DEV Community

Christian Bewernitz


Tired of approving dependency PRs?

Dependency PRs?

I'm a huge fan of https://www.mend.io/renovate/ for updating dependencies PR by PR for multiple reasons.

So much that I even created a shared config at work with some nice docs.

Well, they have an automerge option, right?

Yes, and as of recently it is implemented by enabling "automerge" in GitHub!

But for most repositories it is reasonable to require somebody to review code changes before they land, which is why we have branch protection with some status checks and at least one reviewer approval.

And since we don't want the dependency PRs to get in the way, the default option we use is to only automatically create and update them outside of office hours.

And to reduce the cost of the GitHub Actions that are run for each dependency update PR, we only ever create one at a time.

Repeated manual work...

So

  • the creation of dependency update PRs is automated
  • and the testing is automated
  • but landing them still requires a human to approve. Outside of office hours. (So it's either unlikely to get more than a handful landed per day, or it encourages people to work outside of office hours.)

And this means they usually pile up, as is visible on the nice Dependency Dashboard Renovate offers.

... should be automated

I made some attempts at researching different options to solve this problem, like adding some GitHub app and configuring it or adding GitHub Actions that would take care of it, but it all sounded quite complicated, so I never really did anything about it.

Recently I listened to https://changelog.com/jsparty/287 and learned about https://val.town.
I registered while listening to the episode (using my GitHub account) and went through the short introduction tour.

I didn't immediately have an idea what to do with it, but I was sure it wouldn't take long.

Last week it hit me:
How difficult would it be to create a val that acts as a webhook for GitHub that would automatically approve PRs that are qualified?

githubWebhookApproveDependencyPRs | @karfau | Val Town

A webhook to approve dependency PRs created by bots

The webhook can be configured on the repo or on the org level

  • it needs to receive the workflow_runs events
  • it needs to have the webhookSecret configured (line 7)
  • it needs to send json payload

It will only approve if all of the following conditions are met:

  • the event action is completed and the workflow_run.conclusion has to be success
  • the event is related to exactly one pull request authored by one of the users listed in allowedAuthors (line 5)
  • the githubApiToken configured in line 9 needs to have repo access to the related repository
  • a branch protection has to be configured that requires a review and that requires at least one status check
  • the current value for dryRun is false (line 3)

If it approves the PR, it leaves a comment pointing to the website of this val.
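
The conditions listed above, written out as a fail-closed decision function together with the webhook signature check, as an added example that is not the val's own code. It assumes GitHub's `X-Hub-Signature-256` header scheme; `CONFIG`, `verifySignature`, `decide`, the `protection` object and the sample delivery are hypothetical names and constructed values, and the PR author and branch protection settings are passed in rather than fetched from the GitHub API.

```javascript
// Added example, not the val's code. CONFIG, verifySignature, decide and the
// protection object are hypothetical names; all sample values are constructed.
const { createHmac, timingSafeEqual } = require("node:crypto");

const CONFIG = {
  dryRun: false,
  allowedAuthors: ["renovate[bot]"],
  webhookSecret: "constructed-secret-for-example",
};

// GitHub signs the raw request body with HMAC-SHA256 and sends the result
// as "sha256=<hex>" in the X-Hub-Signature-256 header.
function verifySignature(secret, rawBody, header) {
  if (typeof header !== "string" || !header.startsWith("sha256=")) return false;
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(header.slice(7), "hex");
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return received.length === expected.length && timingSafeEqual(received, expected);
}

// Fail closed: any condition that does not hold means no approval.
// prAuthor and protection stand in for GitHub API lookups (assumption).
function decide(rawBody, signatureHeader, prAuthor, protection, config = CONFIG) {
  const no = (reason) => ({ approve: false, reason });
  if (!verifySignature(config.webhookSecret, rawBody, signatureHeader)) return no("bad signature");
  let event;
  try { event = JSON.parse(rawBody); } catch { return no("payload is not JSON"); }
  const run = event && event.workflow_run;
  if (!run || event.action !== "completed" || run.conclusion !== "success")
    return no("workflow run not completed successfully");
  if (!Array.isArray(run.pull_requests) || run.pull_requests.length !== 1)
    return no("not exactly one pull request");
  if (!config.allowedAuthors.includes(prAuthor)) return no("author not allowed");
  if (!protection || !protection.requiresReview || !(protection.requiredStatusChecks >= 1))
    return no("branch protection does not require review and a status check");
  if (config.dryRun) return no("dry run");
  return { approve: true, reason: "all conditions met", pr: run.pull_requests[0].number };
}

// Constructed sample delivery, signed the way GitHub would sign it.
const sampleBody = JSON.stringify({
  action: "completed",
  workflow_run: { conclusion: "success", pull_requests: [{ number: 42 }] },
});
const sampleSig =
  "sha256=" + createHmac("sha256", CONFIG.webhookSecret).update(sampleBody).digest("hex");
const goodProtection = { requiresReview: true, requiredStatusChecks: 1 };
console.log(decide(sampleBody, sampleSig, "renovate[bot]", goodProtection));
```

The signature is checked over the raw body before any field is parsed or trusted, so a delivery that was not signed with the configured secret never reaches the approval conditions.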


Turns out, it wasn't that difficult, even though I was new to the platform.

And I received some quick and helpful support on Discord when I was stuck. Thx for that.

And the best thing about it is that you can fork it and use it on your own.
