when this plugin is triggered with the following yaml:

name: auto-merge

on:
  pull_request_target:

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ahmadnassri/[email protected]
        with:
          github-token: ${{ secrets.token }}
          target: minor

it shows the following output:

Error: action triggered outside of a pull_request

Please give support for pull_request_target.

Motivation:
actions triggered from a dependabot PR are not using secrets unless you change pull_request to pull_request_target
https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

(this only work for GITHUB_TOKEN and not for personal access token)

https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/

Starting March 1st, 2021 workflow runs that are triggered by a pull request from Dependabot will be treated as if they were opened from a repository fork. This means they will receive a read-only GITHUB_TOKEN and will not have access to any secrets available in the repository. This will cause any workflows that attempt to write to the repository to fail.

If your workflow needs to have a write token, you can use the pull_request_target event; however, this is not viable for public repositories due to security risks

I have not seen any success with pull_request_target simply because no dependabot PRs has landed on my private repos since I changed to using pull_request_target but will update this issue and the README if I can validate them working...

pull_request_target might be acceptable for private repos... but I don't believe that will be good enough for public ones.

Hi,

really wondering why the auto-merge action ends with a manual merging required message on an semver:path updatet_type, dispite the configuration to allow semver:minor update_types in auto-merge.yml.

auto-merge.yml file content is

- match:
      dependency_type: all
      update_type: semver:minor # includes patch updates!

dependabot.yml file content is

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/cdk"
    schedule:
      interval: "weekly"
    versioning-strategy: auto
    labels:
      - "dependencies"
    allow:
      - dependency-type: "all"

.workflows/automerge-dependabot.yml file content is

name: Auto-approve Dependabot
on:
  pull_request:
    types:
      - labeled
      - opened
      - ready_for_review
      - reopened
      - synchronize
      - unlabeled
      - unlocked
jobs:
  auto-approve:
    runs-on: ubuntu-latest
    steps:
      - uses: hmarr/auto-approve-action@7782c7e2bdf62b4d79bdcded8332808fd2f179cd
        if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'dependabot-preview[bot]'
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
  auto-merge:
    # see .github/auto-merge.yml for match configuration
    runs-on: ubuntu-latest
    steps:
      - uses: ahmadnassri/action-dependabot-auto-merge@v2
        with:
          github-token: ${{ secrets.DEPENDABOT_TOKEN }}

Action's output is

using workflow's "target": 
- match:
    dependency_type: all
    update_type: 'semver:patch'

title: "Bump v8-to-istanbul from 7.0.0 to 7.1.0 in /cdk"
depName: v8-to-istanbul
from: 7.0.0
to: 7.1.0
dependency type: production
security critical: false
config: all:semver:patch
manual merging required

could a tiny typo or whitespace issue cause that anomaly?

https://github.com/marketplace/actions/dependabot-auto-merge

The badge and https://github.com/ahmadnassri/action-dependabot-auto-merge/releases shows v2.3.1 as the latest version but on the Github marketplace it says 2.2.0.

Is it possible to use the github provided token (instead of a PAT) with permissions (for a privately hosted repository using pull_request_target)? If so, what are the permissions that are required?

I would like to use this action to approve and merge dependabot PRs once the rest of my CI checks pass. Note that some of my CI checks are not actions.

See https://github.com/mdn/yari/pull/1152/checks?check_run_id=1012806139
on this PR

Run ahmadnassri/action-dependabot-auto-merge@v1
/usr/bin/docker run --name ahmadnassriactiondependabotautomergev1_4f96b1 --label 8118cb --workdir /github/workspace --rm -e INPUT_GITHUB-TOKEN -e INPUT_TARGET -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/yari/yari":"/github/workspace" ahmadnassri/action-dependabot-auto-merge:v1
title: "Bump mdn-browser-compat-data from 1.0.34 to 1.0.35"
from: 1.0.34
to: 1.0.35
dependency update target is "patch", found "patch", will auto-merge
##[error]Unhandled error: TypeError: Cannot read property 'owner' of undefined

