This repository runs a daily GitHub action that automatically approves and merges certain Dependabot PRs for opted-in GOV.UK repos, according to strict criteria set out in RFC-156, summarised below:
This service should ONLY be used to merge internal dependencies (excluding 'major' version updates). It should also only be enabled on repos which have sufficient test coverage (such as continuously deployed apps, as these have to reach 95% coverage). Deviate from the guidance at your own risk.
Note that govuk-dependabot-merger will avoid merging a PR if it has a failing GitHub Action CI build called test-ruby, as per convention. It will also avoid running altogether on weekends and bank holidays.
To opt into the govuk-dependabot-merger service, first create a .govuk_dependabot_merger.yml config file at the root of your repository. Configure the file with an array of dependencies and associated semver bumps that you would like the service to merge for you.
For example:
api_version: 1
auto_merge:
  - dependency: govuk_publishing_components
    allowed_semver_bumps:
      - patch
      - minor
  - dependency: rubocop-govuk
    allowed_semver_bumps:
      - patch
      - minor
After you've merged your config file into your main branch, you just need to add your repository to the config/repos_opted_in.yml list in govuk-dependabot-merger.
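The following is an added example, not code from govuk-dependabot-merger: a sketch of checking a proposed version bump against a config in the format shown above. The names `bump_type` and `auto_merge_allowed?` are hypothetical, versions are assumed to be plain MAJOR.MINOR.PATCH strings, and refusing `major` even when a config lists it is this example's own reading of the guidance.

```ruby
require "yaml"

# Constructed sample config in the .govuk_dependabot_merger.yml format.
SAMPLE_CONFIG = <<~CONFIG
  api_version: 1
  auto_merge:
    - dependency: govuk_publishing_components
      allowed_semver_bumps:
        - patch
        - minor
    - dependency: rubocop-govuk
      allowed_semver_bumps:
        - patch
CONFIG

SUPPORTED_API_VERSION = 1
PERMITTED_BUMPS = %w[patch minor].freeze # assumption: major is never auto-merged

# Classify the change between two MAJOR.MINOR.PATCH strings.
# Returns :major, :minor, :patch or :unchanged; raises on malformed input or a downgrade.
def bump_type(from, to)
  old, new = [from, to].map do |v|
    raise ArgumentError, "not MAJOR.MINOR.PATCH: #{v}" unless v.to_s.match?(/\A\d+\.\d+\.\d+\z/)
    v.split(".").map(&:to_i)
  end
  raise ArgumentError, "downgrade" if (new <=> old) == -1
  return :major if new[0] != old[0]
  return :minor if new[1] != old[1]
  new[2] != old[2] ? :patch : :unchanged
end

# Fail closed: anything unparseable, unlisted or outside PERMITTED_BUMPS returns false.
def auto_merge_allowed?(config_yaml, dependency, from, to)
  config = YAML.safe_load(config_yaml)
  return false unless config.is_a?(Hash) && config["api_version"] == SUPPORTED_API_VERSION
  entry = Array(config["auto_merge"]).find { |e| e.is_a?(Hash) && e["dependency"] == dependency }
  return false unless entry
  allowed = Array(entry["allowed_semver_bumps"]) & PERMITTED_BUMPS
  allowed.include?(bump_type(from, to).to_s)
rescue ArgumentError, Psych::Exception
  false
end
```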
To run the linter:
bundle exec rubocop
To run the tests:
bundle exec rspec
The repo expects an AUTO_MERGE_TOKEN environment variable to be defined. This should be a GitHub API token with sufficient scope.
You can then run the merger with:
bundle exec ruby bin/merge_dependabot_prs.rb
The repo also ships with a "doctor" script to help you to debug individual PRs and why they did or did not auto-merge.
bundle exec ruby bin/pr_doctor.rb https://github.com/alphagov/content-data-api/pull/1996