
Goodbye Dependabot, Hello Batch Dependency Updates #27

Closed
swyxio opened this issue Feb 5, 2022 · 2 comments

Comments

swyxio commented Feb 5, 2022

tags: dx, github

swyxkit depends on alpha software, primarily sveltekit, but also has a dozen more dependencies that move on a fairly frequent basis. The problem of keeping dependencies up to date is a pressing one.

The usual answer to this is Dependabot, which is available as a one click setting inside of GitHub. However, it generates a new PR per dependency update, which usually gets fairly annoying.

Fred Schott from Astro recently tweeted about how they do nightly lockfile updates, which seems like a much smarter solution: https://twitter.com/FredKSchott/status/1489287560387956736

I adapted it to make it weekly, and figured I'd share the process.

Step 1 - Add a new GitHub Action.

Pretty much just create a file like this one; GH actions are so easy to make. I modified the cron syntax to only run once a week to limit the amount of updates going on.

```yaml
name: 'Nightly'  # name kept from the Astro original; the cron below actually runs weekly

on:
  schedule:
    # Runs at 12:00 UTC on Fri.
    - cron: '0 12 * * 5'
  workflow_dispatch:

jobs:
  lockfile:
    # Skip on forks so they do not open lockfile PRs of their own.
    if: github.repository_owner == 'sw-yx'
    runs-on: ubuntu-latest
    steps:
      - name: Check out code using Git
        uses: actions/checkout@v2

      - name: Set Node version to 16
        uses: actions/setup-node@v2
        with:
          node-version: 16
          cache: 'npm'

      # Dropping the lockfile and node_modules forces a full re-resolution
      # against the ranges in package.json.
      - name: Clear lockfile
        run: rm -rf package-lock.json node_modules

      # --ignore-scripts keeps freshly resolved packages from running lifecycle
      # scripts on the runner. --ignore-engines is a yarn flag that npm does
      # not recognize (it only produces a warning), so it is left out here.
      - name: Install dependencies
        run: npm install --ignore-scripts

      - name: Create Pull Request
        id: createpr
        uses: peter-evans/create-pull-request@v3
        with:
          # A personal access token rather than GITHUB_TOKEN, so that the
          # PR it opens triggers the repository's own CI workflows.
          token: ${{ secrets.NIGHTLY_PERSONAL_GITHUB_TOKEN }}
          commit-message: '[ci] update lockfile'
          title: '[ci] update lockfile'
          body: >
            This PR is auto-generated by a nightly GitHub action.
            It should automatically be merged if tests pass.

      # Only enable auto-merge for a PR this run created, not for an
      # existing one that was merely updated.
      - name: Mark Pull Request for Auto-Merge
        if: steps.createpr.outputs.pull-request-operation == 'created'
        uses: peter-evans/enable-pull-request-automerge@v1
        with:
          token: ${{ secrets.NIGHTLY_PERSONAL_GITHUB_TOKEN }}
          pull-request-number: ${{ steps.createpr.outputs.pull-request-number }}
          merge-method: squash
```

Step 2 - create your token

Notice that the script depends on a NIGHTLY_PERSONAL_GITHUB_TOKEN variable. You can create it here: https://github.com/settings/tokens

image

and enter it here in your project

image

atuttle commented Feb 8, 2022

Is there an approach that would allow you to require checks and tests to pass before auto-merging? This doesn't bother me as-is for something like a blog, but seems a bit dangerous to add to my company's product.

swyxio commented Feb 8, 2022

I think that's a function of you setting up your CI correctly rather than anything to do with this setup - if your checks and tests don't pass, GitHub would refuse to automerge; that's basically the definition of CI

@swyxio swyxio closed this as completed Feb 8, 2022