
Dependabot

Fetch Metadata Action

Name: dependabot/fetch-metadata

Extract information about the dependencies being updated by a Dependabot-generated PR.

Usage instructions

Create a workflow file that contains a step that uses: dependabot/fetch-metadata@v2, e.g.

# .github/workflows/dependabot-prs.yml
name: Dependabot Pull Request
on: pull_request
jobs:
  dependabot:
    permissions:
      pull-requests: read
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Fetch Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v2
        with:
          alert-lookup: true
          compat-lookup: true
          github-token: "${{ secrets.PAT_TOKEN }}"

Supported inputs are:

  • github-token (string)
    • The GITHUB_TOKEN secret
    • Defaults to ${{ github.token }}
    • Note: this must be set to a personal access token (PAT) if you enable alert-lookup or compat-lookup.
  • alert-lookup (boolean)
    • If true, then populate the alert-state, ghsa-id and cvss outputs.
    • Defaults to false
    • Note: the github-token field must be set to a personal access token (PAT).
  • compat-lookup (boolean)
    • If true, then populate the compatibility-score output.
    • Defaults to false
    • Note: the github-token field must be set to a personal access token (PAT).
  • skip-commit-verification (boolean)
    • If true, then the action will not expect the commits to have a verification signature. It is required to set this to 'true' in GitHub Enterprise Server.
    • Defaults to false
  • skip-verification (boolean)
    • If true, the action will not validate the user or the commit verification status.
    • Defaults to false

Subsequent actions will have access to the following outputs:

  • steps.dependabot-metadata.outputs.dependency-names
    • A comma-separated list of the package names updated by the PR.
  • steps.dependabot-metadata.outputs.dependency-type
    • The type of dependency that Dependabot has determined this PR to be updating. Possible values are: direct:production, direct:development and indirect. See the allow documentation for descriptions of each.
  • steps.dependabot-metadata.outputs.update-type
    • The highest semver change being made by this PR, e.g. version-update:semver-major. For all possible values, see the ignore documentation.
  • steps.dependabot-metadata.outputs.updated-dependencies-json
    • A JSON string containing the full information about each updated dependency.
  • steps.dependabot-metadata.outputs.directory
    • The directory configuration that was used by Dependabot for this updated dependency.
  • steps.dependabot-metadata.outputs.package-ecosystem
    • The package-ecosystem configuration that was used by Dependabot for this updated dependency.
  • steps.dependabot-metadata.outputs.target-branch
    • The target-branch configuration that was used by Dependabot for this updated dependency.
  • steps.dependabot-metadata.outputs.previous-version
    • The version that this PR updates the dependency from.
  • steps.dependabot-metadata.outputs.new-version
    • The version that this PR updates the dependency to.
  • steps.dependabot-metadata.outputs.alert-state
    • If this PR is associated with a security alert and alert-lookup is true, this contains the current state of that alert (OPEN, FIXED or DISMISSED).
  • steps.dependabot-metadata.outputs.ghsa-id
    • If this PR is associated with a security alert and alert-lookup is true, this contains the GHSA-ID of that alert.
  • steps.dependabot-metadata.outputs.cvss
    • If this PR is associated with a security alert and alert-lookup is true, this contains the CVSS value of that alert (otherwise it contains 0).
  • steps.dependabot-metadata.outputs.compatibility-score
    • If this PR has a known compatibility score and compat-lookup is true, this contains the compatibility score (otherwise it contains 0).
  • steps.dependabot-metadata.outputs.maintainer-changes
    • Whether or not the body of this PR contains the phrase "Maintainer changes", which is an indicator of whether or not any maintainers have changed.
  • steps.dependabot-metadata.outputs.dependency-group
    • The dependency group that the PR is associated with (otherwise it is an empty string).

Note: By default, these outputs will only be populated if the target Pull Request was opened by Dependabot and contains only Dependabot-created commits. To override, see skip-commit-verification / skip-verification.

For workflows initiated by Dependabot (github.actor == 'dependabot[bot]') using the pull_request_target event, if the base ref of the pull request was created by Dependabot (github.event.pull_request.user.login == 'dependabot[bot]'), the GITHUB_TOKEN will be read-only and secrets are not available.

This metadata can be used along with Actions' expression syntax and the GitHub CLI to create useful automation for your Dependabot PRs.

Auto-approving

Since the dependabot/fetch-metadata Action will set a failure code if it cannot find any metadata, you can have a permissive auto-approval on all Dependabot PRs like so:

name: Dependabot auto-approve
on: pull_request
permissions:
  pull-requests: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Checking the author will prevent your Action run failing on non-Dependabot PRs
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v2
      - uses: actions/checkout@v4
      - name: Approve a PR if not already approved
        run: |
          gh pr checkout "$PR_URL" # sets the upstream metadata for `gh pr status`
          if [ "$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)" != "APPROVED" ];
          then gh pr review --approve "$PR_URL"
          else echo "PR already approved, skipping additional approvals to minimize emails/notification noise.";
          fi
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

Enabling auto-merge

If you are using the auto-merge feature on your repository, you can set up an action that will enable Dependabot PRs to merge once CI and other branch protection rules are met. (Note that you must use a personal access token (PAT) when executing the merge instruction.)

For example, if you want to automatically merge all patch updates to Rails:

name: Dependabot auto-merge
on: pull_request
permissions:
  pull-requests: write
  contents: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v2
      - name: Enable auto-merge for Dependabot PRs
        if: ${{contains(steps.dependabot-metadata.outputs.dependency-names, 'rails') && steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch'}}
        run: gh pr merge --auto --merge "${{github.event.pull_request.html_url}}"
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

Labelling

If you have other automation or triage workflows based on GitHub labels, you can configure an action to assign these based on the metadata.

For example, if you want to flag all production dependency updates with a label:

name: Dependabot auto-label
on: pull_request
permissions:
  pull-requests: write
  issues: write
  repository-projects: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v2
      - name: Add a label for all production dependencies
        if: ${{ steps.dependabot-metadata.outputs.dependency-type == 'direct:production' }}
        run: gh pr edit "${{github.event.pull_request.html_url}}" --add-label "production"
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
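The outputs list above and this labelling section can be combined for security triage. The following workflow is an added example, not part of the action's README: it uses the alert-lookup outputs (alert-state, cvss, ghsa-id) to label and comment on PRs that fix an open alert at or above a CVSS threshold, and separately flags major version bumps so they are never swept up by patch-level auto-merge. It assumes a PAT stored as the secret PAT_TOKEN (required for alert-lookup) and labels named security and major-update already exist in the repository.

```yaml
# Added example (not from the fetch-metadata README): security triage of
# Dependabot PRs using the alert-lookup outputs. Assumes a PAT in the
# secret PAT_TOKEN and pre-existing labels "security" and "major-update".
name: Dependabot security triage
on: pull_request
permissions:
  pull-requests: write
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    # Only run for Dependabot-authored PRs in this repository
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Fetch Dependabot metadata
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v2
        with:
          alert-lookup: true
          github-token: "${{ secrets.PAT_TOKEN }}"

      # cvss is "0" when the PR is not tied to an alert, so the numeric
      # comparison is safe; fromJSON converts the string output to a number.
      - name: Label PRs that fix an open alert with CVSS >= 7.0
        if: ${{ steps.dependabot-metadata.outputs.alert-state == 'OPEN' && fromJSON(steps.dependabot-metadata.outputs.cvss) >= 7.0 }}
        run: |
          gh pr edit "$PR_URL" --add-label "security"
          gh pr comment "$PR_URL" --body "Fixes open alert ${GHSA_ID} (CVSS ${CVSS}); please prioritise review."
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GHSA_ID: ${{ steps.dependabot-metadata.outputs.ghsa-id }}
          CVSS: ${{ steps.dependabot-metadata.outputs.cvss }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Major version bumps get a label so a human reviews them; the
      # auto-merge workflow above only matches semver-patch updates.
      - name: Label major updates for manual review
        if: ${{ steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major' }}
        run: gh pr edit "$PR_URL" --add-label "major-update"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Values are passed to the shell through env rather than interpolated into the run string, so a PR body or output cannot alter the command line.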

Notes for project maintainers:

📖 Release guide

Dependabot PRs

  • We expect Dependabot PRs to be passing CI and have any changes to the dist/ folder built for production dependencies.
  • Some development dependencies may fail the dist/ check if they modify the TypeScript compilation; these should be updated manually via npm run build. See the dependabot-build action for details.

Tagging a new release

Publish a new release by running the Release - Bump Version workflow and following the instructions on the job summary.

In a nutshell the process will be:

  1. Run the action to generate a version bump PR.
  2. Merge the PR.
  3. Tag that merge commit as a new release using the format v1.2.3. The job summary contains a URL pre-populated with the correct version for the title and tag.
  4. Once the release is tagged, another GitHub Action workflow automatically publishes the new version of the immutable action package for this release.