The workflow is here: https://github.com/mdn/yari/blob/master/.github/workflows/auto-merge.yml

I was trying to implement action-dependabot-auto-merge github action to automatically merge pull request in github for one of my repo

This is my workflow file

name: auto-merge

on:
  pull_request:

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ahmadnassri/action-dependabot-auto-merge@v2
        with:
          github-token: ${{ secrets.BLENDTALE_GITHUB_BOT }}

But for some reason, it isn't merging in master. git shows that action ran successfully.

Any idea what I might be doing wrong?

Is there a way to get dependabot to use the "rebase and merge" strategy when auto merging so that merge commit messages aren't created? I can't seem to find a config option in dependabot for this.

All of a sudden I've been getting this error.

/action/node_modules/@actions/core/lib/core.js:94
        throw new Error(`Input required and not supplied: ${name}`);
              ^

Error: Input required and not supplied: github-token
    at Object.getInput (/action/node_modules/@actions/core/lib/core.js:94:15)
    at file:///action/index.js:28:15
    at ModuleJob.run (node:internal/modules/esm/module_job:154:23)
    at async Loader.import (node:internal/modules/esm/loader:166:24)
    at async Object.loadESM (node:internal/process/esm_loader:68:5)

E.g. https://github.com/mdn/content/pull/2964/checks?check_run_id=2066177430

I haven't touched my personal access tokens. And auto-merge hasn't been upgraded on the project in 3 months.
It just stopped working today all of a sudden.
Sample PR: mdn/content#2964

I don't know if it's a bug or user-error. Or a problem with GitHub Actions changing under our feet.

I did try generating a new access token (using the public_repo scope) to see if that would make it work. But arguably, it's a long shot because the error says the token isn't supplied.

 using workflow's "target": 
- match:
    dependency_type: all
    update_type: 'semver:minor'

title: "Bump ahmadnassri/action-dependabot-auto-merge from v2.1.4 to v2.2"
depName: ahmadnassri/action-dependabot-auto-merge
Warning: failed to parse title: no recognizable versions

From https://github.com/mdn/yari/pull/1514/checks?check_run_id=1290814201
and https://github.com/mdn/content/pull/56/checks?check_run_id=1290858376

There's definitely a from part in the title this time.

Is this perhaps something that was fixed in >2.1.4.

https://github.com/ioBroker/create-adapter/pull/593/checks?check_run_id=1191533085
Is there a way to pin actions to a specific version instead of just @v2 in order to avoid such issues in the future?

Log output:

loaded merge config: 
- match:
  dependency_type: development
  update_type: "semver:minor"
- match:
  dependency_type: production
  update_type: "security:minor"
- match:
  dependency_type: production
  update_type: "semver:patch"

title: "chore(deps-dev): bump @types/eslint from 7.2.2 to 7.2.3"
depName: @types/eslint
from: 7.2.2
to: 7.2.3
dependency type: development
security critical: false
Error: Cannot read property 'dependency_name' of null
TypeError: Cannot read property 'dependency_name' of null
    at default (file:///action/lib/parse.js:85:25)
    at default (file:///action/lib/index.js:20:19)
    at file:///action/index.js:51:7
    at ModuleJob.run (internal/modules/esm/module_job.js:140:23)
    at async Loader.import (internal/modules/esm/loader.js:165:24)
    at async Object.loadESM (internal/process/esm_loader.js:68:5)

In the README it's documented that approve defaults to true. However, I can't find this in the source code. To me it looks like it defaults to false. Is the documentation wrong or did I look in the wrong place?

Also, it looks like the action either approves or comments, not both. Is this correct? Am I supposed to run the action twice once to approve and once to comment?

