go-grpc-http1

Have roxbot deal with dependabot updates

Open RTann opened this issue 1 year ago • 3 comments

Manually handling dependabot updates is annoying, and we tend to just blindly accept the updates anyway. Perhaps we should consider adding roxbot to this repo and having it take care of it for us. Thoughts, @stackrox/maple?

RTann avatar Mar 06 '24 20:03 RTann

Yes, it makes sense to add a bot to do that. However, we do not accept the updates fully blindly; I guess we all check whether CI is happy. How can we onboard the bot to auto-merge dependabot PRs that pass the CI?

vikin91 avatar Mar 25 '24 11:03 vikin91

Hmm. Maybe we can check in with @janisz, as he just introduced auto-retest for our own PRs. Maybe he has an idea? https://redhat-internal.slack.com/archives/CELUQKESC/p1711124692089649

Maddosaurus avatar Mar 25 '24 12:03 Maddosaurus

To auto-merge dependabot PRs when all checks are passing, just add this action and it should handle that: https://github.com/stackrox/jenkins-plugin/blob/master/.github/workflows/auto-merge.yml

name: auto-merge

on:
  pull_request_target:

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
    - uses: ahmadnassri/[email protected]
      with:
        github-token: '${{ secrets.RHACS_BOT_GITHUB_TOKEN }}'
        command: "squash and merge"
        approve: true
        target: minor

janisz avatar Mar 25 '24 12:03 janisz
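
A review check for workflows shaped like the one quoted above: it flags a secret used under `pull_request_target`, a bot gate that relies only on `github.actor`, and an action referenced by a mutable tag. This is an added example, not code from the thread or the stackrox project; the action reference in the sample is a placeholder, and the function name and finding codes are hypothetical.

```python
import re

# Constructed sample shaped like the quoted workflow; the action reference is a placeholder.
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  auto-merge:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
    - uses: example-org/example-auto-merge@v1
      with:
        github-token: '${{ secrets.RHACS_BOT_GITHUB_TOKEN }}'
"""

MESSAGES = {
    "secrets-with-pull_request_target":
        "pull_request_target runs in the base repository context, so the "
        "referenced secret is available to runs triggered by fork PRs too",
    "actor-only-bot-gate":
        "github.actor is whoever triggered the run, not necessarily the PR "
        "author; gate on github.event.pull_request.user.login",
    "unpinned-action":
        "action is referenced by a mutable tag or branch; pin it to a full "
        "40-character commit SHA",
}

def audit_workflow(text):
    """Line-based heuristics (not a YAML parser); returns sorted finding codes."""
    found = set()
    privileged = re.search(r"^\s*(?:-\s*|on\s*:.*)?\bpull_request_target\b", text, re.M)
    if privileged and re.search(r"\$\{\{\s*secrets\.\w+", text):
        found.add("secrets-with-pull_request_target")
    for cond in re.findall(r"^\s*if\s*:\s*(.+)$", text, re.M):
        if ("dependabot[bot]" in cond and "github.actor" in cond
                and "pull_request.user.login" not in cond):
            found.add("actor-only-bot-gate")
    for ref in re.findall(r"^\s*(?:-\s*)?uses\s*:\s*([^\s#]+)", text, re.M):
        if ref.startswith(("./", "docker://")):
            continue  # local and container actions are out of scope here
        if not re.fullmatch(r"[0-9a-f]{40}", ref.partition("@")[2]):
            found.add("unpinned-action")
    return sorted(found)

if __name__ == "__main__":
    for code in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{code}: {MESSAGES[code]}")
```

The secret finding remains after the other two are fixed: it marks a trigger that needs the job's `if:` gate and branch protection reviewed, not something the workflow file alone can clear.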

Let's try it: https://github.com/stackrox/go-grpc-http1/pull/192

vikin91 avatar Apr 10 '24 07:04 vikin91