auto merge dependabot updates#177
Conversation
|
Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines. |
github-actions
Bot
added
the
triage
|
Hi @tjenkinson 👋🏼 Thanks for opening the PR. I think you may be the first external contributor to open a pull request on this newly-public repository! 🎁 I love the idea of this change, and agree that we should automate things like @dependabot PRs. But we also need to be careful about adding third-party Actions to our codebase without first conducting a security audit. I'll need to discuss this with the @github/docs-engineering team to figure out how we'd like to proceed. We'll get back to you soon. |
|
Awesome! Thanks for the speedy reply :) No rush. It works well for me but no worries if you go with something else. |
|
I discussed this with the team and I think we'll be able accept this change, but first: #180 |
zeke
left a comment
zeke
left a comment
There was a problem hiding this comment.
Update: I audited the code at https://github.com/tjenkinson/gh-action-auto-merge-dependency-updates/blob/0882a8edde9070b608c8f19837f2a545bf6f2c28/src/run.ts#L61-L64 and it looks reasonable to me. 👍🏼
@tjenkinson if you can now add your Action to .github/allowed-actions.js, this should turn green again:
tjenkinson/gh-action-auto-merge-dependency-updates@0882a8e
Once that's done, we can ship it!
zeke
added
engineering
|
Done! I’m not sure if it will work properly right now though actually because it looks like a reviewer is required so it still might not have permission to merge automatically? |
|
Looks like on #286 for example the bot also approves the pr, but not sure where that’s happening from. Can add an option for that to the action if needed |
|
I updated it to a newer version that will now also first approve the PR |
|
@all-contributors please add @tjenkinson for code |
|
I've put up a pull request to add @tjenkinson! 🎉 |
4 participants
Why:
There isn't an existing issue, but I thought this was small enough it probably doesn't need one.
This action (disclaimer: I wrote it) will automerge dependabot PRs that do not contain a major version change when required checks pass. Thought it might be useful.
What's being changed:
Adds an action to automerge dependebot PR's.
Check off the following: