action-dependabot-auto-merge
Consider combining this action with `dependabot/fetch-metadata` to support multi-dependency updates
I've noticed that this action fails when Dependabot creates a single PR for multiple updates. It is possible, though, to combine this with a helper action from Dependabot to fetch the update metadata in a standardized format, making a lot of the parsing here unnecessary:
```yaml
# ...
- name: Dependabot metadata
  id: dependabot-metadata
  uses: dependabot/fetch-metadata@v1
  with:
    github-token: ${{ secrets.PAT }} # This must be a personal access token to fetch if a PR closes a security issue
```
The result can then be passed to this action:
```yaml
# ...
env:
  updatedDependenciesJson: ${{ steps.dependabot-metadata.outputs.updated-dependencies-json }}
```
which can then be parsed using `JSON.parse` and contains something like this:
```js
[
  {
    dependencyName: 'prettier',
    dependencyType: 'direct:development',
    updateType: 'version-update:semver-patch',
    directory: '/prettier-and-types',
    packageEcosystem: 'npm_and_yarn',
    targetBranch: 'master',
    prevVersion: '',
    newVersion: '',
    compatScore: 0,
    alertState: '',
    ghsaId: '',
    cvss: 0
  },
  {
    dependencyName: '@types/prettier',
    dependencyType: 'direct:development',
    updateType: 'version-update:semver-patch',
    directory: '/',
    packageEcosystem: 'npm_and_yarn',
    targetBranch: 'master',
    prevVersion: '',
    newVersion: '',
    compatScore: 0,
    alertState: '', // <-- THIS will be "OPEN" if there is an open security issue
    ghsaId: '',
    cvss: 0
  }
]
```
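As an added example (not code from this action, from `dependabot/fetch-metadata`, or from the issue author), here is how the `updated-dependencies-json` payload described above could be consumed by an auto-merge step that has to decide on a multi-dependency PR as a whole. The field names follow the sample output in the issue; the merge policy (an allowed ceiling on `updateType`, with every dependency in the PR required to stay under it) and the `evaluate`/`highestUpdateType` helpers are assumptions for illustration. The example fails closed on empty, malformed or unrecognised input, and surfaces `alertState === 'OPEN'` separately so a workflow can treat security fixes differently from routine bumps.

```javascript
// Added example: policy check over fetch-metadata's updated-dependencies-json
// output for a Dependabot PR that bundles several dependency updates.
// Field names follow the issue's sample payload; the policy is an assumption.

// Ordered from least to most risky; array index is used for comparison.
const UPDATE_TYPES = [
  'version-update:semver-patch',
  'version-update:semver-minor',
  'version-update:semver-major',
];

// Parse the JSON string from the env var. Throws on anything that is not a
// non-empty array, so a missing or malformed payload blocks the merge instead
// of silently passing.
function parseUpdatedDependencies(json) {
  const parsed = JSON.parse(json);
  if (!Array.isArray(parsed) || parsed.length === 0) {
    throw new Error('updated-dependencies-json must be a non-empty array');
  }
  return parsed;
}

// Return the riskiest updateType present in the PR, or null if any entry
// carries a type this policy does not recognise.
function highestUpdateType(deps) {
  let worst = -1;
  for (const dep of deps) {
    const idx = UPDATE_TYPES.indexOf(dep.updateType);
    if (idx === -1) return null; // unknown type: refuse to reason about it
    worst = Math.max(worst, idx);
  }
  return UPDATE_TYPES[worst];
}

// Decide on auto-merge for the whole PR. `maxAllowed` is the highest
// permitted updateType, e.g. 'version-update:semver-minor'. A single
// out-of-policy or unrecognised dependency blocks the merge for all of them.
// Returns { merge, reason, securityFix }.
function evaluate(json, maxAllowed) {
  const deps = parseUpdatedDependencies(json);
  const allowed = UPDATE_TYPES.indexOf(maxAllowed);
  if (allowed === -1) throw new Error(`unknown policy level: ${maxAllowed}`);

  // Any dependency with an open alert means this PR closes a security issue.
  const securityFix = deps.some((d) => d.alertState === 'OPEN');

  const worst = highestUpdateType(deps);
  if (worst === null) {
    return { merge: false, reason: 'unrecognised updateType in PR', securityFix };
  }
  if (UPDATE_TYPES.indexOf(worst) > allowed) {
    return { merge: false, reason: `${worst} exceeds policy ${maxAllowed}`, securityFix };
  }
  return {
    merge: true,
    reason: `all ${deps.length} update(s) within ${maxAllowed}`,
    securityFix,
  };
}

// Constructed sample payload in the shape shown in the issue (values made up:
// the second entry is bumped to semver-minor and given an open alert).
const SAMPLE_PAYLOAD = JSON.stringify([
  { dependencyName: 'prettier', dependencyType: 'direct:development',
    updateType: 'version-update:semver-patch', directory: '/prettier-and-types',
    packageEcosystem: 'npm_and_yarn', targetBranch: 'master',
    prevVersion: '', newVersion: '', compatScore: 0, alertState: '', ghsaId: '', cvss: 0 },
  { dependencyName: '@types/prettier', dependencyType: 'direct:development',
    updateType: 'version-update:semver-minor', directory: '/',
    packageEcosystem: 'npm_and_yarn', targetBranch: 'master',
    prevVersion: '', newVersion: '', compatScore: 0, alertState: 'OPEN', ghsaId: '', cvss: 0 },
]);

// Same PR evaluated under two different ceilings.
console.log(evaluate(SAMPLE_PAYLOAD, 'version-update:semver-minor'));
console.log(evaluate(SAMPLE_PAYLOAD, 'version-update:semver-patch'));
```

In a workflow, `SAMPLE_PAYLOAD` would be replaced by `process.env.updatedDependenciesJson` from the `env:` mapping shown above; the action would then merge only when `merge` is true and could, for example, require `securityFix` to be true before accepting a semver-major bump.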