Update dependabot autocommit script and job #416
Merged
The implementation of the script that automatically approves dependabot PRs relied on issuing commands to dependabot by using comments in the PR such as `@dependabot merge`; this results in a comment in the PR: "Sorry, only users with push access can use that command."
I attempted to fix this by creating a GitHub App, giving it the correct permissions and then using an app installation token in the workflow; however, this did not work either, as it turns out that dependabot checks to see if the token belongs to a real user with push access to the repo when these commands are issued.
I resolved the issue by setting auto approve squash on the PR rather than using dependabot commands. I decided to leave the change that uses the app token for 2 reasons: firstly, it means that the actions that the job takes are clear in the PR history (as they show up as dependabot-pr-auto-approver); second, the token is limited to the permissions required by the job and cannot obtain any other permissions unless the app is updated.
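The approach described above (mint an app installation token, then approve the PR and enable squash auto-merge instead of posting `@dependabot` commands) as an added illustrative workflow; this is not the PR's own script. The secret names `APP_ID` and `APP_PRIVATE_KEY`, the skip for semver-major updates, and the `actions/create-github-app-token` / `dependabot/fetch-metadata` action choices are assumptions, not taken from the PR:

```yaml
# Added example, not the script from this PR.
# Assumed: the GitHub App "dependabot-pr-auto-approver" is installed on the repo
# and its ID and private key are stored as the secrets APP_ID / APP_PRIVATE_KEY.
name: dependabot-auto-merge

# pull_request_target is used because Dependabot-triggered pull_request runs
# only see Dependabot secrets, not repository secrets. The job never checks
# out the PR's code, so the untrusted branch is not executed.
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Grant nothing to GITHUB_TOKEN; every write goes through the app token,
# so the job's reach is exactly the app's configured permissions.
permissions: {}

jobs:
  auto-merge:
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Mint a short-lived installation token for the app
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - name: Read the update metadata Dependabot attaches to the PR
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ steps.app-token.outputs.token }}

      # Assumption: major version bumps are left for a human to review.
      - name: Approve and enable squash auto-merge (no @dependabot commands)
        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          # Both calls are attributed to the app in the PR timeline.
          gh pr review --approve "$PR_URL"
          # Auto-merge waits for required checks, then squash-merges.
          gh pr merge --auto --squash "$PR_URL"
```

For `gh pr merge --auto` to succeed, "Allow auto-merge" must be enabled in the repository settings, and the app needs at least pull requests: write and contents: write on the repository; anything beyond that is outside what the job can do until the app itself is changed.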