github.com/skarlso/dependabot-bundler
Readme
Bundler will gather all PRs which were created by app/dependabot user. Then, it will apply go get -u using the
modules in the prs that it found. It will do that instead of using git magic to combine the prs to avoid the following
problems:
Once all updates have been applied, it will create a single commit and a PR.
It doesn't attempt to merge PRs causing various merge conflicts. It will basically just do what dependabot would do but apply it separately as a composite update.
Bundler only ever commits go.mod and go.sum files. It never stages any other changes.
Example running every Friday:
name: Dependabot Bundler
on:
schedule:
- 0 0 * * 5 # every Friday at 00:00
jobs:
bundler:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Setup Go
uses: actions/setup-go@v2
with:
go-version: 1.18.x
- name: Cache go-build and mod
uses: actions/cache@v2
with:
path: |
~/.cache/go-build/
~/go/pkg/mod/
key: go-${{ hashFiles('go.sum') }}
restore-keys: |
go-
- name: Install Dependabot Bundler
run: |
go install github.com/Skarlso/dependabot-bundler@v0.0.3
- name: Run Dependabot Bundler
run: |
dependabot-bundler --token ${{ secrets.GITHUB_TOKEN }} --repo test --owner Skarlso
If everything goes well, it should result in a PR like this:
This is an actual PR located here which was created with dependabot-bundler and merged.
Dependabot can apply labels to the created PR such as:
- name: Run Dependabot Bundler
run: |
dependabot-bundler --token ${{ secrets.GITHUB_TOKEN }} --repo test --owner Skarlso --labels bug,duplicate
Which will result in a PR like this:
Dependabot Bundler is now able to bundle GitHub actions updates as well.
If there are PRs which update the version of GitHub actions, bundler will now take those updates as well and apply them to the created PR.
Dependabot Bundler is now available as a GitHub Action. To use it, simple include it as follows:
- name: dependabot-bundler
uses: skarlso/dependabot-bundler@v0.0.1
with:
token: ${{ secrets.GITHUB_TOKEN }}
repo: 'This repo'
owner: 'Me'
To sign a commit made by the bundler call it with the following parameters:
dependabot-bundler \
--token ${{ secrets.GITHUB_TOKEN }} \
--repo test \
--owner owner \
--signing-public-key "${{ secrets.GPG_SIGN }}" \
--signing-private-key "${{ secrets.GPG_SECRET_SIGN }}" \
--signing-key-passphrase "${{ secrets.GPG_KEY_PASSPHRASE }}" \
--signing-name <sign-name> \
--signing-email <sign-email> \
--author-name <author-name> \
--author-email <author-email>
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
A hospital in Mobile, Alabama, agreed to a settlement in a landmark ransomware death lawsuit, but is now reportedly reconsidering the agreement and refusing to pay.
Security News
A new report explores how advancements in LLMs are enhancing cyber threats, including polymorphic malware, personalized spearphishing, and the risk of hijacking customer service bots.
Security News
ESLint has approved an RFC that adds support for TypeScript configuration files, which is aimed at improving the developer experience and recognizing changes in the evolving JavaScript ecosystem.