Parsing the version from the dependabot docker image tags would be useful, but it does seem like it would require more work. One nice observation is that many of the official images have a tag scheme like:

SEMVER-stuff

https://github.com/docker-library/official-images#tags-and-aliases

I think it would be reasonable to fail parsing if no obvious version could be detected.

Here is an example PR: synclounge/syncloungeserver#63

https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/

There is a new trigger pull_request_target that allows to run actions in the base repo, even if the PR originates from a fork. This way, the action has access to the necessary secret and should not fail like it currently does on any foreign PR:
https://github.com/AlCalzone/node-zwave-js/pull/977/checks?check_run_id=1133804030

From the logs of a recent Dependabot PR that wasn't auto-merged:

title: "chore (deps): bump sample-dependency from 44.20210909.000327 to 44.20210909.015556"
depName: sample-dependency
from: 44.20210909.0
to: 44.20210909.0
dependency type: production
security critical: false
config: production:semver:patch
Warning: no version range detected in PR title
config: production:security:patch
config: sample-dependency:semver:minor
Warning: no version range detected in PR title
manual merging required

(changed name of dependency manually for the ticket)

The PR title contains a version range, however the commit title does not, it's just:

chore (deps): bump sample-dependency 

Not sure why it wouldn't merge the PR as it also clearly was able to detect both from from: and to: version and detect that it was a minor bump.

🚨 The automated release from the master branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you could benefit from your bug fixes and new features.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can resolve this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the master branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here is some links that can help you:

• Usage documentation
• Frequently Asked Questions
• Support channels

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.

Missing package.json file.

A package.json file at the root of your project is required to release on npm.

Please follow the npm guideline to create a valid package.json file.

Good luck with your project ✨

Your semantic-release bot 📦🚀

This action correctly makes a comment "@dependabot merge", however Dependabot responds with "Sorry, only users with push access can use that command."

I'm guessing the answer is yes but I want to be absolutely sure.
Sorry if this is more of a support question than an actual issue, but to remedy that: The README doesn't mention if this depends on CI passing entirely. :)

I have a need for triggering an auto-merge after another workflow is complete, which can be done with workflow_run. However, this isn't a supported Event type, only pull_request, pull_request_target therefore it errors:

Error: action triggered outside of a pull_request

And would like additional support.

Here is yml file for workflow:

name: Dependabot Automerge
on:
  workflow_run:
    workflows: ['CI']
    types:
      - completed

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    steps:
      - uses: actions/checkout@v2

      - uses: ahmadnassri/action-dependabot-auto-merge@v2
        with:
          target: minor
          github-token: ${{ secrets.token }}

I am using "GitHub Action: Dependabot Auto Merge" and it looks like the action sends a "@dependabot merge" comment to a PR discussion. Unfortunately, dependabot is not able to merge because it tells me that it does not have push access.

Is there a setting that I am missing?

Screenshot

I'm looking for a way to replace the missing auto-merge functionality from dependabot, so your project is a godsend.
However its missing a crucial feature for me. In the old dependabot I could configure production and dev dependencies differently. I had it configured the following way:

• auto-merge patch updates to production dependencies
• auto-merge minor updates to dev dependencies
• auto-merge minor and patch security fixes

It would be great if you could add this feature :)

Can I auto merge only Pull Request that target a specific branch?

Use case:

I have staging branch I want all Pull Requests open by dependabot to be auto-merged when the CI (tests) is green.

First...this is a terrific Github action, and I look forward to continuing to see it evolve. That said, it does not flex sufficiently to deal with a variety of semver-derived version formats. You can say “hey, it’s not in the correct semver format”, and you’re right. 😄 But the reality is many developers (myself included) will use variations of semver for various reasons.

For example:

v1.2.3

is a very common version string. This creates a real problem for many users, and in glancing through your code:

you exit out when you can’t parse it to a canonical semver. I’d argue the right thing for the user is to attempt to parse it and if it’s one of the more common formats (e.g. v1.2.3), you should accept, not reject it. In short: if you can determine intent, the action should continue executing the action, not produce a warning and error out.

