Raw Record Source

{
  "$type": "site.standard.document",
  "canonicalUrl": "https://rednafi.com/misc/automerge-dependabot-prs-on-github/",
  "description": "Automatically merge Dependabot pull requests using GitHub Actions. Configure branch protection and status checks for safe automated dependency updates.",
  "path": "/misc/automerge-dependabot-prs-on-github/",
  "publishedAt": "2022-07-07T00:00:00.000Z",
  "site": "at://did:plc:fgtm2c26vfcj74rfmeggbyqj/site.standard.publication/3mnl6f7ob462z",
  "tags": [
    "GitHub",
    "DevOps",
    "CLI"
  ],
  "textContent": "Whether I'm trying out a new tool or just prototyping with a familiar stack, I usually\ncreate a new project on GitHub and run all the experiments there. Some examples of these\nare:\n\n- [rubric]: linter config initializer for Python\n- [exert]: declaratively apply converter functions to class attributes\n- [hook-slinger]: generic service to send, retry, and manage webhooks\n- [think-async]: exploring cooperative concurrency primitives in Python\n- [epilog]: container log aggregation with Elasticsearch, Kibana & Filebeat\n\nWhile many of these prototypes become full-fledged projects, most end up being just one-time\njournies. One common theme among all of these endeavors is that I always include\ninstructions in the readme.md on how to get the project up and running - no matter how\nsmall it is. Also, I tend to configure a rudimentary CI pipeline that runs the linters and\ntests. GitHub Actions and [Dependabot] make it simple to configure a basic CI workflow.\nDependabot keeps the dependencies fresh and makes pull requests automatically when there's a\nnew version of a dependency used in a project.\n\nThings can get quickly out of hand if you've got a large collection of repos where the\nautomated CI runs periodically. Every now and then, I get a sizable volume of PRs in these\nfairly stale repos that I still want to keep updated. Merging these manually is a chore.\nLuckily, there are [multiple ways to automatically merge PRs] that GitHub offers. The\nworkflow that is documented here is the one I happen to like the most. I also think that\nthis process leads to the path of the least surprise. Instead of depending on a bunch of\nGitHub settings, we'll write a [GitHub Actions workflow to enable auto-merge] to automate\nthe process.\n\nFirst, you'll need to turn on the auto-merge option from the repository settings. To do so,\ngo to the repo's _settings_ tab and turn on the _Allow auto-merge_ option from the _Pull\nRequests_ section:\n\n![GitHub repository settings showing Allow auto-merge checkbox in Pull Requests section][image_1]\n\nNow, you probably don't want to mindlessly merge every pull request Dependabot throws at\nyou. You most likely want to make sure that a pull request triggers certain tests and it'll\nbe merged only if all of those checks pass. To do so, you can turn on [branch protection].\nFrom the _settings_ panel, select _Branches_ on the left panel:\n\n![GitHub settings Branches panel for adding branch protection rules][image_2]\n\nOnce you've selected the tab, add a branch protection rule to the target branch against\nwhich Dependabot will send the pull requests:\n\n![GitHub branch protection rule configuration with status checks enabled][image_3]\n\nIn this case, I'm adding the protection layer to the main branch. I've turned on the\n_Require status checks to pass before merging_ toggle and added the build step to the list\nof status checks that are required. Here, you can select any job from your CI files in the\n.github/workflows directory:\n\n![GitHub status checks dropdown showing build job selected as required check][image_4]\n\nOnce this is done, you can drop the following CI file in the .github/workflows directory\nof your repo. It's the same [automerge workflow file] that's currently living inside this\nsite's CI folder.\n\nFrom now on, every time Dependabot sends a merge request, the checks will be triggered and\nif all the mandatory checks pass, the automerge.yml workflow will merge it into the target\nbranch.\n\n\n\n\n[rubric]:\n    https://github.com/rednafi/rubric\n\n[exert]:\n    https://github.com/rednafi/exert\n\n[hook-slinger]:\n    https://github.com/rednafi/hook-slinger\n\n[think-async]:\n    https://github.com/rednafi/think-async\n\n[epilog]:\n    https://github.com/rednafi/epilog\n\n[dependabot]:\n    https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates\n\n[multiple ways to automatically merge PRs]:\n    https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request\n\n[github actions workflow to enable auto-merge]:\n    https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request\n\n[branch protection]:\n    https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches\n\n[automerge workflow file]:\n    https://github.com/rednafi/reflections/blob/master/.github/workflows/automerge.yml\n\n[image_1]:\n    https://blob.rednafi.com/static/images/automerge_dependabot_prs_on_github/img_1.png\n\n[image_2]:\n    https://blob.rednafi.com/static/images/automerge_dependabot_prs_on_github/img_2.png\n\n[image_3]:\n    https://blob.rednafi.com/static/images/automerge_dependabot_prs_on_github/img_3.png\n\n[image_4]:\n    https://blob.rednafi.com/static/images/automerge_dependabot_prs_on_github/img_4.png",
  "title": "Automerge Dependabot PRs on GitHub"
}