Dependabot-core: Auto Merge v2

@UziTech sadly yes, we've got this issue tracking automerging support with a few community-suggested alternatives: https://github.com/dependabot/dependabot-core/issues/1973

Will close this out as duplicate.

@feelepxyz I saw that issue but it is about v1. I am asking about v2

@UziTech ah yes sorry that issue is confusing. Here's the comment reffering to v2 support: https://github.com/dependabot/dependabot-core/issues/1823#issuecomment-641594279

@feelepxyz It seems like the comments about automerging in v2 are spread into issues about other things. I still feel like this isn't a duplicate of any of those since none of those issues are specifically about auto-merge in v2. Some of them are also closed making it harder for a person to find them. I think it would be easier for people to find the reasoning behind the removal if this issue remained open until it is resolved.

Though I feel like a link to this https://github.com/dependabot/dependabot-core/issues/1823#issuecomment-641594279 is good enough for an answer for now.

In case anyone wants the ability to auto merge you can accomplish this with github actions:

The token used must have public_repo permission for public repos or repo permission for private repos to push to the repo so the default secrets.GITHUB_TOKEN won't work.

  ...
  Automerge:
    needs: [Test, Lint]
    runs-on: ubuntu-latest
    if: |
      github.actor == 'dependabot[bot]' &&
      github.event_name == 'pull_request' &&
      startsWith(github.event.pull_request.title, 'chore(deps-dev):')
    steps:
      - name: '@dependabot merge'
        uses: actions/github-script@v2
        with:
          github-token: ${{secrets.GH_TOKEN}}
          script: |
            await github.issues.createComment({
              owner: context.payload.repository.owner.login,
              repo: context.payload.repository.name,
              issue_number: context.payload.pull_request.number,
              body: '@dependabot merge'
            })

@UziTech I'm having trouble with which Personal Access Token scope to use. You said you need either public_repo or push permission. Which scope permission is that (the push permission)?

@Clumsy-Coder If it is a public repo this is all you should need:

There isn't a permission called "push" but any token that is able to push commits should work.

@UziTech I'm using a private repo. Do I need repo permission (and all it's sub permissions)?

Yes I believe repo permission is needed to push to private repos.

@UziTech Thanks. That worked.

It seems like this solution fails with protected branches? (The dependabot user can't be granted access to push to a protected branch.)

@ZebraFlesh you can try using the pascalgn/automerge-action to merge with a user other than dependabot.

@UziTech Thanks, that's an interesting work around. However, I'm not thrilled about consuming yet more Actions minutes because dependabot broke the merge command in v2. I'm going to stick with v1 until this is fixed.

We got the alternative here: https://twitter.com/github/status/1336360682221133827?s=20

Check out auto-merge! Now, when your branch protection rules are met, your changes approved, and your checks are green, GitHub can automatically merge your pull request for you.

@peaceiris Is that a button that you have to push on every pull request? This issue is more about not even having to look at the pull request or need any human interaction for merging dependency updates.

We do not know the details yet. It will start rolling out next week. I hope we can set the auto-merge for a whole repository/account without approval.

According to the roadmap it will be a button that can be pressed when a PR is submitted by a person with push access. I don't think this will do anything for dependabot ☹.

https://github.com/github/roadmap/issues/107