The purpose of this workflow is to auto-merge pull requests generated by Dependabot.
This workflow is triggered once the build-test-package workflow completes but will only execute if it was triggered by the dependabot[bot] actor. The flow is as follows:
- Pull request generated.
- build-test-package workflow is triggered.
- Once build-test-package workflow completes, this workflow is triggered.
- If the actor is not dependabot[bot] then the workflow terminates. Else, it sets the pull request to auto-merge.
- The pull request gets merged once all the required status checks pass.
Note that when this workflow is triggered, its actor will be the actor that triggered the build-test-package workflow.
The Dependabot configuration file contains additional configuration for Dependabot.
Note that for pull requests to automatically be merged the conditions described in Enable Auto-Merge for PR in Github Action must be met.
To be able to delete branches using the flag --delete-branch from gh pr merge, a checkout of the repo is done beforehand, or else the command fails because GitHub's CLI tries to delete both the remote and the local branch.
Without the checkout step the gh pr merge command successfully deletes the remote branch, but it fails to delete the local branch and the workflow fails.
In the Dependabot configuration file some NuGets are ignored because the project where they are used targets multiple target frameworks, and different target frameworks require different versions of the NuGet package.
Dependabot does not handle this well, and as such the excluded NuGets need to be manually updated for each target framework.
As per the docs:
Dependabot is able to trigger GitHub Actions workflows on its pull requests and comments; however, due to "GitHub Actions: Workflows triggered by Dependabot PRs will run with read-only permissions", certain events are treated differently.
For workflows initiated by Dependabot (github.actor == "dependabot[bot]") using the pull_request, pull_request_review, pull_request_review_comment, and push events, the following restrictions apply:
- GITHUB_TOKEN has read-only permissions.
- Secrets are inaccessible.
Given the above restrictions, the action to auto-merge Dependabot PRs couldn't be done as part of the main build-test-package workflow without potentially introducing security vulnerabilities. Even if security wasn't an issue, the PRs from forked repos would fail when the workflow tried to set the auto-merge for the pull request because the GITHUB_TOKEN would only have read-only permissions.
With a separate dependabot-auto-merge-pr workflow which runs in a privileged context, the above is not a problem.
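The shape of such a separate workflow, written here as an added illustration rather than the project's own file. It assumes the upstream workflow is named build-test-package (as on this page) and that the job name, the squash merge strategy and the use of the workflow_run head branch as the gh pr merge argument are choices of this example; the permissions block is kept to the minimum gh pr merge needs, since this workflow runs with write access.

```yaml
name: dependabot-auto-merge-pr

on:
  workflow_run:
    workflows: ["build-test-package"]   # upstream workflow name from this page
    types: [completed]

# Least privilege for a privileged workflow: only what gh pr merge needs.
permissions:
  contents: write
  pull-requests: write

jobs:
  auto-merge:
    # Terminate unless the upstream run succeeded and was triggered by Dependabot.
    # github.actor here is the actor of the build-test-package run (see note above).
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      # Checkout is required so that --delete-branch can remove the local branch
      # as well as the remote one. Pin to a full commit SHA in a real repository.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.workflow_run.head_branch }}   # assumption: check out the PR head branch

      - name: Enable auto-merge on the Dependabot PR
        env:
          # Pass untrusted event data through env, not inline in the script,
          # so a crafted branch name cannot be interpreted by the shell.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: |
          # --auto defers the merge until every required status check passes;
          # gh pr merge accepts a branch name as the PR selector.
          gh pr merge --auto --squash --delete-branch "$HEAD_BRANCH"
```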
For more information see:
- Security considerations on GitHub workflows
- Security considerations on GitHub workflows regarding dotnet CLI
The dependabot/fetch-metadata action can be used to extract information about the dependencies being updated by a Dependabot-generated PR. The output from that action could be stored as a workflow artifact if the information is required by a privileged workflow.