dependabot/dependabot-core

No auto-rebase after `@dependabot merge` command

Closed this issue · 21 comments

Related to: dependabot/feedback#365

Package manager/ecosystem
javascript, npm

Manifest contents prior to update
https://github.com/Maxim-Mazurok/google-api-typings-generator/blob/master/.github/dependabot.yml

What you expected to see, versus what you actually saw
Every week, dependabot opens a couple of PRs.
I have an auto-merge action, which adds "@dependabot merge" comment to all minor update PRs automatically. The problem is that only the first one gets merged. Other ones need to be rebased, but they never do it automatically. I have to manually comment "@dependabot rebase" on every PR, which defeats the purpose.
I want dependabot to automatically rebase my PRs even if I have commented "@dependabot merge".
I believe that this was implemented as part of dependabot/feedback#365 and now it doesn't work, so this may be a regression.

Images of the diff or a link to the PR, issue or logs

All 4 got opened yesterday:
This one got merged: Maxim-Mazurok/google-api-typings-generator#443
These 3 are stuck unless I manually comment "@dependabot rebase"
Maxim-Mazurok/google-api-typings-generator#441
Maxim-Mazurok/google-api-typings-generator#442
Maxim-Mazurok/google-api-typings-generator#444

@greysteil do you know anything about this, by chance?

Afraid not - I haven't worked on Dependabot for the last couple of years! It's in the safe hands of @hmarr and @asciimike now, and this looks like a very clear bug report for them and the team to dig into.

jurre commented

Hi @Maxim-Mazurok, this has been open for a while, apologies for that.

The PRs you linked to have since been rebased and merged, so it's a little hard to dive into what happened.

I want dependabot to automatically rebase my PRs even if I have commented "@dependabot merge".

It's good to know that dependabot will only rebase if there are any merge conflicts, but not when the ref is out of date. Do you happen to know if this was the case? Has this happened since?

@jurre thank you for picking up this one.
Unfortunately, this was very frustrating for me, so instead of relying on @dependabot merge command, I started using Kodiak merge.automerge_dependencies. Here's the commit in which I switched: Maxim-Mazurok/google-api-typings-generator@40d393b

Now it works as expected.

As you can see, dependabot opened two PRs last Saturday: Maxim-Mazurok/google-api-typings-generator#478 and Maxim-Mazurok/google-api-typings-generator#479

First, I have approved Maxim-Mazurok/google-api-typings-generator#478 (review)
Then I approved Maxim-Mazurok/google-api-typings-generator#479 (review)

Kodiak merged the first one: Maxim-Mazurok/google-api-typings-generator#478 (comment)
Then, Kodiak rebased the second one: Maxim-Mazurok/google-api-typings-generator@429318c (#479)
And Kodiak merged it: Maxim-Mazurok/google-api-typings-generator#478 (comment)

This is precisely what I wanted Dependabot, paired with ahmadnassri/action-dependabot-auto-merge, to do.

That being said, I'll try to create a reproduction in the new repo.


It's good to know that dependabot will only rebase if there are any merge conflicts, but not when the ref is out of date. Do you happen to know if this was the case?

I'm not sure if there were. My usual use-case is merging dependabot PRs one after another. So I think that only package.json and package-lock.json were changed. I believe this can be checked using git history.

I forgot to mention my repo settings:

  Protect matching branches
   [x] Require pull request reviews before merging: 
    Required approving reviews: 1
    [x] Dismiss stale pull request approvals when new commits are pushed
   [x] Require status checks to pass before merging
    [x] Require branches to be up to date before merging
    Status checks found in the last week for this repository: 
     [x] test

These Branch protection rules apply to master and are checked. Everything else is disabled.

I tried to reproduce it here: https://github.com/Maxim-Mazurok/dependabot-3132-repro but I couldn't.

Because of the ahmadnassri/action-dependabot-auto-merge#60 issue, I had to change from on: pull_request to on: pull_request_target.

Everything works as expected:

  1. 3 PRs opened: Maxim-Mazurok/dependabot-3132-repro#8 and Maxim-Mazurok/dependabot-3132-repro#9 and Maxim-Mazurok/dependabot-3132-repro#10
  2. Maxim-Mazurok/dependabot-3132-repro#8 got merged
  3. Maxim-Mazurok/dependabot-3132-repro#9 and Maxim-Mazurok/dependabot-3132-repro#10 rebased
  4. Maxim-Mazurok/dependabot-3132-repro#9 got merged
  5. Maxim-Mazurok/dependabot-3132-repro#10 rebased
  6. Maxim-Mazurok/dependabot-3132-repro#10 got merged

And all of that even without the need to manually approve PRs, perfect! (even though not very secure)

I'm going to try this approach on my main repo and will let you know how it goes after the weekend. I do updates on it every Saturday.
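As an added example (not the reporter's actual workflow, which the page only links to), a minimal auto-merge workflow of the kind described above, using the `pull_request_target` trigger the reporter switched to; the `if:` guard and the explicit `permissions` block are added hardening, because `pull_request_target` runs with a write-capable token and repository secrets. The action's `target` and `github-token` inputs, the `@v2` tag and the secret name are assumptions taken from the action's documentation, not from this issue.

```yaml
name: dependabot-auto-merge

# pull_request_target (as used in the repro repo) runs in the base-branch
# context with write access and secrets. Nothing in this job checks out or
# executes code from the PR head, so the untrusted diff is never run here.
on:
  pull_request_target:

# Least privilege: commenting on and merging the PR is all this job needs.
permissions:
  contents: write
  pull-requests: write

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    # Assumed guard (not from the thread): only act on PRs Dependabot opened,
    # so a PR from any other author cannot trigger the merge comment.
    if: github.actor == 'dependabot[bot]'
    steps:
      # Posts "@dependabot merge" for updates up to the given semver level.
      # Input names assumed from the action's README; the token is a PAT
      # stored as a repository secret (placeholder name), since comments
      # made with the default GITHUB_TOKEN are not treated as commands.
      - uses: ahmadnassri/action-dependabot-auto-merge@v2
        with:
          target: minor
          github-token: ${{ secrets.DEPENDABOT_AUTOMERGE_TOKEN }}
```

Whether a merge is followed by an automatic rebase of the remaining PRs is the behaviour this issue disputes, so the workflow above only covers the merge-comment side.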

jurre commented

I'm expecting this to have been resolved, I'm going to close the issue out for now, but please reopen if you run into things @Maxim-Mazurok!

It's only Friday here in Sydney, so I haven't confirmed if it works. Will reopen if it doesn't.

Unfortunately, this week I received only one dependency update (Maxim-Mazurok/google-api-typings-generator#481), so I couldn't verify the rebasing functionality. Will have to wait for next Saturday.

@jurre, finally, this week I received 4 PRs:

As you can see, two of them are "stuck" with @dependabot merge comment :(

BTW, reopen this issue, please, because I can't.

@jurre any ETA on when I could manually merge stuck PRs? Don't want to do that before your investigation.

@jurre following up, as the issue has been reopened 19 days ago and now I have 4 PRs stuck. Take a look, please, before I manually merge these PRs. Thanks!

Unsure if related, but on a private repo we see that dependabot doesn't work the whole day - we merge a PR and then it takes hours before dependabot rebases the others.

Unsure if related, but on a private repo we see that dependabot doesn't work the whole day - we merge a PR and then it takes hours before dependabot rebases the others.

I wish it was the case with my repo. PRs never get rebased for me :(

@jurre can you please confirm that this issue is not abandoned? I really want to help you by not rebasing PRs manually, but if this issue is abandoned - I'll have to look for alternative solutions. Cheers!

@jurre, unfortunately, I haven't heard back from you in a while, but I see from your GitHub profile that you're active. So I'm assuming that this issue is abandoned and I will be reverting to using https://github.com/chdsbd/kodiak to auto-merge dependabot PRs.

bdo commented

We're also getting the same issue in some of our private Discovery repos!

In one of these projects, I ended up using a solution described at the bottom of this community post: How can I stop babysitting Dependabot?

It would be great if someone from GitHub could assist in debugging the problem. It is sad to see that @Maxim-Mazurok's efforts to reproduce the problem have been in vain.

https://github.com/marketplace/actions/gha-auto-dependabot-rebase seems like a pretty nice hack, thanks for sharing!

I've been using Kodiak for a while now and it worked flawlessly for me. Almost every Saturday I get a couple of dependencies auto-updated, rebased, and merged.

My configs: https://github.com/Maxim-Mazurok/google-api-typings-generator/blob/master/.github/dependabot.yml and https://github.com/Maxim-Mazurok/google-api-typings-generator/blob/master/.kodiak.toml

The only weird issue is that dependabot refuses to add the "automerge-kodiak" label to PRs... And for whatever reason that doesn't stop Kodiak from auto-merging them anyway :D So somehow it works...

Actually, in this PR I somehow had some conflicts that Kodiak wasn't able to resolve using rebase. But dependabot isn't just doing git rebase, as far as I understand, it's doing npm update from master, discarding the original PR changes.

So I will be adding gha-auto-dependabot-rebase into the mix to handle rebasing.

Closing out as stale