Otherwise, this terrific Github action is going to be of limited utility to a significant number of people because it doesn’t in fact auto-merge all the dependencies it should.

As an example of the above, setup-node, an incredibly common Github action that’s used pretty ubiquitously for many and it uses the v1.2.3 format:

https://github.com/actions/setup-node/releases

I saw this was discussed to some degree in #16 but I believe it warranted it’s own issue since the “fix” there is definitely not the expected behavior I, or I imagine many people, would expect here.

The right answer, I would argue is that it’s very clear what the version major, minor, and patch level is, and auto-merge should accept it, without complaining, and continue to execute the action.

@ahmadnassri I am using it in a Xamarin development that must run on macOS machines and this action is preventing me from running the workflow correctly.

Is this the case? Is there a way to solve it?

In fact, reading the documentation, it does not say anywhere that this action is not cross-platform.

Dependabot appears to have an issue with bumping to a pre-release version all of a sudden, and this is being exasberated by the fact that the Github action approves it too.

# merge minor development dependency updates
- match:
    dependency_type: development
    update_type: semver:minor # includes patch updates!

# merge patch production and security dependency updates
- match:
    dependency_type: production
    update_type: semver:minor

- match:
    dependency_type: production
    update_type: security:minor

title: "chore (deps): bump sample-gem from 6.1.0 to 6.2.0.pre.13056"
depName: sample-gem
from: 6.1.0
to: 6.2.0
dependency type: production
security critical: false
config: production:semver:minor
production:semver:minor detected, will auto-merge

Not sure if that's something that the GH action has control over because to: is clearly identified wrong, but still wanted to raise this, at minimum for awareness.

I was wondering about the fact how this GitHub Action actually work.

You mention in the readme: Note: Dependabot will wait until all your status checks pass before merging. This is a function of Dependabot itself, and not this Action.

I did some research about what this actually means; I wonder if you can kindly confirm my findings:

If this GitHub Actions issues a @dependabot merge comment, dependabot then waits for any GitHub Check visible in "Checks" tab on every PR before it actually merges (it's a feature of dependabot). This is a automatic for all GitHub Actions as they implicitly integrate with Checks API. But any 3rd party GitHub App that is part of repository's CI, but doesn't integrate with Checks API - dependabot will not wait for them and merges as soon as all Checks under PR's Checks reports success. Am I right in my assumptions?

Thank you!

With v2.0.2, the action now does what it is supposed to do, but looking at my logs, it still falls back to the default config (using workflow's "target") instead of reading .github/auto-merge.yml.

Any idea what might be causing this?

Hello,

when I set update_type as security:patch the auto merging doesn't work and it says manual merging required.

loaded merge config: 
# Fine-grained configuration

- match:
    dependency_type: all
    update_type: security:patch # includes patch updates!

title: "Bump axios from 0.21.0 to 0.21.1 in /npmfolder"
depName: axios
from: 0.21.0
to: 0.21.1
dependency type: production
security critical: false
config: all:security:patch
manual merging required

Here is how my workflow file looks like:

name: auto-merge

on:
  pull_request:

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ahmadnassri/action-dependabot-auto-merge@v2
        with:
          github-token: ${{ secrets.mytoken }}

and here the config file:

# Fine-grained configuration

- match:
    dependency_type: all
    update_type: security:patch # includes patch updates!

Do you know what the problem could be?
I saw someone else had the same problem a few months ago in this issue: #18. There it seemed to have been a problem with the version of the Github Action. I'm using v2. I also tried v2.3.0 with no success.

Update: I saw now in the description of the action on the Github marketplace site that if the config is not update_type: all or update_type: semver:all the action falls back to manual merging. Can you explain to me why it's not possible for security:patch? Or will this be added in the future?

Thanks in advance!

