Maintenance: Enable auto-merge for dependabot

[bahrmichael]

Description of the feature request

Problem statement

Today dependabot PRs require manual approval, which consists of checking if the PR builds succeeded and then merging the changes.

Summary of the feature

By enabling auto-merge for a dependabot pull requests we can reduce the required maintenance time, and focus our time on more creative tasks.

To auto-merge your pull requests, we can use GitHub's auto-merge functionality. This enables the pull request to be merged when all required tests and approvals are successfully met.

The auto-merge functionality lets us configure under which conditions we want to enable auto-merge. This lets us start with a list of trusted dependencies (e.g. aws-sdk) and a certain version type (e.g. patch). The example below limits auto-merge to patches of aws-sdk.

      - name: Enable auto-merge for Dependabot PRs
        if: ${{contains(steps.metadata.outputs.dependency-names, 'aws-sdk') && steps.metadata.outputs.update-type == 'version-update:semver-patch'}}
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}

Auto-merge requires permissions to write to PRs, as shown below:

permissions:
  pull-requests: write
  contents: write

Code examples

Below is an example that I copied from the Github docs and switched the trusted library to aws-sdk. I did not dive deep into the step Dependabot metadata yet.

name: Dependabot auto-merge
on: pull_request_target

permissions:
  pull-requests: write
  contents: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1.1.0
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Enable auto-merge for Dependabot PRs
        if: ${{contains(steps.metadata.outputs.dependency-names, 'aws-sdk') && steps.metadata.outputs.update-type == 'version-update:semver-patch'}}
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

Benefits for you and the wider AWS community

Maintainers spend less time on chores, and have more time to engage with the community.

Describe alternatives you've considered

I have not yet investigated alternatives, as this seems to be the recommended approach for Github.

With this issue I am not suggesting that we should enable the auto-merge feature through the GitHub UI.

Additional context

None yet.

Related issues, RFCs

None yet.

[alan-churley]

I think that the new permisions on dependabot PRs would make this more difficult as the workflow will only have read only permission, so would not be able to do the merge

(https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/)

[dreamorosi]

I agree that it'd reduce the maintenance load but not sure if the risk we'd introducing is worth the benefit.

Second @alan-churley opinion. There's a way of giving more privileges to the workflow but we should be careful as it exposes the repository to pwn requests. The main question here is do we trust dependabot enough to auto-merge whatever throws at us?

TL;DR: Combining pull_request_target workflow trigger with an explicit checkout of an untrusted PR is a dangerous practice that may lead to repository compromise.

[pankajagrawal16]

This is automated in java repo https://github.com/awslabs/aws-lambda-powertools-java if you want to take inspiration from.

It works based on githubs new permission model.

As long as the build steps i.e. test cases pass, we merge the PR. It should be pretty safe trusting our own automated tests I think and saves us from alot of effort of manually merging PR.s

[bahrmichael]

Resolved by #169

[github-actions]

⚠️ COMMENT VISIBILITY WARNING ⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.