Use dependabot #25
Conversation
# Automerge: | ||
# needs: [Test, Lint] | ||
# runs-on: ubuntu-latest | ||
# if: | | ||
# github.actor == 'dependabot[bot]' && | ||
# github.event_name == 'pull_request' && | ||
# startsWith(github.event.pull_request.title, 'chore(deps-dev):') | ||
# steps: | ||
# - name: '@dependabot merge' | ||
# uses: actions/github-script@v2 | ||
# with: | ||
# github-token: ${{secrets.GH_TOKEN}} | ||
# script: | | ||
# await github.issues.createComment({ | ||
# owner: context.payload.repository.owner.login, | ||
# repo: context.payload.repository.name, | ||
# issue_number: context.payload.pull_request.number, | ||
# body: '@dependabot merge' | ||
# }) |
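Review bot: `uses: actions/github-script@v2` pins the action to a floating major tag, yet this step is handed `secrets.GH_TOKEN`, a token that (per the review comment on this hunk) must carry push rights; pin the action to a full-length commit SHA (with the version in a trailing comment) so a retagged or compromised release cannot read that token. Two smaller points in the same hunk: the `if` only matches titles starting with `chore(deps-dev):`, so runtime-dependency bumps (`chore(deps):`) are never auto-merged, which should be stated as intentional if it is; and because the job runs on `pull_request`, the `github.actor == 'dependabot[bot]'` clause is the only thing keeping an arbitrary PR author from triggering a step that comments with the PAT, so it must stay in front of the title check. The whole job is commented out, so none of this runs until the leading `#` is removed.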
Auto Merge would require a token with public_repo permission in secrets.GH_TOKEN; the default secrets.GITHUB_TOKEN won't work since it doesn't have push permission.
@UziTech Thank you for this. But Dependabot does not support updating all the dependencies in a single pull request and spams my email and notifications for every single package. I created my custom dependency bumper because of that. See this issue: dependabot/dependabot-core#1296 (comment)
The problem with the GitHub Actions script is that it does not run the other GitHub Actions when it creates the PR.
To circumvent that we can add steps after bumping. If you would like to run the tests after bumping (before creating the pull request), we can just add a step to run the tests. If it fails, it will not create a pull request, and that means the new dependency is not compatible with the package. Using our custom script is much more flexible. You can use all of the
to reject updating coffeescript to v2 as it is not supported by Atom.
But then it is all or none. If one update fails the tests, the PR doesn't get created for any of the updates. It just seems like more work when there are easier ways to circumvent notifications.
Yes. Failing the bump means I need to take care of at least one of the dependencies which has broken the tests. I find this better compared to getting spammed by the bot. Other than the reasons I mentioned earlier, I switched to
With all of these being said, Dependabot is installed on the organization and anyone can use it if they like that instead.
@UziTech Sorry about this. I hope they improve things. I am tracking the issue in dependabot/dependabot-core#1296 (comment)
Use dependabot so tests run on dependency bumps