Hello,

I've moved to the v2.0.1 of your action and I'm getting now this strange behaviour.

The target is set to minor, however when it finds a minor upgrade it doesn't merge it and says manual merging required.

Could you please let me know what's wrong?

 Run ahmadnassri/[email protected]
    approve: true
Run ahmadnassri/[email protected]
  with:
    target: minor
    github-token: ***
    command: merge
    approve: true
/usr/bin/docker run --name ahmadnassriactiondependabotautomergev2_7f5454 --label 3b3ac6 --workdir /github/workspace --rm -e INPUT_TARGET -e INPUT_GITHUB-TOKEN -e INPUT_COMMAND -e INPUT_APPROVE -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/BucketNetting/BucketNetting":"/github/workspace" ahmadnassri/action-dependabot-auto-merge:v2
using workflow's "target": 
- match:
    dependency_type: all
    update_type: 'semver:minor'

title: "Bump @babel/preset-env from 7.4.4 to 7.11.5 in /js"
depName: @babel/preset-env
from: 7.4.4
to: 7.11.5
dependency type: production
security critical: false
manual merging required

using workflow's "target": 
- match:
    dependency_type: all
    update_type: 'semver:minor'

title: "Update actions/setup-node requirement to v2.1.2"
depName: undefined
Warning: failed to parse title: could not detect dependency name

Here's the failing auto-merge run
Here's the PR itself

That depName: undefined looks suspiciously like a bug and the PR itself is pretty sane. So perhaps the mistake is that the it bailed and just did a warning.

Our devDependencies are NOT recognized as dependency type: development.

Extract from package.json:

  "devDependencies": {
    "@testing-library/react-hooks": "^5.1.3",
    "serve": "^11.3.2"
  }

And output from the GithubAction:

loaded merge config: 
- match:
    dependency_type: development
    update_type: all

- match:
    dependency_type: production
    update_type: security:minor

- match:
    dependency_type: production
    update_type: semver:minor
title: "Bump @testing-library/react-hooks from 5.1.3 to 7.0.2 in /frontend"
depName: @testing-library/react-hooks
from: 5.1.3
to: 7.0.2
dependency type: production
security critical: false
config: production:security:minor
config: production:semver:minor
manual merging required

and

loaded merge config: 
- match:
    dependency_type: development
    update_type: all

- match:
    dependency_type: production
    update_type: security:minor

- match:
    dependency_type: production
    update_type: semver:minor
title: "Bump serve from 11.3.2 to 12.0.1 in /frontend"
depName: serve
from: 11.3.2
to: 12.0.1
dependency type: production
security critical: false
config: production:security:minor
config: production:semver:minor
manual merging required

Any suggestions?

The run
The workflow file
The error:

Error: Cannot read property 'dependency_name' of null
TypeError: Cannot read property 'dependency_name' of null
    at default (file:///action/lib/parse.js:94:25)
    at default (file:///action/lib/index.js:20:19)
    at file:///action/index.js:52:7
    at ModuleJob.run (node:internal/modules/esm/module_job:152:23)
    at async Loader.import (node:internal/modules/esm/loader:166:24)
    at async Object.loadESM (node:internal/process/esm_loader:68:5)

Similar to #11, #21, #1…

@ahmadnassri is there a reason we can't just use github-token: ${{ secrets.GITHUB_TOKEN }} directly? (Obviously GITHUB_TOKEN has the correct scopes in my case.)

In the new version, a config file was introduced .github/auto-merge.yml. It would be helpful to have some documentation about what the default state is. For example, it appears that the default state is to not auto merge non security critical updates.

I use version strings that allow for updates to minor versions, such as:

importlib_metadata = { version = "^1.3.0", python = "< 3.8" }

The version restriction is ^1.3.0, a caret version, which allows 1.x major release provided it is equal to 1.3.0 or newer. A related syntax is a ~ tilde version restriction, which pins the minor version , such that ~1.3.0 would accept 1.3.8 but not 1.4.0.

