This guide provides detailed instructions for setting up Dependabot version updates, along with automatic approval and merging of Dependabot pull requests, in a GitHub repository belonging to the WP Training Team GitHub organization.
This guide is only required for any GitHub repositories that don’t already have these files.
Overview
This setup includes three components:
- Dependabot Configuration (.github/dependabot.yml) – Monitors dependencies and creates pull requests when updates are available
- Auto-Approve Workflow (.github/workflows/dependabot-auto-approve.yml) – Automatically approves Dependabot pull requests
- Auto-Merge Workflow (.github/workflows/dependabot-auto-merge.yml) – Automatically enables auto-merge for Dependabot pull requests
To see these files in action, you can refer to the Plugin developer repository.
Preparation
Prerequisites
- A GitHub account
- Git installed on your local machine
Finding the next available repository
- Open the WP Training Team Repositories sheet
- Select a repository to check (one that has no assigned user or status)
- Add your WordPress.org profile name under the Contributor profile name column
- Change the status to Open
- Click on the Repository URL to open the GitHub repository
Determine if the repository uses npm, Composer, or both
Check the repository for package.json files (indicating npm dependencies) and/or composer.json files (indicating Composer dependencies), including in subdirectories. Ignore any copies inside node_modules or vendor directories: those belong to installed third-party packages, not to the repository itself. The manifests you find determine which update blocks to include in the dependabot.yml file and which directory values to use.
If none of these files are present, the repository does not need a Dependabot configuration. In that case, open the WP Training Team Repositories sheet, change the status to Checked, and try another repository.
Determine the GitHub user to assign workflows to
Each Dependabot pull request is assigned to a single GitHub user through the assignees setting in dependabot.yml, so that a person is responsible for the updates the auto-approve and auto-merge workflows process. For the purposes of these workflows, use either the person who has committed the most code to the repository or the person who committed most recently. You can find this information by navigating to the repository on GitHub, clicking on the “Insights” tab, and then selecting “Contributors” from the left sidebar.
If you are not sure, check with one of the Training Team reps.
Getting Started
Step 1: Fork the Repository
- Navigate to the repository on GitHub where you want to add these configurations
- Click the Fork button in the top-right corner
- Select your GitHub account as the destination for the fork
Step 2: Clone Your Fork Locally
git clone https://github.com/YOUR_USERNAME/REPOSITORY_NAME.git
cd REPOSITORY_NAME
Replace YOUR_USERNAME with your GitHub username and REPOSITORY_NAME with the name of the repository.
Step 3: Create a New Branch
git checkout -b add-dependabot-workflows
You can use any descriptive branch name you prefer.
Creating the Dependabot Configuration
Step 1: Create the .github Directory (if it doesn’t exist)
mkdir -p .github
Step 2: Create the dependabot.yml File
Create a new file at .github/dependabot.yml:
touch .github/dependabot.yml
Step 3: Add the Configuration
Open .github/dependabot.yml in your text editor and add the appropriate configuration based on your dependency type (see Examples section below).
Examples for Different Dependency Types
Important Notes:
- When specifying the directory, make sure to adjust the path according to where your dependency files are located in your repository. For example, if your package.json or composer.json files are in the root directory, use "/". If they are in a subdirectory, specify that path (e.g., "/subdirectory-name").
- Under the assignees section, replace GITHUB_USERNAME with the GitHub username of the person you determined in the preparation step.
Example 1: npm Dependencies Only
If your repository has npm dependencies (i.e., package.json files), use this configuration in .github/dependabot.yml:
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
version: 2
updates:
  # Enable version updates for npm
  - package-ecosystem: "npm"
    # Look for `package.json` and `lock` files in the root directory
    directory: "/"
    # Check the npm registry for updates every week
    schedule:
      interval: "weekly"
    # Raise all npm pull requests with assignees
    assignees:
      - "GITHUB_USERNAME"
For npm dependencies in subdirectories, add additional update blocks:
version: 2
updates:
  # Enable version updates for npm in the root directory
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    assignees:
      - "GITHUB_USERNAME"
  # Enable version updates for npm in a subdirectory
  - package-ecosystem: "npm"
    directory: "/subdirectory-name"
    schedule:
      interval: "weekly"
    assignees:
      - "GITHUB_USERNAME"
Example 2: Composer Dependencies Only
If your repository has composer dependencies (i.e., composer.json files), use this configuration in .github/dependabot.yml:
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
version: 2
updates:
  # Enable version updates for composer
  - package-ecosystem: "composer"
    # Look for `composer.json` and `composer.lock` files in the root directory
    directory: "/"
    # Check for updates every week
    schedule:
      interval: "weekly"
    # Raise all composer pull requests with assignees
    assignees:
      - "GITHUB_USERNAME"
Example 3: Both npm and Composer Dependencies
If your repository has both npm and composer dependencies, combine both configurations in .github/dependabot.yml:
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
version: 2
updates:
  # Enable version updates for npm
  - package-ecosystem: "npm"
    # Look for `package.json` and `lock` files in the root directory
    directory: "/"
    # Check the npm registry for updates every week
    schedule:
      interval: "weekly"
    # Raise all npm pull requests with assignees
    assignees:
      - "GITHUB_USERNAME"
  # Enable version updates for composer
  - package-ecosystem: "composer"
    # Look for `composer.json` and `composer.lock` files in the root directory
    directory: "/"
    # Check for updates every week
    schedule:
      interval: "weekly"
    # Raise all composer pull requests with assignees
    assignees:
      - "GITHUB_USERNAME"
For multiple directories with different package managers, you can mix and match:
version: 2
updates:
  # npm in subdirectory 1
  - package-ecosystem: "npm"
    directory: "/subdirectory-1"
    schedule:
      interval: "weekly"
    assignees:
      - "GITHUB_USERNAME"
  # npm in subdirectory 2
  - package-ecosystem: "npm"
    directory: "/subdirectory-2"
    schedule:
      interval: "weekly"
    assignees:
      - "GITHUB_USERNAME"
  # Composer in root directory
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "weekly"
    assignees:
      - "GITHUB_USERNAME"
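As an added example (not part of the original guide or of any Training Team repository), the following POSIX shell script automates the manifest check from the Preparation section and prints a dependabot.yml for whatever mix of root and subdirectory manifests it finds, in the same shape as the configurations above. It assumes it is run with the path of a checkout and the assignee's GitHub username as arguments; the script and function names are invented for this example.

```shell
#!/bin/sh
# Added example (not part of the original guide): find every package.json and
# composer.json in a checkout, skipping installed dependency trees, and print
# the matching dependabot.yml so it can be reviewed before being committed.
# Assumed usage:  sh find-manifests.sh /path/to/checkout GITHUB_USERNAME

# Print the Dependabot "directory" value for each manifest of one ecosystem,
# one per line, sorted. $1 = repository root, $2 = manifest file name.
manifest_dirs() {
  root=${1%/}   # strip a trailing slash so the prefix removal below works
  manifest=$2
  # node_modules and vendor hold third-party packages with their own
  # manifests; those are not this repository's dependencies, so prune them.
  find "$root" -type d \( -name node_modules -o -name vendor -o -name .git \) -prune \
       -o -type f -name "$manifest" -print |
  while IFS= read -r path; do
    dir=$(dirname "$path")
    rel=${dir#"$root"}
    # Dependabot expects "/" for the root and "/sub/dir" for subdirectories.
    [ -n "$rel" ] || rel="/"
    printf '%s\n' "$rel"
  done | sort -u
}

# Print a complete dependabot.yml for the checkout at $1 with assignee $2.
# Returns 1 (and prints nothing on stdout) if no npm or Composer manifest was
# found, which is the "change the status to Checked" case from the guide.
generate_dependabot_yml() {
  root=$1
  assignee=$2
  entries=$(
    manifest_dirs "$root" package.json | sed 's/^/npm /'
    manifest_dirs "$root" composer.json | sed 's/^/composer /'
  )
  if [ -z "$entries" ]; then
    echo "no package.json or composer.json found under $root" >&2
    return 1
  fi
  printf 'version: 2\nupdates:\n'
  printf '%s\n' "$entries" | while read -r ecosystem dir; do
    printf '  # %s manifest in %s\n' "$ecosystem" "$dir"
    printf '  - package-ecosystem: "%s"\n' "$ecosystem"
    printf '    directory: "%s"\n' "$dir"
    printf '    schedule:\n      interval: "weekly"\n'
    printf '    assignees:\n      - "%s"\n' "$assignee"
  done
}

# Only act as a command-line tool when both arguments were given.
if [ $# -ge 2 ]; then
  generate_dependabot_yml "$1" "$2"
fi
```

Redirect the output into .github/dependabot.yml only after reading it: a manifest in an unexpected subdirectory (a test fixture, a build helper) deserves a deliberate decision rather than an automatic weekly pull request.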
Creating the Auto-Approve Workflow
Step 1: Create the Workflows Directory (if it doesn’t exist)
mkdir -p .github/workflows
Step 2: Create the Auto-Approve Workflow File
Create a new file at .github/workflows/dependabot-auto-approve.yml:
touch .github/workflows/dependabot-auto-approve.yml
Step 3: Add the Workflow Configuration
Open .github/workflows/dependabot-auto-approve.yml in your text editor and add the following content:
name: Dependabot Auto-Approve
on: pull_request
# Workflows triggered by Dependabot get a read-only GITHUB_TOKEN unless the
# workflow asks for more, so the write permission must be declared here.
permissions:
  pull-requests: write
jobs:
  dependabot-approve:
    runs-on: ubuntu-latest
    # Only run for pull requests opened by Dependabot itself
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Approve Dependabot PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Creating the Auto-Merge Workflow
Step 1: Create the Auto-Merge Workflow File
Create a new file at .github/workflows/dependabot-auto-merge.yml:
touch .github/workflows/dependabot-auto-merge.yml
Step 2: Add the Workflow Configuration
Open .github/workflows/dependabot-auto-merge.yml in your text editor and add the following content. Enabling auto-merge does not merge the pull request on the spot: GitHub merges it once the target branch's protection rules (required status checks and reviews) are satisfied, so the repository's CI should be a required status check on that branch and "Allow auto-merge" must be turned on in the repository settings. As written, the workflow enables auto-merge for every Dependabot pull request, including major version bumps; the metadata step fetches the update type if you want to restrict that.
name: Dependabot Auto-Merge
on: pull_request
# Explicit write permissions are required: Dependabot-triggered workflows
# otherwise receive a read-only GITHUB_TOKEN.
permissions:
  contents: write
  pull-requests: write
jobs:
  dependabot-auto-merge:
    runs-on: ubuntu-latest
    # Only run for pull requests opened by Dependabot itself
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Enable auto-merge for Dependabot PRs
        # --auto defers the merge until branch protection is satisfied
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
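Both workflows fetch Dependabot metadata and then never use it. As an added example (not code from the guide or from any Training Team repository), the shell below could replace the body of the "Enable auto-merge for Dependabot PRs" run: step so that auto-merge is enabled only for patch updates and for minor updates of non-production dependencies, while major bumps and minor bumps of production dependencies wait for a person. It assumes the step's env: block also passes UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }} and DEPENDENCY_TYPE: ${{ steps.metadata.outputs.dependency-type }}, which are outputs dependabot/fetch-metadata does provide; the DRY_RUN variable and the function names are invented for this example.

```shell
#!/bin/sh
# Added example (not part of the original guide): a merge policy for the
# auto-merge step that uses the dependabot/fetch-metadata outputs instead of
# enabling auto-merge for every Dependabot pull request.
# Environment assumed to be set by the workflow step's env: block:
#   PR_URL          ${{ github.event.pull_request.html_url }}
#   GH_TOKEN        ${{ secrets.GITHUB_TOKEN }}
#   UPDATE_TYPE     ${{ steps.metadata.outputs.update-type }}
#   DEPENDENCY_TYPE ${{ steps.metadata.outputs.dependency-type }}
# DRY_RUN=1 (invented for local testing) prints the gh command instead of
# running it.

# Decide whether a Dependabot pull request may be merged without a human
# review. $1 = update-type, $2 = dependency-type. Prints the reason and
# returns 0 to allow auto-merge, 1 to require review.
automerge_allowed() {
  update=$1
  deptype=$2
  case "$update" in
    version-update:semver-patch)
      # Patch releases of any dependency: merge once CI is green.
      echo "patch update ($deptype): auto-merge"
      return 0 ;;
    version-update:semver-minor)
      # A minor bump of a runtime dependency changes the code that ships,
      # so only dev and indirect dependencies are merged automatically.
      case "$deptype" in
        direct:production)
          echo "minor update of a production dependency: needs review"
          return 1 ;;
        *)
          echo "minor update ($deptype): auto-merge"
          return 0 ;;
      esac ;;
    version-update:semver-major)
      echo "major update: needs review"
      return 1 ;;
    *)
      # Empty or unrecognised (for example a non-semver version): fail closed.
      echo "unrecognised update type '$update': needs review"
      return 1 ;;
  esac
}

# The step body: apply the policy, then enable auto-merge only when allowed.
run_automerge_step() {
  if automerge_allowed "${UPDATE_TYPE:-}" "${DEPENDENCY_TYPE:-}"; then
    if [ "${DRY_RUN:-0}" = "1" ]; then
      echo "would run: gh pr merge --auto --merge $PR_URL"
    else
      gh pr merge --auto --merge "$PR_URL"
    fi
  fi
}

# Inside the workflow PR_URL is always set; when sourced for testing it is not.
if [ -n "${PR_URL:-}" ]; then
  run_automerge_step
fi
```

Failing closed on an unknown update type matters: Dependabot cannot classify every version scheme, and an empty output should never be the reason a change is merged without review.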
Submitting Your Changes
Step 1: Stage and Commit Your Changes
git add .github/dependabot.yml
git add .github/workflows/dependabot-auto-approve.yml
git add .github/workflows/dependabot-auto-merge.yml
git commit -m "Add Dependabot configuration with auto-approve and auto-merge workflows"
Step 2: Push Your Branch
git push origin add-dependabot-workflows
Step 3: Create a Pull Request
- Navigate to your forked repository on GitHub
- You should see a prompt to create a pull request from your recently pushed branch
- Click Compare & pull request
- Fill in the pull request details:
- Title: “Add Dependabot configuration with auto-approve and auto-merge workflows”
- Description: Explain what you’ve added and why
- Click Create pull request
- Open the WP Training Team Repositories sheet and change the status to PR Created
Once the pull request is created, please request a review on the Pull Request from any of the following people:
- @psykro (jonathanbossenger on GitHub)
- @bph (bph on GitHub)
- @devmuhib (devmuhib009 on GitHub)
- @rjekic (rjekic on GitHub)
- @sumitsingh (sumitsinghwp on GitHub)
- @studionashvegas (thatmitchcanter on GitHub)
Step 4: Wait for Review and Merge
Once your pull request is created, maintainers of the WP Training Team organization will review your changes. If approved, they will merge your pull request into the main branch. Once this is complete, open the WP Training Team Repositories sheet and change the status to Merged.