dependabot-bundler

command module
v0.0.17 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 25, 2023 License: Apache-2.0 Imports: 2 Imported by: 0

README

Dependabot bundler

Bundler will gather all PRs which were created by app/dependabot user. Then, it will apply go get -u using the modules in the prs that it found. It will do that instead of using git magic to combine the prs to avoid the following problems:

  • merge conflicts
  • dependencies getting out of sync ( something updating to x while the next downgrades it to y or vica-versa )
  • dependency chain conflicts

Once all updates have been applied, it will create a single commit and a PR.

It doesn't attempt to merge PRs causing various merge conflicts. It will basically just do what dependabot would do but apply it separately as a composite update.

Bundler only ever commits go.mod and go.sum files. It never stages any other changes.

Example running every Friday:

name: Dependabot Bundler

on:
  schedule:
    - 0 0 * * 5 # every Friday at 00:00

jobs:
  bundler:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Setup Go
        uses: actions/setup-go@v2
        with:
          go-version: 1.18.x
      - name: Cache go-build and mod
        uses: actions/cache@v2
        with:
          path: |
            ~/.cache/go-build/
            ~/go/pkg/mod/
          key: go-${{ hashFiles('go.sum') }}
          restore-keys: |
            go-          
      - name: Install Dependabot Bundler
        run: |
          go install github.com/Skarlso/dependabot-bundler@v0.0.3
      - name: Run Dependabot Bundler
        run: |
          dependabot-bundler --token ${{ secrets.GITHUB_TOKEN }} --repo test --owner Skarlso

If everything goes well, it should result in a PR like this:

pr1

This is an actual PR located here which was created with dependabot-bundler and merged.

pr2

Dependabot can apply labels to the created PR such as:

      - name: Run Dependabot Bundler
        run: |
          dependabot-bundler --token ${{ secrets.GITHUB_TOKEN }} --repo test --owner Skarlso --labels bug,duplicate

Which will result in a PR like this:

pr3

Updating GitHub Actions

Dependabot Bundler is now able to bundle GitHub actions updates as well.

If there are PRs which update the version of GitHub actions, bundler will now take those updates as well and apply them to the created PR.

pr4

Use it as GitHub Action

Dependabot Bundler is now available as a GitHub Action. To use it, simple include it as follows:

- name: dependabot-bundler
  uses: skarlso/dependabot-bundler@v0.0.1
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
    repo: 'This repo'
    owner: 'Me'

Commit signing

To sign a commit made by the bundler call it with the following parameters:

        dependabot-bundler \
          --token ${{ secrets.GITHUB_TOKEN }} \
          --repo test \
          --owner owner \
          --signing-public-key "${{ secrets.GPG_SIGN }}" \
          --signing-private-key "${{ secrets.GPG_SECRET_SIGN }}" \
          --signing-key-passphrase "${{ secrets.GPG_KEY_PASSPHRASE }}" \
          --signing-name <sign-name> \
          --signing-email <sign-email> \
          --author-name <author-name> \
          --author-email <author-email>

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis
pkg
api
api/fakes
Code generated by counterfeiter.
 Code generated by counterfeiter.
logger
providers
providers/fakes
Code generated by counterfeiter.
 Code generated by counterfeiter.
providers/ghaupdater
providers/mupdater
providers/pgp
providers/runner

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.