Home

Awesome

<h1 align="center"> <picture> <source media="(prefers-color-scheme: light)" srcset="https://user-images.githubusercontent.com/7659/174594540-5e29e523-396a-465b-9a6e-6cab5b15a568.svg"> <source media="(prefers-color-scheme: dark)" srcset="https://user-images.githubusercontent.com/7659/174594559-0b3ddaa7-e75b-4f10-9dee-b51431a9fd4c.svg"> <img src="https://user-images.githubusercontent.com/7659/174594540-5e29e523-396a-465b-9a6e-6cab5b15a568.svg" alt="Dependabot" width="336"> </picture> </h1>

Fetch Metadata Action

Name: dependabot/fetch-metadata

Extract information about the dependencies being updated by a Dependabot-generated PR.

Usage instructions

Create a workflow file that contains a step that uses: dependabot/fetch-metadata@v2, e.g.

# .github/workflows/dependabot-prs.yml
name: Dependabot Pull Request
on: pull_request
jobs:
  dependabot:
    permissions:
      pull-requests: read
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
    - name: Fetch Dependabot metadata
      id: dependabot-metadata
      uses: dependabot/fetch-metadata@v2
      with:
        alert-lookup: true
        compat-lookup: true
        github-token: "${{ secrets.PAT_TOKEN }}"

Supported inputs are:

Subsequent actions will have access to the following outputs:

Note: By default, these outputs will only be populated if the target Pull Request was opened by Dependabot and contains only Dependabot-created commits. To override, see skip-commit-verification / skip-verification.

For workflows initiated by Dependabot (github.actor == 'dependabot[bot]') using the pull_request_target event, if the base ref of the pull request was created by Dependabot (github.event.pull_request.user.login == 'dependabot[bot]'), the GITHUB_TOKEN will be read-only and secrets are not available.

This metadata can be used along with Action's expression syntax and the GitHub CLI to create useful automation for your Dependabot PRs.

Auto-approving

Since the dependabot/fetch-metadata Action will set a failure code if it cannot find any metadata, you can have a permissive auto-approval on all Dependabot PRs like so:

name: Dependabot auto-approve
on: pull_request
permissions:
  pull-requests: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Checking the author will prevent your Action run failing on non-Dependabot PRs
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v2
      - uses: actions/checkout@v4
      - name: Approve a PR if not already approved
        run: |
          gh pr checkout "$PR_URL" # sets the upstream metadata for `gh pr status`
          if [ "$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)" != "APPROVED" ];
          then gh pr review --approve "$PR_URL"
          else echo "PR already approved, skipping additional approvals to minimize emails/notification noise.";
          fi
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

Enabling auto-merge

If you are using the auto-merge feature on your repository, you can set up an action that will enable Dependabot PRs to merge once CI and other branch protection rules are met. (Note that you must use a personal access token (PAT) when executing the merge instruction.)

For example, if you want to automatically merge all patch updates to Rails:

name: Dependabot auto-merge
on: pull_request
permissions:
  pull-requests: write
  contents: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v2
      - name: Enable auto-merge for Dependabot PRs
        if: ${{contains(steps.dependabot-metadata.outputs.dependency-names, 'rails') && steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch'}}
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}

Labelling

If you have other automation or triage workflows based on GitHub labels, you can configure an action to assign these based on the metadata.

For example, if you want to flag all production dependency updates with a label:

name: Dependabot auto-label
on: pull_request
permissions:
  pull-requests: write
  issues: write
  repository-projects: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v2
      - name: Add a label for all production dependencies
        if: ${{ steps.dependabot-metadata.outputs.dependency-type == 'direct:production' }}
        run: gh pr edit "$PR_URL" --add-label "production"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

Notes for project maintainers:

<details><summary>:book: Release guide</summary> <p>

Dependabot PR's

Tagging a new release

Publish a new release by running the Release - Bump Version workflow and following the instructions on the job summary.

In a nutshell the process will be:

  1. Run the action to generate a version bump PR.
  2. Merge the PR.
  3. Tag that merge commit as a new release using the format v1.2.3. The job summary contains a URL pre-populated with the correct version for the title and tag.
  4. Once the release is tagged, another GitHub Action workflow automatically moves the v2 tracking tag to point to the new version.
</p> </details>