GitHub - dependabot/fetch-metadata: Extract information about the dependencies being updated by a Dependabot-generated PR. (original) (raw)
Fetch Metadata Action
Name: dependabot/fetch-metadata
Extract information about the dependencies being updated by a Dependabot-generated PR.
Usage instructions
Create a workflow file that contains a step that uses: dependabot/fetch-metadata@v3, e.g.
.github/workflows/dependabot-prs.yml
name: Dependabot Pull Request on: pull_request jobs: dependabot: permissions: pull-requests: read runs-on: ubuntu-latest if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo' steps: - name: Fetch Dependabot metadata id: dependabot-metadata uses: dependabot/fetch-metadata@v3 with: alert-lookup: true compat-lookup: true github-token: "${{ secrets.PAT_TOKEN }}"
Supported inputs are:
github-token(string)- The
GITHUB_TOKENsecret - Defaults to
${{ github.token }} - Note: this must be set to a personal access token (PAT) or an installation access token (App Token) if you enable
alert-lookuporcompat-lookup.
- The
alert-lookup(boolean)- If
true, then populate thealert-state,ghsa-idandcvssoutputs. - Defaults to
false - Note: the
github-tokenfield must be set to a personal access token (PAT) or an installation access token (App Token). For more details, see this
- If
compat-lookup(boolean)- If
true, then populate thecompatibility-scoreoutput. - Defaults to
false - Note: the
github-tokenfield must be set to a personal access token (PAT).
- If
skip-commit-verification(boolean)- If
true, then the action will not expect the commits to have a verification signature. It is required to set this to 'true' in GitHub Enterprise Server - Defaults to
false
- If
skip-verification(boolean)- If
true, the action will not validate the user or the commit verification status - Defaults to
false
- If
Subsequent actions will have access to the following outputs:
steps.dependabot-metadata.outputs.dependency-names- A comma-separated list of the package names updated by the PR.
steps.dependabot-metadata.outputs.dependency-type- The type of dependency has determined this PR to be. Possible values are:
direct:production,direct:developmentandindirect. See the allow documentation for descriptions of each.
- The type of dependency has determined this PR to be. Possible values are:
steps.dependabot-metadata.outputs.update-type- The highest semver change being made by this PR, e.g.
version-update:semver-major. For all possible values, see the ignore documentation.
- The highest semver change being made by this PR, e.g.
steps.dependabot-metadata.outputs.updated-dependencies-json- A JSON string containing the full information about each updated Dependency.
steps.dependabot-metadata.outputs.directory- The
directoryconfiguration that was used by dependabot for this updated Dependency.
- The
steps.dependabot-metadata.outputs.package-ecosystem- The
package-ecosystemconfiguration that was used by dependabot for this updated Dependency.
- The
steps.dependabot-metadata.outputs.target-branch- The
target-branchconfiguration that was used by dependabot for this updated Dependency.
- The
steps.dependabot-metadata.outputs.previous-version- The version that this PR updates the dependency from.
steps.dependabot-metadata.outputs.new-version- The version that this PR updates the dependency to.
steps.dependabot-metadata.outputs.alert-state- If this PR is associated with a security alert and
alert-lookupistrue, this contains the current state of that alert (OPEN, FIXED or DISMISSED).
- If this PR is associated with a security alert and
steps.dependabot-metadata.outputs.ghsa-id- If this PR is associated with a security alert and
alert-lookupistrue, this contains the GHSA-ID of that alert.
- If this PR is associated with a security alert and
steps.dependabot-metadata.outputs.cvss- If this PR is associated with a security alert and
alert-lookupistrue, this contains the CVSS value of that alert (otherwise it contains 0).
- If this PR is associated with a security alert and
steps.dependabot-metadata.outputs.compatibility-score- If this PR has a known compatibility score and
compat-lookupistrue, this contains the compatibility score (otherwise it contains 0).
- If this PR has a known compatibility score and
steps.dependabot-metadata.outputs.maintainer-changes- Whether or not the the body of this PR contains the phrase "Maintainer changes" which is an indicator of whether or not any maintainers have changed.
steps.dependabot-metadata.outputs.dependency-group- The dependency group that the PR is associated with (otherwise it is an empty string).
Note: By default, these outputs will only be populated if the target Pull Request was opened by Dependabot and containsonly Dependabot-created commits. To override, see skip-commit-verification / skip-verification.
This metadata can be used along with Action's expression syntax and the GitHub CLI to create useful automation for your Dependabot PRs.
