Managing multiple Dependabot PRs can be a boring task, especially when you have numerous repositories to maintain. The `dependabot-pr-manager` library simplifies this process by grouping Dependabot PRs into a single PR and closing the Dependabot PRs. In this article, we'll explore how to use `dependabot-pr-manager` in your CI pipeline.
By the way, it is open source. 🚀
BEFORE YOU KEEP READING: `dependabot-pr-manager` only supports Node projects.
What does it do?
Currently, `dependabot-pr-manager` has two main scripts:
- Group Dependabot PRs: The `merge-dependabot-prs` script groups all Dependabot PRs into a single PR, allowing you to review and update the changes before merging.
- Close Dependabot PRs: The `close-dependabot-prs` script closes all open Dependabot PRs.
How to use it?
Installing
To install `dependabot-pr-manager` as a `devDependency`, run the following command (if npm project):
```bash
npm i utility-dependabot-pr-manager --save-dev
```
On CI
Below is an example of how to set up a GitHub Action (you can adapt it to other CI services) to run the dependabot-pr-manager script on the first day of every month (at 09:00 UTC) and allow manual triggering via a GitHub button. Additionally, it includes a job to close the Dependabot PRs when the created PR is commented with "[dependabot-pr-manager] close prs".
- Create a file named .github/workflows/dependabot-pr-manager.yml in your repository:
```yaml
name: Merge and Close Dependabot PRs
on:
  schedule:
    - cron: '0 9 1 * *' # Runs at 09:00 (UTC) on the first day of every month
  workflow_dispatch: # Allows manual triggering via GitHub button
  issue_comment:
    types: [created]
jobs:
  merge-dependabot-prs:
    if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Set up Node.js
        uses: actions/setup-node@v2
        with:
          node-version: '18'
      - name: Install Yarn
        run: npm install -g yarn
      - name: Install dependencies
        run: yarn install
      - name: Set up Git
        run: |
          git config --global user.name "dependabot[bot]" # change to the user that will merge the PRs
          git config --global user.email "49699333+dependabot[bot]@users.noreply.github.com" # change to the user that will merge the PRs
      - name: Run merge-dependabot-prs
        run: |
          npx merge-dependabot-prs \
            --repoUrl=https://github.com/open-ish/utility.git \
            --combinedBranch=ci/combined-dependabot-updates \
            --mainBranch=main \
            --githubToken=${{ secrets.YOUR_GIT_HUB_TOKEN }} \
            --repoOwner=open-ish \
            --repoName=utility
  close-dependabot-prs:
    if: github.event.issue.pull_request && contains(github.event.comment.body, '[dependabot-pr-manager] close prs')
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Set up Node.js
        uses: actions/setup-node@v2
        with:
          node-version: '18'
      - name: Install Yarn
        run: npm install -g yarn
      - name: Install dependencies
        run: yarn install
      - name: Run close-dependabot-prs
        run: |
          npx close-dependabot-prs \
            --githubToken=${{ secrets.YOUR_GIT_HUB_TOKEN }} \
            --repoOwner=open-ish \
            --repoName=utility
```
- merge-dependabot-prs job: This job runs the `merge-dependabot-prs` script to group Dependabot PRs into one.
- close-dependabot-prs job: This job runs the `close-dependabot-prs` script to close the Dependabot PRs when the pull request created by dependabot-pr-manager is commented with '[dependabot-pr-manager] close prs'.
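The `issue_comment` event fires for a comment from any user on any issue or PR, and the `close-dependabot-prs` job above then runs with a token that can close PRs. As an added example (not part of the dependabot-pr-manager project), this variant of the job also requires the commenter to have a trusted `author_association`, limits the default workflow token to read access, and hands the secret to the script through an environment variable. The `MANAGER_TOKEN` variable name and the list of trusted associations are assumptions to adjust for your repository.

```yaml
jobs:
  close-dependabot-prs:
    # Run only when all three hold: the comment is on a PR, it contains the
    # trigger phrase, and its author is an owner, org member or collaborator.
    if: >-
      github.event.issue.pull_request &&
      contains(github.event.comment.body, '[dependabot-pr-manager] close prs') &&
      contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    permissions:
      contents: read # the default GITHUB_TOKEN is only used for checkout
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Set up Node.js
        uses: actions/setup-node@v2
        with:
          node-version: '18'
      - name: Install Yarn
        run: npm install -g yarn
      - name: Install dependencies
        run: yarn install
      - name: Run close-dependabot-prs
        env:
          # MANAGER_TOKEN is a hypothetical variable name; the secret is read
          # by the shell at run time instead of being pasted into the script.
          MANAGER_TOKEN: ${{ secrets.YOUR_GIT_HUB_TOKEN }}
        run: |
          npx close-dependabot-prs \
            --githubToken="$MANAGER_TOKEN" \
            --repoOwner=open-ish \
            --repoName=utility
```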
Package params
- `--repoUrl` (required): The repository URL;
- `--combinedBranch` (required): The branch that will be created with the combined PRs;
- `--mainBranch` (required): The main branch of the repository;
- `--githubToken` (required): The GitHub token;
- `--repoOwner` (required): The repository owner;
- `--repoName` (required): The repository name;
- `installDepsCommand`: The command to install the dependencies. Default: `yarn install`
- `filesToCommit`: Files to be committed on the pull request. Default: `package.json yarn.lock`
Examples
- Grouping Dependabot PRs
- Closing Dependabot PRs after comment `[dependabot-pr-manager] close prs`
Conclusion
The dependabot-pr-manager library is a nice tool for managing Dependabot PRs in your repositories. By automating the process of grouping and closing PRs, you can save time and ensure that your dependencies are always up to date. Try integrating dependabot-pr-manager into your CI pipeline today and experience the benefits of streamlined dependency management.
Top comments (2)
This looks like a great way to streamline Dependabot PR management! Having a single PR for all updates and a way to close them easily sounds super efficient. I'm curious to see how it handles conflicts between different dependency updates.
Hey @programmerraja, thanks for your feedback 😊
It runs the install script (you define which) just once after collecting all required dependencies. So it shouldn't conflict.