  • Stars: 100
  • Rank: 340,703 (Top 7 %)
  • Language: TypeScript
  • License: MIT License
  • Created over 3 years ago
  • Updated over 1 year ago

Repository Details

Extract information about the dependencies being updated by a Dependabot-generated PR.

Dependabot

Fetch Metadata Action

Name: dependabot/fetch-metadata

Usage instructions

Create a workflow file that contains a step that uses: dependabot/fetch-metadata@v1, e.g.

# .github/workflows/dependabot-prs.yml
name: Dependabot Pull Request
on: pull_request_target
jobs:
  build:
    permissions:
      pull-requests: read
    runs-on: ubuntu-latest
    steps:
    - name: Fetch Dependabot metadata
      id: dependabot-metadata
      uses: dependabot/fetch-metadata@v1
      with:
        alert-lookup: true
        compat-lookup: true
        github-token: "${{ secrets.PAT_TOKEN }}"

Supported inputs are:

  • github-token (string)
    • The GITHUB_TOKEN secret
    • Defaults to ${{ github.token }}
    • Note: this must be set to a personal access token (PAT) if you enable alert-lookup or compat-lookup.
  • alert-lookup (boolean)
    • If true, then populate the alert-state, ghsa-id and cvss outputs.
    • Defaults to false
  • compat-lookup (boolean)
    • If true, then populate the compatibility-score output.
    • Defaults to false
  • skip-commit-verification (boolean)
    • If true, then the action will not expect the commits to have a verification signature. It is required to set this to 'true' in GitHub Enterprise Server.
    • Defaults to false
  • skip-verification (boolean)
    • If true, the action will not validate the user or the commit verification status
    • Defaults to false

Subsequent actions will have access to the following outputs:

  • steps.dependabot-metadata.outputs.dependency-names
    • A comma-separated list of the package names updated by the PR.
  • steps.dependabot-metadata.outputs.dependency-type
    • The type of dependency that Dependabot has determined this PR to be. Possible values are: direct:production, direct:development and indirect. See the allow documentation for descriptions of each.
  • steps.dependabot-metadata.outputs.update-type
    • The highest semver change being made by this PR, e.g. version-update:semver-major. For all possible values, see the ignore documentation.
  • steps.dependabot-metadata.outputs.updated-dependencies-json
    • A JSON string containing the full information about each updated Dependency.
  • steps.dependabot-metadata.outputs.directory
    • The directory configuration that was used by Dependabot for this updated dependency.
  • steps.dependabot-metadata.outputs.package-ecosystem
    • The package-ecosystem configuration that was used by Dependabot for this updated dependency.
  • steps.dependabot-metadata.outputs.target-branch
    • The target-branch configuration that was used by Dependabot for this updated dependency.
  • steps.dependabot-metadata.outputs.previous-version
    • The version that this PR updates the dependency from.
  • steps.dependabot-metadata.outputs.new-version
    • The version that this PR updates the dependency to.
  • steps.dependabot-metadata.outputs.alert-state
    • If this PR is associated with a security alert and alert-lookup is true, this contains the current state of that alert (OPEN, FIXED or DISMISSED).
  • steps.dependabot-metadata.outputs.ghsa-id
    • If this PR is associated with a security alert and alert-lookup is true, this contains the GHSA-ID of that alert.
  • steps.dependabot-metadata.outputs.cvss
    • If this PR is associated with a security alert and alert-lookup is true, this contains the CVSS value of that alert (otherwise it contains 0).
  • steps.dependabot-metadata.outputs.compatibility-score
    • If this PR has a known compatibility score and compat-lookup is true, this contains the compatibility score (otherwise it contains 0).
  • steps.dependabot-metadata.outputs.maintainer-changes
    • Whether or not the body of this PR contains the phrase "Maintainer changes", which is an indicator of whether any maintainers have changed.
  • steps.dependabot-metadata.outputs.dependency-group
    • The dependency group that the PR is associated with (otherwise it is an empty string).

Note: By default, these outputs will only be populated if the target Pull Request was opened by Dependabot and contains only Dependabot-created commits. To override, see skip-commit-verification / skip-verification.

This metadata can be used along with the GitHub Actions expression syntax and the GitHub CLI to create useful automation for your Dependabot PRs.

Auto-approving

Since the dependabot/fetch-metadata Action will set a failure code if it cannot find any metadata, you can have a permissive auto-approval on all Dependabot PRs like so:

name: Dependabot auto-approve
on: pull_request_target
permissions:
  pull-requests: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Checking the author will prevent your Action run failing on non-Dependabot PRs
    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v1
      - uses: actions/checkout@v3
      - name: Approve a PR if not already approved
        run: |
          gh pr checkout "$PR_URL" # sets the upstream metadata for `gh pr status`
          if [ "$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)" != "APPROVED" ];
          then gh pr review --approve "$PR_URL"
          else echo "PR already approved, skipping additional approvals to minimize emails/notification noise.";
          fi
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

Enabling auto-merge

If you are using the auto-merge feature on your repository, you can set up an action that will enable Dependabot PRs to merge once CI and other branch protection rules are met. (Note that you must use a personal access token (PAT) when executing the merge instruction.)

For example, if you want to automatically merge all patch updates to Rails:

name: Dependabot auto-merge
on: pull_request_target
permissions:
  pull-requests: write
  contents: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v1
      - name: Enable auto-merge for Dependabot PRs
        if: ${{contains(steps.dependabot-metadata.outputs.dependency-names, 'rails') && steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch'}}
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
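The auto-merge step above gates on `contains(dependency-names, 'rails')`, and `contains()` on a string is a substring test, so it also matches names like `rails-html-sanitizer`. The script below is an added example, not part of the action or its README: it consumes the same outputs from environment variables (the variable names and the policy shape are assumptions) and matches package names exactly, enforces the highest semver change for the whole PR, and routes PRs with a populated `alert-state` to a human reviewer.

```javascript
// Added example (not part of dependabot/fetch-metadata): a policy check over the
// action's outputs. Assumes a later step exposes them as environment variables:
//   DEPENDENCY_NAMES: ${{ steps.dependabot-metadata.outputs.dependency-names }}
//   UPDATE_TYPE:      ${{ steps.dependabot-metadata.outputs.update-type }}
//   ALERT_STATE:      ${{ steps.dependabot-metadata.outputs.alert-state }}
const SEMVER_RANK = {
  'version-update:semver-patch': 1,
  'version-update:semver-minor': 2,
  'version-update:semver-major': 3,
};

// dependency-names is a comma-separated list; split it into exact package names.
function parseDependencyNames(list) {
  return list.split(',').map((s) => s.trim()).filter((s) => s.length > 0);
}

// Decide whether a Dependabot PR may be auto-merged. Unlike the expression
// contains(dependency-names, 'rails'), which is a substring test and also
// matches 'rails-html-sanitizer', every updated package must match the allow
// list exactly. update-type is the highest semver change in the PR, so a grouped
// update containing one minor bump is rejected as a whole. A populated
// alert-state (requires alert-lookup: true) means the PR addresses a security
// alert; here it is sent to a human instead of being merged silently.
function automergeDecision(outputs, policy) {
  const names = parseDependencyNames(outputs.dependencyNames);
  if (names.length === 0) return { merge: false, reason: 'no dependency metadata' };
  const notAllowed = names.filter((n) => !policy.allow.includes(n));
  if (notAllowed.length > 0) {
    return { merge: false, reason: `not on allow list: ${notAllowed.join(', ')}` };
  }
  const rank = SEMVER_RANK[outputs.updateType];
  if (rank === undefined || rank > SEMVER_RANK[policy.maxUpdate]) {
    return { merge: false, reason: `update-type '${outputs.updateType}' exceeds ${policy.maxUpdate}` };
  }
  if (outputs.alertState !== '') {
    return { merge: false, reason: `security alert is ${outputs.alertState}; needs review` };
  }
  return { merge: true, reason: 'allow-listed packages, within semver limit, no alert' };
}

// Wire the check to the (hypothetical) environment variable names listed above.
function decisionFromEnv(env, policy) {
  return automergeDecision({
    dependencyNames: env.DEPENDENCY_NAMES || '',
    updateType: env.UPDATE_TYPE || '',
    alertState: env.ALERT_STATE || '',
  }, policy);
}
```

A `run:` step can call `decisionFromEnv(process.env, policy)` and only invoke `gh pr merge --auto` when `merge` is true.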

Labelling

If you have other automation or triage workflows based on GitHub labels, you can configure an action to assign these based on the metadata.

For example, if you want to flag all production dependency updates with a label:

name: Dependabot auto-label
on: pull_request_target
permissions:
  pull-requests: write
  issues: write
  repository-projects: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v1
      - name: Add a label for all production dependencies
        if: ${{ steps.dependabot-metadata.outputs.dependency-type == 'direct:production' }}
        run: gh pr edit "$PR_URL" --add-label "production"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

Notes for project maintainers:

📖 Release guide

Dependabot PRs

  • We expect Dependabot PRs to be passing CI and have any changes to the dist/ folder built for production dependencies
  • Some development dependencies may fail the dist/ check if they modify the TypeScript compilation; these should be updated manually via npm run build. See the dependabot-build action for details.

Tagging a new release

Publish a new release by running the Release - Bump Version workflow and following the instructions on the job summary.

In a nutshell the process will be:

  1. Run the action to generate a version bump PR.
  2. Merge the PR.
  3. Tag that merge commit as a new release using the format v1.2.3. The job summary contains a URL pre-populated with the correct version for the title and tag.
  4. Once the release is tagged, another GitHub Action workflow automatically moves the v1 tracking tag to point to the new version.
