Managing Dependabot PRs with dependabot-pr-manager

Managing multiple Dependabot PRs can be a boring task, especially when you have numerous repositories to maintain. The dependabot-pr-manager library simplifies this process by grouping Dependabot PRs into a single PR and closing Dependabot PR. In this article, we'll explore how to use dependabot-pr-manager in your CI pipeline.

By the way, it is opensource. 🚀

BEFORE YOU KEEP REEDING: dependabot-pr-manager only supports Node projects

What does it do?

Currently, dependabot-pr-manager has two main scripts:

• Group Dependabot PRs: The merge-dependabot-prs script groups all Dependabot PRs into a single PR, allowing you to review and update the changes before merging.
• Close Dependabot PRs: The close-dependabot-prs script closes all open Dependabot PRs.

How to use it?

Installing

To install dependabot-pr-manager as a devDependency, run the following command (if npm project):

npm i utility-dependabot-pr-manager --save-dev

On CI

Below is an example of how to set up a GitHub Action (you can adapt to other CI services) to run the dependabot-pr-manager script on the first day of every month (at 09:00 UTC) and allow manual triggering via a GitHub button. Additionally, it includes a job to close the Dependabot PRs when the created PR is commented with "[dependabot-pr-manager] close prs".

• Create a file named .github/workflows/dependabot-pr-manager.yml in your repository:

name: Merge and Close Dependabot PRs

on:
  schedule:
    - cron: '0 9 * * 1' # Runs at 09:00 (UTC) on the first day of every month
  workflow_dispatch: # Allows manual triggering via GitHub button
  issue_comment:
    types: [created]

jobs:
  merge-dependabot-prs:
    if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Set up Node.js
        uses: actions/setup-node@v2
        with:
          node-version: '18'

      - name: Install Yarn
        run: npm install -g yarn

      - name: Install dependencies
        run: yarn install

      - name: Set up Git
        run: |
          git config --global user.name "dependabot[bot]" # change to the user that will merge the PRs
          git config --global user.email "49699333+dependabot[bot]@users.noreply.github.com" # change to the user that will merge the PRs

      - name: Run merge-dependabot-prs
        run: |
          npx merge-dependabot-prs \
            --repoUrl=https://github.com/open-ish/utility.git \
            --combinedBranch=ci/combined-dependabot-updates \
            --mainBranch=main \
            --githubToken=${{ secrets.YOUR_GIT_HUB_TOKEN }} \
            --repoOwner=open-ish \
            --repoName=utility

  close-dependabot-prs:
    if: github.event.issue.pull_request && contains(github.event.comment.body, '[dependabot-pr-manager] close prs')
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Set up Node.js
        uses: actions/setup-node@v2
        with:
          node-version: '18'

      - name: Install Yarn
        run: npm install -g yarn

      - name: Install dependencies
        run: yarn install

      - name: Run close-dependabot-prs
        run: |
          npx close-dependabot-prs \
            --githubToken=${{ secrets.YOUR_GIT_HUB_TOKEN }} \
            --repoOwner=open-ish \
            --repoName=utility

• merge-dependabot-prs Job: This job runs the merge-dependabot-prs script to group Dependabot PRs into one.
• close-dependabot-prs Job: This job runs the close-dependabot-prs script to close the Dependabot PRs when the pull request created from dependabot-pr-manager be commented with '[dependabot-pr-manager] close prs'.

Package params

• --repoUrl(required): The repository URL;
• --combinedBranch(required): The branch that will be created with the combined PRs;
• --mainBranch(required): The main branch of the repository;
• --githubToken(required): The GitHub token;
• --repoOwner(required): The repository owner;
• --repoName(required): The repository name;
• installDepsCommand: The command to install the dependencies. Default: yarn install
• filesToCommit: Files to be committed on the pull request. Default: package.json yarn.lock

Examples

See this PR example

• Grouping Dependabot PRs

• Closing Dependabot PRs after comment [dependabot-pr-manager] close prs

Conclusion

The dependabot-pr-manager library is a nice tool for managing Dependabot PRs in your repositories. By automating the process of grouping and closing PRs, you can save time and ensure that your dependencies are always up to date. Try integrating dependabot-pr-manager into your CI pipeline today and experience the benefits of streamlined dependency management.

Comments

[Boopathi]

This looks like a great way to streamline Dependabot PR management! Having a single PR for all updates and a way to close them easily sounds super efficient. I'm curious to see how it handles conflicts between different dependency updates.

[Tássio]

Hey @programmerraja, thanks for your feedback 😊

It runs install script (you define which) just once after collect all required dependencies. So it shouldn't conflict.