Tássio

Posted on Nov 8 • Edited on Nov 11

Managing Dependabot PRs with dependabot-pr-manager 🤖

#security #management #dependabot #automation

Managing multiple Dependabot PRs can be a boring task, especially when you have numerous repositories to maintain. The dependabot-pr-manager library simplifies this process by grouping Dependabot PRs into a single PR and closing Dependabot PR. In this article, we'll explore how to use dependabot-pr-manager in your CI pipeline.

By the way, it is opensource. 🚀

BEFORE YOU KEEP REEDING: dependabot-pr-manager only supports Node projects

What does it do?

Currently, dependabot-pr-manager has two main scripts:

Group Dependabot PRs: The merge-dependabot-prs script groups all Dependabot PRs into a single PR, allowing you to review and update the changes before merging.
Close Dependabot PRs: The close-dependabot-prs script closes all open Dependabot PRs.

How to use it?

Installing

Install dependabot-pr-manager as a devDependency. Example:

npm i @openish-u/dependabot-pr-manager --save-dev

On CI

Below is an example of how to set up a GitHub Action (you can adapt to other CI services) to run the dependabot-pr-manager script on the first day of every month (at 09:00 UTC) and allow manual triggering via a GitHub button. Additionally, it includes a job to close the Dependabot PRs when the created PR is commented with "[dependabot-pr-manager] close prs".

Create a file named .github/workflows/dependabot-pr-manager.yml in your repository:

name: Group and Close Dependabot PRs

on:
  schedule:
    - cron: '0 9 * * 1' # Runs at 09:00 (UTC) on the first day of every month
  workflow_dispatch: # Allows manual triggering via GitHub button
  issue_comment:
    types: [created]

jobs:
  merge-dependabot-prs:
    if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Set up Node.js
        uses: actions/setup-node@v2
        with:
          node-version: '18'

      - name: Install Yarn
        run: npm install -g yarn

      - name: Install dependencies
        run: yarn install

      - name: Set up Git
        run: |
          git config --global user.name "dependabot[bot]" # change to the user that will merge the PRs
          git config --global user.email "49699333+dependabot[bot]@users.noreply.github.com" # change to the user that will merge the PRs

      - name: Run merge-dependabot-prs
        run: |
          npx merge-dependabot-prs \
            --repoUrl=https://github.com/open-ish/utility.git \
            --combinedBranch=ci/combined-dependabot-updates \
            --mainBranch=main \
            --githubToken=${{ secrets.YOUR_GIT_HUB_TOKEN }} \
            --repoOwner=open-ish \
            --repoName=utility

  close-dependabot-prs:
    if: github.event.issue.pull_request && contains(github.event.comment.body, '[dependabot-pr-manager] close prs')
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Set up Node.js
        uses: actions/setup-node@v2
        with:
          node-version: '18'

      - name: Install Yarn
        run: npm install -g yarn

      - name: Install dependencies
        run: yarn install

      - name: Run close-dependabot-prs
        run: |
          npx close-dependabot-prs \
            --githubToken=${{ secrets.YOUR_GIT_HUB_TOKEN }} \
            --repoOwner=open-ish \
            --repoName=utility

merge-dependabot-prs Job: This job runs the merge-dependabot-prs script to group Dependabot PRs into one.
close-dependabot-prs Job: This job runs the close-dependabot-prs script to close the Dependabot PRs when the pull request created from dependabot-pr-manager be commented with '[dependabot-pr-manager] close prs'.

Enjoy it? Don't forget to like the article and starring the repository! ⭐

Package params

--repoUrl(required): The repository URL;
--combinedBranch(required): The branch that will be created with the combined PRs;
--mainBranch(required): The main branch of the repository;
--githubToken(required): The GitHub token;
--repoOwner(required): The repository owner;
--repoName(required): The repository name;
--installDepsCommand: The command to install the dependencies. Default: yarn install
--filesToCommit: Files to be committed on the pull request. Default: package.json yarn.lock

Examples

See this PR example

Grouping Dependabot PRs

Closing Dependabot PRs after comment [dependabot-pr-manager] close prs

Conclusion

The dependabot-pr-manager library is a nice tool for managing Dependabot PRs in your repositories. By automating the process of grouping and closing PRs, you can save time and ensure that your dependencies are always up to date. Try integrating dependabot-pr-manager into your CI pipeline and share your experience commenting on the article and/or repository.

Top comments (2)

Boopathi • Nov 8

This looks like a great way to streamline Dependabot PR management! Having a single PR for all updates and a way to close them easily sounds super efficient. I'm curious to see how it handles conflicts between different dependency updates.

Tássio • Nov 9

Hey @programmerraja, thanks for your feedback 😊

It runs install script (you define which) just once after collect all required dependencies. So it shouldn't conflict.

DEV Community

Managing Dependabot PRs with dependabot-pr-manager 🤖

What does it do?

How to use it?

Installing

On CI

Package params

Examples

Conclusion

Top comments (2)

Read next

Introducing the DNA-KEY System: Taking the Password Generator to the Next Level! 🔐

Amazon Inspector Explained: Boosting Cloud Security for Your AWS Workloads

Unlock Ultimate Security: How to Use YubiKey (or Any Security Key) for Passwordless Access in Azure Virtual Machines!

Introducing the AWS CDK L2 Construct: Simplified Security for Amazon CloudFront with Origin Access Control (OAC)