Note
Workflows triggered by Dependabot on the pull_request event run with a read-only GITHUB_TOKEN and cannot access user-defined repository or organization secrets. The GitHub-provided token is still available, but only with read-only permissions (prefer github.token when referring to that built-in token in examples). If your workflow needs write permissions or access to user-defined secrets, use the pull_request_target event or a separate workflow triggered by workflow_run. The examples below use pull_request_target for this reason.
Auto-approving
Since the dependabot/fetch-metadata Action will set a failure code if it cannot find any metadata, you can have a permissive auto-approval on all Dependabot PRs like so:
Note
The GITHUB_TOKEN approval will come from the github-actions[bot] user. If your branch protection rules use "Require approval of the most recent reviewable push"or restrict which users/teams can provide approving reviews, this approval may not satisfy your merge requirements. In those cases, consider using a PATor GitHub App token instead, but store that credential as a secret, grant it the least privilege needed, and do not expose it to untrusted or PR-controlled code paths. This is especially important for workflows triggered by pull_request_target: do not make such secrets available to steps that run code from the pull request.
name: Dependabot auto-approve
on: pull_request_target
permissions:
pull-requests: write
jobs:
dependabot:
runs-on: ubuntu-latest
# Checking the author will prevent your Action run failing on non-Dependabot PRs
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
steps:
- name: Dependabot metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v3
- uses: actions/checkout@v4
- name: Approve a PR if not already approved
run: |
gh pr checkout "$PR_URL" # sets the upstream metadata for gh pr status
if [ "$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)" != "APPROVED" ];
then gh pr review --approve "$PR_URL"
else echo "PR already approved, skipping additional approvals to minimize emails/notification noise.";
fi
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
Enabling auto-merge
If you are using the auto-merge feature on your repository, you can set up an action that will enable Dependabot PRs to merge once CI and other branch protection rules are met. Enabling auto-merge requires write permissions on the repository. When using pull_request_target, the GITHUB_TOKEN has read/write access and satisfies this requirement when configured with contents: write and pull-requests: write.
For example, if you want to automatically merge all patch updates to Rails:
name: Dependabot auto-merge on: pull_request_target permissions: pull-requests: write contents: write jobs: dependabot: runs-on: ubuntu-latest if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo' steps: - name: Dependabot metadata id: dependabot-metadata uses: dependabot/fetch-metadata@v3 - name: Enable auto-merge for Dependabot PRs if: ${{contains(steps.dependabot-metadata.outputs.dependency-names, 'rails') && steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch'}} run: gh pr merge --auto --merge "${{github.event.pull_request.html_url}}" env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
Labelling
If you have other automation or triage workflows based on GitHub labels, you can configure an action to assign these based on the metadata.
For example, if you want to flag all production dependency updates with a label:
name: Dependabot auto-label on: pull_request_target permissions: pull-requests: write issues: write repository-projects: write jobs: dependabot: runs-on: ubuntu-latest if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo' steps: - name: Dependabot metadata id: dependabot-metadata uses: dependabot/fetch-metadata@v3 - name: Add a label for all production dependencies if: ${{ steps.dependabot-metadata.outputs.dependency-type == 'direct:production' }} run: gh pr edit "${{github.event.pull_request.html_url}}" --add-label "production" env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
Use with App Token
First, create a GitHub App and set the appropriate permissions.
For example, to use the features below, the minimum permissions required for the GitHub App are as follows:
alert-lookup:Dependabot alerts: Read only
Please add any necessary permissions for your job as needed.
The following is an example of using an installation access token (App Token) in github-token.
on: pull_request jobs: dependabot: runs-on: ubuntu-latest if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo' steps: - uses: actions/create-github-app-token@v2 id: app-token with: # Store these as repository or organization GitHub Dependabot secrets # (e.g. Settings → Secrets and variables → Dependabot → GH_APP_ID, GH_APP_PRIVATE_KEY) app-id: ${{ secrets.GH_APP_ID }} # GitHub App ID private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} # GitHub App Private key
- name: Dependabot metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v3
with:
github-token: ${{ steps.app-token.outputs.token }}
alert-lookup: trueNotes for project maintainers:
📖 Release guide
- We expect Dependabot PRs to be passing CI and have any changes to the
dist/folder built for production dependencies - Some development dependencies may fail the
dist/check if they modify the TypeScript compilation, these should be updated manually vianpm run build. See the dependabot-build action for details.
Tagging a new release
Publish a new release by running the Release - Bump Version workflow and following the instructions on the job summary.
In a nutshell the process will be:
- Run the action to generate a version bump PR.
- Merge the PR.
- Tag that merge commit as a new release using the format
v1.2.3. The job summary contains a URL pre-populated with the correct version for the title and tag. - Once the release is tagged, another GitHub Action workflow automatically publishes the new version of the immutable action package for this release.