: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]'  }}
    steps:
      - name: Approve a PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
      - name: Merge PR
        uses: actions/github-script@v4
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const pr = await github.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.payload.pull_request.number,
            });
            if (!pr.data.title.startsWith('chore(deps):')) {
              console.log('Not Merged 🚫');
              console.log(`Title '${pr.data.title}' does not start with 'chore(deps):'`);
            } else if (pr.data.user.login !== 'dependabot[bot]') {
              console.log('Not Merged 🚫');
              console.log(`User '${pr.data.user.login}' does not equal 'dependabot[bot]'`);
            } else {
              await github.pulls.merge({
                owner: context.repo.owner,
                repo: context.repo.repo,
                pull_number: context.payload.pull_request.number,
              });
              console.log('Merged 🎉');
            }

@lucacome
Copy link

I just wanted to let people know that it's still not possible to automerge with https://github.com/marketplace/actions/fetch-metadata-from-dependabot-prs#enabling-auto-merge if you have Restrict who can push to matching branches enabled.
Dependabot can't be added to the list. 😞

@jeffwidman
Copy link
Member

Closing as this discussion has run its course. I don't see us enabling auto-merge anytime soon for the reasons mentioned above, but there are several potential workarounds described in this issue for those "who really need it".

@jeffwidman
Copy link
Member

We are starting to look at some auto-merge use cases for very specific situations. We don't have details to share publicly yet, but you can follow this issue to get notified of further updates:

Please be mindful of https://github.com/dependabot/dependabot-core#no-1-comments, and instead 👍 the top post of that issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
T: feature-request Requests for new features
Projects
None yet
Development

No branches or pull requests