How to autoupdate your repository dependences with Dependabot on Github

jokenpo

Eduardo Florêncio

Posted on August 30, 2022

How to autoupdate your repository dependences with Dependabot on Github

Have you ever suffered from errors when installing your project's dependencies with NPM? Or, using Dependabot, did you let a bunch of dependency alerts accumulate that have been updated for months?

So I think this little tutorial will help you!

But first…

What is Dependabot?

According to its own description, Dependabot is a bot that helps you keep your dependencies up to date. Every day, it checks your dependency files for outdated requirements and opens individual PRs for any it finds. You review, merge, and get to work on the latest, most secure releases.

How to install dependabots in my repository

Inside your Github repository, go to:
Settings > [ Security ] > _Code security and analysis
_
and then, activate the “Dependabot version updates”.
click Configure and the code you will see will look like this:

version: 2
updates:
  - package-ecosystem: npm
    directory: '/'
    schedule:
      interval: daily
      time: '02:00'
    open-pull-requests-limit: 10
Enter fullscreen mode Exit fullscreen mode

What is configured in this first code is that it will run daily at 2:00 am.

Here a BONUS setting if you want to change the branch it will open the PR and the label if you want to change. You can manually add them at the end of the code above.

    # BONUS
    # Raise pull requests for version updates
    # to pip against the `develop` branch
      target-branch: "dev"
    # Labels on pull requests for version updates only
          labels:
          - "dependecies"
Enter fullscreen mode Exit fullscreen mode

It will be in the root of your repository like this:

Repository tree

Okay, your repository is already configured with Dependabot. So daily you will check if the dependencies of this project are outdated.

There's only one problem: if you don't merge it, it will continue to be just a PR.

How to automate dependabot merge

With Github Actions we were able to automate the process of merging PRs created by Dependabot.

Go to Actions inside your Github repository and then New Workflow.
There are several Actions already ready. You can choose any template and then delete all the content and paste this code:

name: 'Dependabot Automerge - Action'

on:
  pull_request:

permissions:
  pull-requests: write
  issues: write

jobs:
  worker:
    runs-on: ubuntu-latest

    if: github.actor == 'dependabot[bot]'
    steps:
      - name: 'Wait for status checks'
        id: waitforstatuschecks
        uses: WyriHaximus/github-action-wait-for-status@v1.2.0
        with:
          ignoreActions: worker,WIP
          checkInterval: 60
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: 'Automerge'
        uses: pascalgn/automerge-action@v0.11.0
        if: steps.waitforstatuschecks.outputs.status == 'success'
        env:
          MERGE_LABELS: ''
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          MERGE_DELETE_BRANCH: true
Enter fullscreen mode Exit fullscreen mode

With it, every time a pull request is opened by Dependabot it will be checked if there was no conflict with the dependency update and it will merge if everything is ok.

So your repository will look like this:

Repository tree with all config

Now your project updates its dependencies automatically!

References:

💖 💪 🙅 🚩
jokenpo
Eduardo Florêncio

Posted on August 30, 2022

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related