Goodbye Dependabot, Hello Batch Dependency Updates

swyxkit depends on alpha software, primarily SvelteKit, but also has a dozen more dependencies that move on a fairly frequent basis. The problem of keeping dependencies up to date is a pressing one.

The usual answer to this is Dependabot, which is available as a one-click setting inside GitHub. However, it generates a new PR per dependency update, which usually gets fairly annoying.

Fred Schott from Astro recently tweeted about how they do nightly lockfile updates, which seems like a much smarter solution: https://twitter.com/FredKSchott/status/1489287560387956736

I adapted it to make it weekly, and figured I’d share the process.

Step 1 - Add a new GitHub Action.

Pretty much just create a file like this one; GH actions are so easy to make. I modified the cron syntax to only run once a week to limit the number of updates going on.

name: 'Nightly'

on:
  schedule:
    # Runs at 12:00 UTC on Fri.
    - cron:  '0 12 * * 5'
  workflow_dispatch:

jobs:
  lockfile:
    if: github.repository_owner == 'sw-yx'
    runs-on: ubuntu-latest
    steps:
      
      - name: Check out code using Git
        uses: actions/checkout@v2
      
      - name: Set Node version to 16
        uses: actions/setup-node@v2
        with:
          node-version: 16
          cache: 'npm'
      
      - name: Clear lockfile
        run: rm -rf package-lock.json node_modules 
      
      - name: Install dependencies
        run: npm install --ignore-engines --ignore-scripts
      
      - name: Create Pull Request
        id: createpr
        uses: peter-evans/create-pull-request@v3
        with:
          token: ${{ secrets.NIGHTLY_PERSONAL_GITHUB_TOKEN }}
          commit-message: '[ci] update lockfile'
          title: '[ci] update lockfile'
          body: >
            This PR is auto-generated by a nightly GitHub action. 
            It should automatically be merged if tests pass.
      
      - name: Mark Pull Request for Auto-Merge
        if: steps.createpr.outputs.pull-request-operation == 'created'
        uses: peter-evans/enable-pull-request-automerge@v1
        with:
          token: ${{ secrets.NIGHTLY_PERSONAL_GITHUB_TOKEN }}
          pull-request-number: ${{ steps.createpr.outputs.pull-request-number }}
          merge-method: squash

Step 2 - Create your token

Notice that the workflow depends on a NIGHTLY_PERSONAL_GITHUB_TOKEN secret. You can create the token here: https://github.com/settings/tokens

Then enter it as a secret in your project.
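Because the workflow above regenerates the whole lockfile and marks the PR for auto-merge, it helps to see exactly what one batch changed. The following is an added example, not code from the original post: it compares the old and new package-lock.json and flags entries that resolve outside the registry, lack an integrity hash, or change hash without changing version. The function names, the sample lockfiles and the assumption that every package should come from the public npm registry are illustrative.

```javascript
// Added example (not from the original post). Works on lockfileVersion 2/3,
// which list every installed package under "packages", keyed by install path.
const REGISTRY = 'https://registry.npmjs.org/'; // assumption: public registry only

function diffLockfiles(oldLock, newLock, registry = REGISTRY) {
  const before = oldLock.packages || {};
  const after = newLock.packages || {};
  const report = { added: [], removed: [], changed: [], flagged: [] };
  for (const [path, pkg] of Object.entries(after)) {
    if (path === '') continue; // "" is the root project, not a dependency
    const prev = before[path];
    if (!prev) {
      report.added.push(`${path}@${pkg.version}`);
    } else if (prev.version !== pkg.version) {
      report.changed.push(`${path}: ${prev.version} -> ${pkg.version}`);
    } else if (prev.integrity !== pkg.integrity) {
      // Same version but a different hash: the tarball contents differ.
      report.flagged.push(`${path}: integrity changed at same version`);
    }
    if (pkg.link || pkg.inBundle) continue; // no tarball of their own
    if (!pkg.resolved || !pkg.resolved.startsWith(registry)) {
      report.flagged.push(`${path}: not resolved from ${registry}`);
    }
    if (!pkg.integrity) report.flagged.push(`${path}: no integrity hash`);
  }
  for (const path of Object.keys(before)) {
    if (path !== '' && !(path in after)) report.removed.push(path);
  }
  return report;
}

// Hold the pull request for manual review when anything was flagged.
const needsManualReview = (report) => report.flagged.length > 0;

// Constructed sample lockfiles (hashes are placeholders, not real values).
const entry = (version, resolved, integrity) => ({ version, resolved, integrity });
const SAMPLE_OLD = { lockfileVersion: 2, packages: {
  '': { name: 'demo' },
  'node_modules/left': entry('1.0.0', REGISTRY + 'left/-/left-1.0.0.tgz', 'sha512-AAA'),
  'node_modules/same': entry('2.0.0', REGISTRY + 'same/-/same-2.0.0.tgz', 'sha512-BBB'),
  'node_modules/gone': entry('3.0.0', REGISTRY + 'gone/-/gone-3.0.0.tgz', 'sha512-CCC'),
} };
const SAMPLE_NEW = { lockfileVersion: 2, packages: {
  '': { name: 'demo' },
  'node_modules/left': entry('1.1.0', REGISTRY + 'left/-/left-1.1.0.tgz', 'sha512-DDD'),
  'node_modules/same': entry('2.0.0', REGISTRY + 'same/-/same-2.0.0.tgz', 'sha512-EEE'),
  'node_modules/fresh': entry('0.1.0', 'https://example.invalid/fresh-0.1.0.tgz', 'sha512-FFF'),
} };
console.log(diffLockfiles(SAMPLE_OLD, SAMPLE_NEW));
```

On real files, pass the parsed package-lock.json from the base branch and from the generated PR branch.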


    Tagged in: #dx #github