Dependabot has upgraded this package to also accept 2.x, which for this specific package is a helluva good idea (not doing this would make my package not play ball in projects that also use libraries that have yet to update this dependency where others pin it to ^2.0.0), but auto-merge hasn't been able to parse the title:

title: "Update importlib-metadata requirement from ^1.3.0 to >=1.3,<3.0"
depName: requirement
Warning: failed to parse title: no recognizable versions

In my case, the action should not auto-approve as I set it to approve minor versions only, but it should at least be able to parse the above expanded range.

The Github action appears to be failing with "HttpError: Not Found" when trying to auto-merge (in this case a Node library update):

Run ahmadnassri/action-dependabot-auto-merge@v2
  with:
    github-token: ***
    config: .github/dependabot-auto-merge.config.yml
    command: merge
    approve: true
    target: patch

...

title: "chore (deps-dev): bump eslint-plugin-import from 2.24.0 to 2.24.2"
depName: eslint-plugin-import
from: 2.24.0
to: 2.24.2
dependency type: development
security critical: false
config: development:semver:minor
development:semver:minor detected, will auto-merge
Error: Not Found
HttpError: Not Found
    at /action/node_modules/@octokit/request/dist-node/index.js:66:23
    at processTicksAndRejections (node:internal/process/task_queues:94:5)
    at async approve (file:///action/lib/api.js:2:3)
    at async default (file:///action/lib/index.js:30:5)
    at async file:///action/index.js:52:1

It's not straightforward to understand that this is because the user who owns the PAT used for the auto-merge does not have write access to said repository.

It would be helpful to check access first, and if access overall isn't possible, log a message that clearly points to the access issue.

For context: This is for an "internal" repository (not a public one).

But i'm using a personal token 🤔

name: Dependabot
on: pull_request

jobs:
  auto-approve:
    runs-on: ubuntu-latest
    steps:
      - uses: hmarr/[email protected]
        if: github.actor == 'dependabot[bot]' || github.actor == 'dependabot-preview[bot]'
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

  auto-merge:
    runs-on: ubuntu-latest
    steps:
      - uses: ahmadnassri/action-dependabot-auto-merge@v1
    with:
      target: patch
      github-token: ${{ secrets.DEPENDABOT_AUTOMERGE_TOKEN }}

I'm trying to use this Action (and GitHub Actions in general) for the first time.

I used the minimal set-up, but when I edit the .yml file, GitHub runs the action and it outputs Error: action triggered outside of a pull_request.

Is this because it's supposed to only run when there's a new Dependabot PR? Is it working as intended? I'm just really confused if I've set it up right, or not.

From https://github.com/npm/node-semver#caret-ranges-123-025-004

Allows changes that do not modify the left-most non-zero element in the [major, minor, patch] tuple. In other words, this allows patch and minor updates for versions 1.0.0 and above, patch updates for versions 0.X >=0.1.0, and no updates for versions 0.0.X.

Many authors treat a 0.x version as if the x were the major "breaking-change" indicator.

Caret ranges are ideal when an author may make breaking changes between 0.2.4 and 0.3.0 releases, which is a common practice. However, it presumes that there will not be breaking changes between 0.2.4 and 0.2.5. It allows for changes that are presumed to be additive (but non-breaking), according to commonly observed practices.

The original dependabot didn't auto-merge anything below 1.0.0. Although that could be a tad annoying, it might be worth to consider.

