Automating Dependabot with GitHub Actions

Examples of how you can use GitHub Actions to automate common Dependabot-related tasks.

People with write permissions to a repository can configure GitHub Actions to respond to Dependabot-created pull requests.

About Dependabot and GitHub Actions

Dependabot creates pull requests to keep your dependencies up to date, and you can use GitHub Actions to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modify the pull request.

Responding to events

Dependabot is able to trigger GitHub Actions workflows on its pull requests and comments; however, certain events are treated differently.

For workflows initiated by Dependabot (github.actor == "dependabot[bot]") using the pull_request, pull_request_review, pull_request_review_comment, and push events, the following restrictions apply:

  • GITHUB_TOKEN has read-only permissions by default.
  • Secrets are populated from Dependabot secrets. GitHub Actions secrets are not available.

For more information, see "Keeping your GitHub Actions and workflows secure: Preventing pwn requests."

Changing GITHUB_TOKEN permissions

By default, GitHub Actions workflows triggered by Dependabot get a GITHUB_TOKEN with read-only permissions. You can use the permissions key in your workflow to increase the access for the token:

name: CI
on: pull_request

# Set the access for individual scopes, or use permissions: write-all
permissions:
  pull-requests: write
  issues: write
  repository-projects: write
  ...

jobs:
  ...

For more information, see "Modifying the permissions for the GITHUB_TOKEN."
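As an added example (not from the original page), the workflow below keeps the write scopes away from the job that actually executes the updated dependency. The `npm ci && npm test` commands and the `dependencies` label are assumptions for illustration. The point is that raising the token's access at the workflow level (for instance with `permissions: write-all`) would also hand the write token to the job that runs install scripts and tests from the new, unreviewed package version; scoping the permissions per job avoids that.

```yaml
name: CI
on: pull_request

# Workflow-level default for every job: read-only checkout, nothing else.
permissions:
  contents: read

jobs:
  # This job installs and runs the updated dependency, i.e. code that nobody has
  # reviewed yet. It keeps the read-only token, so a malicious package that reads
  # GITHUB_TOKEN during `npm ci` cannot push, label, approve or merge anything.
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: npm ci && npm test   # assumed project commands

  # Only this job gets write scopes, and it never executes dependency code.
  label:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    permissions:
      pull-requests: write
      issues: write
    steps:
      - name: Mark the pull request as a dependency update
        run: gh pr edit "$PR_URL" --add-label "dependencies"   # label assumed to exist
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Job-level `permissions` override the workflow-level block, and any scope you do not list is set to none, so the `label` job has no `contents` access at all; `gh pr edit` works from the pull request URL without a checkout.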

Accessing secrets

When a Dependabot event triggers a workflow, the only secrets available to the workflow are Dependabot secrets. GitHub Actions secrets are not available. Consequently, you must store any secrets that are used by a workflow triggered by Dependabot events as Dependabot secrets. For more information, see "Managing encrypted secrets for Dependabot."

Dependabot secrets are added to the secrets context and referenced using exactly the same syntax as secrets for GitHub Actions. For more information, see "Encrypted secrets."

If you have a workflow that will be triggered by Dependabot and also by other actors, the simplest solution is to store the token with the required permissions both as an Actions secret and as a Dependabot secret, using identical names. The workflow can then reference the secret once, and the right store is selected by who triggered the run. If the Dependabot secret has a different name, use conditions to pick the correct secret for each actor. For examples that use conditions, see "Common automations" below.

To access a private container registry on AWS with a user name and password, a workflow must include a secret for username and password. In the example below, when Dependabot triggers the workflow, the Dependabot secrets with the names READONLY_AWS_ACCESS_KEY_ID and READONLY_AWS_ACCESS_KEY are used. If another actor triggers the workflow, the actions secrets with those names are used.

name: CI
on:
  pull_request:
    branches: [ main ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Login to private container registry for dependencies
        uses: docker/login-action@v1
        with:
          registry: https://1234567890.dkr.ecr.us-east-1.amazonaws.com
          username: ${{ secrets.READONLY_AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.READONLY_AWS_ACCESS_KEY }}

      - name: Build the Docker image
        run: docker build . --file Dockerfile --tag my-image-name:$(date +%s)
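When the Dependabot secret and the Actions secret have different names, the selection has to be made in the workflow. The example below is added here and is not from the original page; it keeps the registry from the example above but assumes four secret names: DEPENDABOT_AWS_ACCESS_KEY_ID and DEPENDABOT_AWS_ACCESS_KEY in Dependabot secrets, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in Actions secrets. A Dependabot-triggered run cannot see Actions secrets at all, so a missing or misnamed secret arrives as an empty string; the first step checks for that and fails with a readable message instead of an opaque registry login error.

```yaml
name: CI
on:
  pull_request:
    branches: [ main ]

jobs:
  build:
    runs-on: ubuntu-latest
    # `a && b || c` is the GitHub expressions idiom for "b if a, otherwise c".
    # Assumed secret names: DEPENDABOT_* live in Dependabot secrets, the others in
    # Actions secrets. Dependabot runs see only the former, so the `||` branch is
    # empty there and only ever applies to runs triggered by other actors.
    env:
      REGISTRY_USERNAME: ${{ github.actor == 'dependabot[bot]' && secrets.DEPENDABOT_AWS_ACCESS_KEY_ID || secrets.AWS_ACCESS_KEY_ID }}
      REGISTRY_PASSWORD: ${{ github.actor == 'dependabot[bot]' && secrets.DEPENDABOT_AWS_ACCESS_KEY || secrets.AWS_SECRET_ACCESS_KEY }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      # A missing secret shows up as an empty string, not as an error. Fail here,
      # naming the actor, rather than inside the registry login.
      - name: Check that credentials exist for this actor
        run: |
          if [ -z "$REGISTRY_USERNAME" ] || [ -z "$REGISTRY_PASSWORD" ]; then
            echo "::error::No registry credentials for actor '$GITHUB_ACTOR'. Dependabot runs only see Dependabot secrets; check the secret names in that store."
            exit 1
          fi

      - name: Login to private container registry for dependencies
        uses: docker/login-action@v1
        with:
          registry: https://1234567890.dkr.ecr.us-east-1.amazonaws.com
          username: ${{ env.REGISTRY_USERNAME }}
          password: ${{ env.REGISTRY_PASSWORD }}

      - name: Build the Docker image
        run: docker build . --file Dockerfile --tag my-image-name:$(date +%s)
```

Values taken from the secrets context stay masked in the log even after they pass through the job-level `env` block, which is why the check only tests for emptiness and never echoes the value.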

Manually re-running a workflow

You can also manually re-run a failed Dependabot workflow, and it will then run with a read-write token and with access to secrets. Before manually re-running a failed workflow, you should always check the dependency being updated to ensure that the change doesn't introduce any malicious or unintended behavior, because the re-run executes that dependency's code with the elevated token.

Common Dependabot automations

Here are several common scenarios that can be automated using GitHub Actions.

Fetch metadata about a pull request

A large amount of automation requires knowing information about the contents of the pull request: what the dependency name is, whether it's a production dependency, and whether it's a major, minor, or patch update.

The dependabot/fetch-metadata action provides all that information for you:

name: Dependabot fetch metadata
on: pull_request

permissions:
  pull-requests: write
  issues: write
  repository-projects: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1.1.1
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      # The following properties are now available:
      #  - steps.metadata.outputs.dependency-names
      #  - steps.metadata.outputs.dependency-type
      #  - steps.metadata.outputs.update-type      

For more information, see the dependabot/fetch-metadata repository.

Label a pull request

If you have other automation or triage workflows based on GitHub labels, you can configure an action to assign labels based on the metadata provided.

For example, if you want to flag all production dependency updates with a label:

name: Dependabot auto-label
on: pull_request

permissions:
  pull-requests: write
  issues: write
  repository-projects: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1.1.1
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Add a label for all production dependencies
        if: ${{ steps.metadata.outputs.dependency-type == 'direct:production' }}
        run: gh pr edit "$PR_URL" --add-label "production"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          # gh authenticates from this variable; without it the step fails.
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

Approve a pull request

If you want to automatically approve Dependabot pull requests, you can use the GitHub CLI in a workflow:

name: Dependabot auto-approve
on: pull_request

permissions:
  pull-requests: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1.1.1
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Approve a PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

Enable auto-merge on a pull request

If you want to auto-merge your pull requests, you can use GitHub's auto-merge functionality. This enables the pull request to be merged once all required tests and approvals are successfully met. Auto-merge must be allowed in the repository settings, and the protection rules on the base branch are what it waits on, so they should include the checks you want to gate on. For more information on auto-merge, see "Automatically merging a pull request."

Here is an example of enabling auto-merge for all patch updates to my-dependency:

name: Dependabot auto-merge
on: pull_request

permissions:
  pull-requests: write
  contents: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1.1.1
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Enable auto-merge for Dependabot PRs
        if: ${{contains(steps.metadata.outputs.dependency-names, 'my-dependency') && steps.metadata.outputs.update-type == 'version-update:semver-patch'}}
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
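The label, approve and auto-merge steps above can be combined into one policy. The workflow below is an added example, not from the original page or from the dependabot/fetch-metadata project. It goes beyond the single-dependency case by deciding per update type and dependency type, and it handles one edge of the `contains()` check used above: `dependency-names` is a comma-separated list, and a substring check on it would also match a package whose name merely begins with the one you listed. The policy thresholds, the `critical-lib` name and the `needs-review` label (which must already exist in the repository) are assumptions for illustration.

```yaml
name: Dependabot policy
on: pull_request

# Only the scopes the steps below use; contents: write is what auto-merge needs.
permissions:
  pull-requests: write
  issues: write
  contents: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1.1.1
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

      - name: Decide whether this update may merge without a human
        id: policy
        run: |
          # Assumed policy, adjust to your own risk appetite:
          #   patch update to any dependency            -> merge
          #   minor update to a development dependency  -> merge
          #   anything else (major, minor to production, unknown) -> needs-review
          merge=false
          case "$UPDATE_TYPE" in
            version-update:semver-patch) merge=true ;;
            version-update:semver-minor)
              if [ "$DEP_TYPE" = "direct:development" ]; then merge=true; fi ;;
          esac
          # Exact-name deny list. contains() on the comma-separated list would
          # also match "critical-lib-extras", so split it and compare each entry.
          IFS=',' read -ra names <<< "$DEP_NAMES"
          for name in "${names[@]}"; do
            name="$(printf '%s' "$name" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
            case "$name" in
              critical-lib) merge=false ;;   # assumed: always reviewed by a person
            esac
          done
          echo "merge=$merge" >> "$GITHUB_OUTPUT"
        env:
          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
          DEP_TYPE: ${{ steps.metadata.outputs.dependency-type }}
          DEP_NAMES: ${{ steps.metadata.outputs.dependency-names }}

      - name: Label updates that need a human
        if: ${{ steps.policy.outputs.merge != 'true' }}
        run: gh pr edit "$PR_URL" --add-label "needs-review"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Enable auto-merge for low-risk updates
        if: ${{ steps.policy.outputs.merge == 'true' }}
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Enabling auto-merge does not bypass branch protection: the pull request still merges only after the required checks and reviews on the base branch pass, so the tests that exercise the new version remain the real gate. The decision is written with `$GITHUB_OUTPUT`, the current replacement for the `::set-output` command.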

Troubleshooting failed workflow runs

If your workflow run fails, check the following:

  • You are running the workflow only when the correct actor triggers it.
  • You are checking out the correct ref for your pull_request.
  • Your secrets are available in Dependabot secrets rather than as GitHub Actions secrets.
  • You have a GITHUB_TOKEN with the correct permissions.

For information on writing and debugging GitHub Actions, see "Learning GitHub Actions."
