Over the years, I have accumulated quite a few free time projects that one after another become stale. Security alerts keep rolling in and getting all projects up-to-date is exhausting and might feel overwhelming. Let's automate this task!
depfu
For some time, I have updated the projects manually, however this became way too time consuming. Enter depfu, a free (for open source projects) service that keeps your project's dependencies up-to-date by proposing pull requests (PRs) whenever there's a new dependency version. Renovate is a similar service, and would work the same for the purpose of this tutorial. Depfu has made my life much easier – it automatically creates PRs and the only job left for me is to approve and merge the PR. This is all well and good, however with many projects, even this process becomes tedious. Let's try to automate this task even further!
Mergify
Mergify can merge PRs automatically and lets us define rules for when that should happen. Together, depfu and Mergify can automatically keep our dependencies updated.
Actual tutorial
Step 1: Create depfu and Mergify accounts
Before we can start configuring these tools, we'll need to create one account in each service, and give the services the required permissions. Once this is done, depfu will start creating dependency update PRs in the projects that were added in the depfu GUI.
Step 2: Configure Mergify
We can configure Mergify in a .mergify.yml file placed in the root of our project. Mergify has a great deal of example configurations which is very helpful when new to the tool. This configuration is very powerful, however our task is quite simple and doesn't need much writing:
pull_request_rules:
- name: Automatic merge for depfu pull requests
conditions:
- author=depfu[bot]
- base=main # or master
actions:
merge:
method: merge
That's actually all that we need! We ensure that it was actually depfu that created the PR, then check that the PR will be merged to the main branch. Now, every pull request created by depfu will be merged automatically.
Is automating this a good idea?
We should ask ourselves if we actually want dependency updates to be merged automatically. They should be subject to review and should perhaps not be merged into the codebase uncritically. This can be mitigated by adding automated tests and to run build scripts on every commit. If required checks fail, Mergify won't merge the PR. Also, Mergify has another trick up it's sleeve: We can do a RegEx search on the PR's title. This combines neatly with the fact that depfu adds a (major), (minor) or (patch) label to the end of the PR title. We can filter out major and minor updates, and our final Mergify config now looks like this:
pull_request_rules:
- name: Automatic merge for depfu pull requests
conditions:
- author=depfu[bot]
- base=main # or master
- title~=\(patch\)$
actions:
merge:
method: merge
PRs in my repository must be reviewed before merge
Oh, do they now? As said before, Mergify will wait until no required checks fail, and that includes required reviews. No problem (thanks, Julien Danjou)! We can automate PR reviewal as well! Let's add to .mergify.yml:
pull_request_rules:
- name: Automatic approval for depfu pull requests
conditions:
- author=depfu[bot]
actions:
review:
type: APPROVE
- name: Automatic merge for depfu pull requests
conditions:
- author=depfu[bot]
- base=main # or master
- title~=\(patch\)$
actions:
merge:
method: merge
Done!
Now, with these new apps and actions, dependency update pull requests will be created, reviewed and merged 🌼automatically🌼! The GitHub Marketplace is filled with gems like these and I encourage you all to explore the list to make life easier and more automated!
Top comments (2)
Excellent! You could actually also leverage Mergify to review your PR, that'd be even simpler: docs.mergify.io/actions/review/
Thanks! I'll definitely try this out!