Since lately ahmadnassri/action-dependabot-auto-merge@v2 fails in my project with the following error message:

Run ahmadnassri/action-dependabot-auto-merge@v2
/usr/bin/docker run --name ghcrioahmadnassriactiondependabotautomergev2_046a38
/action/node_modules/@actions/core/lib/core.js:94
        throw new Error(`Input required and not supplied: ${name}`);
              ^

Error: Input required and not supplied: github-token
    at Object.getInput (/action/node_modules/@actions/core/lib/core.js:94:15)
    at file:///action/index.js:28:15
    at ModuleJob.run (node:internal/modules/esm/module_job:154:23)
    at async Loader.import (node:internal/modules/esm/loader:166:24)
    at async Object.loadESM (node:internal/process/esm_loader:68:5)

Here is my setup:

- name: 'Automerge dependency updates from Dependabot'
  uses: ahmadnassri/[email protected]
  # Guarantee that commit comes from Dependabot (don't blindly trust external GitHub action checks)
  if: github.event_name == 'pull_request' && github.actor == 'dependabot[bot]'
  with:
    github-token: ${{ secrets.GH_TOKEN }}

Does action-dependabot-auto-merge internally uses @actions/core?

Luckily, my repository is public so I can point you to my build log file:

• https://github.com/bennycode/coinbase-pro-node/pull/457/checks?check_run_id=2262852364

And here is my workflow setup:

• https://github.com/bennycode/coinbase-pro-node/blob/main/.github/workflows/continuous-integration.yml

@dependabot merge command is now broken dependabot/dependabot-core#3253

The issue is dependabot cannot access secrets when using pull_request event, but it works when we use pull_request_target.

But unfortunately, the merge commit created by the command @dependabot merge doesn't have access to secrets that break main branch checks.

My proposal would be to edit this action to support the workflow_run event as per described in dependabot/dependabot-core#3253 (comment) to ensure all checks are passing then to merge using gh pr merge --auto --merge "$PR_URL" instead of adding a @dependabot merge comment.

Another solution would be to customise the @dependabot to @bot for example so we can add additional action which will do the merge once we get the comment event.

Hello,
I'm getting this same error whenever the GitHub Action, which is based on the yaml below, is triggered.
Do you have an idea where it's coming from? Could it be the PAT doesn't have sufficient rights?

GitHub Action yml:

name: Automerge Dependabot

on: 
  pull_request:

jobs:
  automerge:
    runs-on: ubuntu-latest
    steps:
      - uses: ahmadnassri/action-dependabot-auto-merge@v1
        with:
          target: minor
          github-token: ${{ secrets.Auto_merge_PAT }}

Error Message:

Run ahmadnassri/action-dependabot-auto-merge@v1
  with:
    target: minor
    github-token: ***
    command: merge
    approve: true
/usr/bin/docker run --name ahmadnassriactiondependabotautomergev1_f9474f --label 3b3ac6 --workdir /github/workspace --rm -e INPUT_TARGET -e INPUT_GITHUB-TOKEN -e INPUT_COMMAND -e INPUT_APPROVE -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/BucketNetting/BucketNetting":"/github/workspace" ahmadnassri/action-dependabot-auto-merge:v1
title: "Bump handlebars from 4.1.2 to 4.7.6 in /js"
from: 4.1.2
to: 4.7.6
dependency update target is "minor", found "minor", will auto-merge
##[error]Not Found
HttpError: Not Found
    at /action/node_modules/@octokit/request/dist-node/index.js:66:23
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at async approve (file:///action/lib/api.js:2:3)
    at async default (file:///action/lib/index.js:33:5)
    at async file:///action/index.js:35:1

hi, thanks for this workflow I like it !
Would be nice to allow manual triggering the workflow currently that runs into an error ;

https://github.com/iobroker-community-adapters/ioBroker.coronavirus-statistics/runs/1111509298?check_suite_focus=true#step:4:8

Example action definition for manual run :

on:
  pull_request:
  workflow_dispatch:
    inputs:
      logLevel:
        description: 'Log level'     
        required: true
        default: 'warning'
      tags:
        description: 'Test scenario tags'  

Hey.

I believe that the action should be aware of digest versions, such as git submodules, or simply versions that do not follow semver for one reason or another.

Old dependabot assumed those to be on the level below patch updates: major > minor > patch > digest.

Right now the action simply fails to do anything with digest updates: example. I do not expect from the action to do anything smart with versions that do not follow semver, but it'd be nice to enable auto-merge support for them. All current targets (major, minor and patch) should probably include digest by default, and digest should probably be added as yet another level to merge. This is how it worked in "old" dependabot, but I'm also fine with any other way to specify that digest updates should also be merged together with one of the currently available 3 options for semver updates.

Thank you in advance for considering this enhancement.

Hello. I request a feature to add labels to auto-merged PR.

In a workflow in my project, after a PR is merged by action-dependabot-auto-merge, another step adds a "automerge" label. This is a bit wasteful and complex.

I'm getting this warning (Which then stops merging) quite a lot, even though there is (to my understanding) a version range in the PR title, in the latest case it was 9.4 -> 9.4.2. Is there something wrong in the setup? The composer file in this instance has ^9.0.2 as the version constraint.

Any help would be great, and thanks for maintaining this 🙏

The Full Run
Workflow File

2020-12-31T18:18:58.0614594Z /action/node_modules/@actions/core/lib/core.js:94
2020-12-31T18:18:58.0615873Z         throw new Error(`Input required and not supplied: ${name}`);
2020-12-31T18:18:58.0616603Z               ^
2020-12-31T18:18:58.0617075Z 
2020-12-31T18:18:58.0618377Z Error: Input required and not supplied: github-token
2020-12-31T18:18:58.0619494Z     at Object.getInput (/action/node_modules/@actions/core/lib/core.js:94:15)
2020-12-31T18:18:58.0620346Z     at file:///action/index.js:28:15
2020-12-31T18:18:58.0621151Z     at ModuleJob.run (node:internal/modules/esm/module_job:152:23)
2020-12-31T18:18:58.0622009Z     at async Loader.import (node:internal/modules/esm/loader:166:24)
2020-12-31T18:18:58.0623624Z     at async Object.loadESM (node:internal/process/esm_loader:68:5)

mdn/yari#1231 failed because of this error:

https://github.com/mdn/yari/pull/1231/checks?check_run_id=1094792761

Workflow here

The current behavior is that the target must match exactly for the action to auto merge. For example, if you set target to minor, it will only auto merge minor PRs and not patch PRs. I could see this as being the intended behavior

The way I get it to work is by using the action multiple times.

    steps:
      - uses: ahmadnassri/[email protected]
        with:
          target: patch
      - uses: ahmadnassri/[email protected]
        with:
          target: minor

It works fine with invoking this action multiple times but would you consider adding the ability to add multiple targets or an option to make it auto merge PRs with versions less than or equal to target?

See https://github.com/mdn/content/pull/216/checks?check_run_id=1555249799

Run ahmadnassri/[email protected]
/usr/bin/docker run --name ghcrioahmadnassriactiondependabotautomergev2_fb18bb --label 179394 --workdir /github/workspace --rm -e INPUT_GITHUB-TOKEN -e INPUT_COMMAND -e INPUT_APPROVE -e INPUT_TARGET -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RETENTION_DAYS -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/content/content":"/github/workspace" ghcr.io/ahmadnassri/action-dependabot-auto-merge:v2
Error: EISDIR: illegal operation on a directory, read
Error: EISDIR: illegal operation on a directory, read
    at Object.readSync (node:fs:611:3)
    at tryReadSync (node:fs:385:20)
    at Object.readFileSync (node:fs:422:19)
    at default (file:///action/lib/config.js:18:27)
    at default (file:///action/lib/index.js:23:13)
    at file:///action/index.js:52:7
    at ModuleJob.run (node:internal/modules/esm/module_job:152:23)
    at async Loader.import (node:internal/modules/esm/loader:166:24)
    at async Object.loadESM (node:internal/process/esm_loader:68:5)

The config is here: https://github.com/mdn/content/blob/main/.github/workflows/auto-merge.yml